A number of vulnerabilities have been reported in PHP (the language in which SMF is written) which may allow attackers to compromise your site and/or server. While this is not SMF's fault, and indeed affects a huge number of respected PHP programs, patching it by upgrading PHP (the preferred method) or applying our own SMF patch is regarded as a critical update.
To patch these vulnerabilities in PHP completely, you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 (http://www.php.net/release_4_3_10.php) or 5.0.3. However, be aware of a problem some people have encountered after upgrading PHP (http://www.simplemachines.org/community/index.php?topic=21787.0).
If this is not possible for some reason (or cannot be done immediately), you should download and apply the security patch available in the package manager, or extract and upload the attached zip file (for RC2 - a separate file (http://www.simplemachines.org/community/index.php?topic=22012.0) is available for Charter Members.) The files on the downloads page have already been updated so, if you downloaded them after this post was made, you're fine already. This patch is not required if your PHP version has been upgraded, although it will not cause any problems if installed.
We're still looking into the repercussions of some of the security holes found, but are committed to dealing with problems of this nature promptly, whatever the cause.
Regards,
Simple Machines
What are the results if this patch is applied and the host then upgrades?
Will both the patch and .10 play nice together?
Quote from: tjay on December 21, 2004, 08:23:00 PM
Will both the patch and .10 play nice together?
Yes, this patch is designed to work fine with upgraded versions of PHP as well. :)
thanx a lot for the patch!!
Patched and ready to go 8)
SMF 1.0 (preview): is it vulnerable?
I click in the package manager for the patch, and I get: Unable to find package file!
Did I do something wrong?
Rob
Got an error too, but grabbed the attached file from Peter's msg above and uploaded the package content via FTP immediately.
Quote from: [darksteel] on December 21, 2004, 09:27:57 PM
SMF 1.0 (preview): is it vulnerable?
No, a vulnerability in PHP. But this fixes it, or at least one aspect thereof.
-[Unknown]
Quote from: Peter Duggan on December 21, 2004, 07:57:30 PM
you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 (http://www.php.net/release_4_3_10.php) or 5.0.3.
I thought I'd seen something on this forum suggesting that SMF wasn't officially supported on PHP5 yet. Has that changed now or is my memory playing tricks?
Worked fine when my forums were on PHP5...
PHP 5 is officially supported by SMF ^_^.
-[Unknown]
I must have shorted another brain cell out then ;D
Package manager worked fine, and also my forum is running under PHP5 and it works great.
Sweet update like usual, no troubles at all. :)
:-[ Ahhh! That's what my host was talking about. 3 of their clients' sites got "cracked" in a night, so they upgraded to PHP 4.3.10! But then they realised that the Zend version was 2.5.5 :-[ Bad day! Ah well, it's fixed now, I hope!
In case it's not, have your web host follow the directions I gave in this post.
http://www.simplemachines.org/community/index.php?topic=22047.0
Hmm, I'm getting this error when I try to install via Package Manager:
There are no installation or uninstallation actions defined!
I've made sure that Packages is chmod'ed right and everything.
I guess I'll just do it the old fashioned way. ;)
Edit: Upgrade went well. I guess uploading two files wasn't that bad. :P
As the patch wasn't in the package manager, I downloaded it here. Unfortunately, I keep getting this error:
"The package you are trying to upload is invalid or broken". I tried downloading it again - same results.
Quote from: Winters on December 22, 2004, 01:33:55 PM
As the patch wasn't in the package manager, I downloaded it here. Unfortunately, I keep getting this error:
"The package you are trying to upload is invalid or broken". I tried downloading it again - same results.
The file attached to the first post is not a patch that the package manager can deal with.
-[Unknown]
Oh, I didn't read the instructions carefully enough...
Patch installed from package manager... no problem..
My PHP was already at the recommended version but it didn't hurt
Thanks SMF
What does the patch from SMF do, like in general?
It just makes SMF validate the data such that the bug in PHP cannot be so easily exploited - at least through SMF.
For example, I could easily crash PHP (and thus Apache) on any server still running PHP 4.3.9 with SMF without this patch or phpBB, and some other softwares...
-[Unknown]
I must say this patch is a reassurance from SMF to show that they are winning the war.
Thanks for the warning guys, truly appreciated.
Keep up the good work... and Happy Holidays! 8)
I have yet to find a package that the manager will successfully install for me (suspect safe-mode issue)... have to do all manually.
In the included package-info.xml file found in php_4-3-9_fix.tar.gz , it reads:
ATTENTION: If you are trying to install this manually, you should try
the package manager. If it will not work for you, please take a look
at the following for information on this format:
http://mods.simplemachines.org/docs/manual-install.php
This page simply resolves to http://www.simplemachines.org/ ... is this intended?
Thanks
Bill
The manual install page probably isn't done yet. Just use the file attached to the first post of this topic and upload the two files to your server - that shall fix it.
Thanks .. already did the search/replace actions manually for Load.php and Search.php
A Merry Christmas and Happy Holidays
What a prompt and decisive response from the Dev Team.
Thanks guys.
So I GUESS we had to replace those files in the Source folder, right? Too bad that everyone assumes that we know how to apply this patch... since it can't be applied by the Package Manager:
Package Manager - Install Actions
Install Actions for archive php_4-3-9_fix.tar.gz:
Installing this package will perform the following actions:
Type Action Description
1. Execute Modification ./Sources/Load.php Failure
2. Execute Modification ./Sources/Search.php Failure
So I did replace those files, but I don't know yet if it is the right thing to do. IS IT?
it is ;)
Merci ;) It is very frustrating to wake up in the morning and have your forum defaced by a virus... The good thing is that by reinstalling the forum the whole thing went back to normal by itself... the database was untouched... good.
My host has upgraded to PHP 4.3.10 with the new Zend 2.5.7 and the new Apache as well.
My forum is now a very stylish white screen.
It does not appear to have the virus.
Is there a problem at the hosting end?
I am wondering if the Zend Optimizer or any other PHP acceleration software has been updated as well?
Did you take a look at your phpinfo to see if all versions are correct?
Quote from: kiwi on December 23, 2004, 03:29:22 AM
My host has upgraded to PHP 4.3.10 with the new Zend 2.5.7 and the new Apache as well.
My forum is now a very stylish white screen.
It does not appear to have the virus.
Is there a problem at the hosting end?
I am wondering if the Zend Optimizer or any other PHP acceleration software has been updated as well?
Yes, your host needs to update the acceleration software - most use Zend but some use ionCube.
Have checked versions:
PHP Version 4.3.10
This program makes use of the Zend Scripting Language Engine:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies with Zend Extension Manager v1.0.3, Copyright (c) 2003-2004, by Zend Technologies with Zend Optimizer v2.5.3, Copyright (c) 1998-2004, by Zend Technologies
make any sense?
with Zend Optimizer v2.5.3
They need to upgrade Zend.
They said they were using Zend 2.5.7 but that can't be.
Will check up
Thanks
Quote from: kiwi on December 23, 2004, 04:01:32 AM
They said they were using Zend 2.5.7 but that can't be.
Will check up
Thanks
They may not have done it properly (sometimes it's tricky) or they may not have restarted Apache since.
-[Unknown]
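As an added example (not SMF's own code, and not part of this thread), here is a small PHP script a site owner could run on the server to do the phpinfo version check discussed above programmatically: it tells you whether the installed PHP is at or past the fixed releases named in the announcement (4.3.10 for the 4.3 line, 5.0.3 for the 5.0 line) and whether the Zend Optimizer reported by phpinfo is still an older build, which is the "host didn't finish the upgrade or didn't restart Apache" case. The required Zend Optimizer version of 2.5.7 is an assumption taken from the host's claim in this thread, not a figure from Zend.

```php
<?php
// Added example, not SMF's code: check PHP and Zend Optimizer versions
// against the fixed releases discussed in the thread.

function php_is_patched($version)
{
    // Branch-aware comparison: the fix is in 4.3.10 for the 4.3 line and
    // in 5.0.3 for the 5.0 line. Anything newer than those lines is taken
    // as carrying the fix; anything older than 4.3 is unpatched.
    if (version_compare($version, '4.3.0', '>=') && version_compare($version, '4.4.0', '<')) {
        return version_compare($version, '4.3.10', '>=');
    }
    if (version_compare($version, '5.0.0', '>=') && version_compare($version, '5.1.0', '<')) {
        return version_compare($version, '5.0.3', '>=');
    }
    return version_compare($version, '5.1.0', '>=');
}

function zend_optimizer_version()
{
    // phpinfo() prints rather than returns, so capture its output and pull
    // the "Zend Optimizer vX.Y.Z" string shown in the thread's phpinfo excerpt.
    ob_start();
    phpinfo();
    $info = ob_get_clean();
    if (preg_match('/Zend Optimizer v(\d+(?:\.\d+)+)/', $info, $m)) {
        return $m[1];
    }
    return null; // not loaded (or another accelerator such as ionCube is in use)
}

$php = PHP_VERSION;
echo "PHP $php: ", php_is_patched($php) ? 'patched' : 'NOT patched (upgrade to 4.3.10 / 5.0.3)', "\n";

$zo = zend_optimizer_version();
$zo_required = '2.5.7'; // assumption: the version the host claimed in the thread
if ($zo === null) {
    echo "Zend Optimizer not reported; check any other accelerator separately\n";
} elseif (version_compare($zo, $zo_required, '<')) {
    echo "Zend Optimizer v$zo is older than $zo_required: upgrade not finished, or Apache not restarted\n";
} else {
    echo "Zend Optimizer v$zo OK\n";
}
```

Remove the script from the web root once you have the answer, since it exposes the full phpinfo output to anyone who requests it.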
Thanks for your help. Will see how they get on with the trouble ticket.
Quote from: sirius on December 22, 2004, 10:26:21 PM
Package Manager - Install Actions
Install Actions for archive php_4-3-9_fix.tar.gz:
Installing this package will perform the following actions:
Type Action Description
1. Execute Modification ./Sources/Load.php Failure
2. Execute Modification ./Sources/Search.php Failure
I have the same problem. I uploaded the 2 files by FTP (/Sources), but the problem is still the same.
how may i correct this failure?
thanks,
carhartt
No, the two files are an alternative to the package. If you've uploaded the two files then you are done.
ok, thx! :)
Ya. My site was hacked because of this.
Quote from: ROGUE-Master on December 23, 2004, 10:00:04 AM
Ya. My site was hacked because of this.
I highly doubt it was because of this, but would suspect it was down to the phpBB exploit.
Updated my 3 forums, on 2 different hosts, via the Package Manager.
No problems at all :)
Upgraded 4.3.9 to 4.3.10 :)
Why not 5.0.3 ;) ?
Applied the patch "successfully".
Now I can't login to the forum. Well...I can't on Firefox. I got the same error on IE, but then clicked the Home button and I was logged in. It didn't do the same on Firefox.
You were unable to login. Please check your cookie settings.
Hmm... what version of PHP are you using? Can I have a link and test account?
-[Unknown]
Ah, no patch from 5.0.2 to 5.0.3? Do I have to do a fresh install?
Quote from: hbidad on December 29, 2004, 05:23:11 AM
Ah, no patch from 5.0.2 to 5.0.3? Do I have to do a fresh install?
Not sure whether you're asking about patching PHP (don't think you can) or SMF but, if you're currently on PHP 5.0.2, you need PHP 5.0.3 (the preferred solution) and/or our SMF patch.
Thanks for the reply! I have a custom install version of PHP (meaning that the files are not in the default directories and are spread out). Could I manually just copy the files over the old ones, or would I have to use an installer? I am not certain if the new version makes any registry entries. Could I keep my old php.ini file?
Sorry for the newbie questions, usually I would read up on this but I would rather get this patched ASAP.
A small (newbie) question: any known drawbacks regarding my configuration, which works perfectly?
Apache/2.0.52 (Win32) PHP/5.0.3
MySql 3.1.8 edit should read 4.1.8
Quote from: hbidad on December 29, 2004, 06:20:07 PM
Sorry for the newbie questions, usually I would read up on this but I would rather get this patched ASAP.
Don't take this the wrong way, but... do you even use SMF ^_^?
This forum is for... well, forum software written in PHP using MySQL. Specifically, the forum software you're using now, if you're reading this message.
That said, I'm not sure if there's a patch, but I'd personally use bonsai (http://bonsai.php.net/cvsqueryform.cgi) to try to figure out what changes were made - or just browse the source (http://cvs.php.net/). I assume they use tags or branches for the releases, so it shouldn't be that difficult to find the commits on whatever tag/branch 4.3.10 was made.
Quote from: allfripou on December 29, 2004, 07:32:19 PM
A small (newbie) question: any known drawbacks regarding my configuration, which works perfectly?
Apache/2.0.52 (Win32) PHP/5.0.3
MySql 3.1.8
Is that MySQL version for real? SMF doesn't support any version of MySQL below 3.23.4... but, from your version, I'm going to hope you're actually using MySQL 4.1.8, which is a fairly recent version and very much recommended.
-[Unknown]
Sorry, 4.1.8 of course, and thanks [Unknown].
With the new release of SMF 1.0 final, should the PHP security patch be applied, or 1.0 is already patched?
Quote from: 1948Pal on December 31, 2004, 12:23:57 AM
With the new release of SMF 1.0 final, should the PHP security patch be applied, or 1.0 is already patched?
1.0 has our patch applied, no need to put it in manually. But you should still upgrade PHP.
I should pay more attention, I know..
I've noticed that my host is running 4.3.4.. are there any probs known with this?
here is my config:
PHP built On: FreeBSD netexp.34sp.com 4.9-STABLE FreeBSD 4.9-STABLE #0: Wed Jan i386
Database Version: 3.23.58
PHP Version: 4.3.4
Web Server: Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
notice the MySQL is a bit old as well. What do you recommend I should ask for? ???
Thx
Tiff
Well I would have thought that the most urgent would be an upgrade to PHP 4.3.10 together with the required Zend upgrade ;)
What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.
TIA
Tom
Quote from: rvforumite on March 02, 2005, 05:09:04 PM
What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.
It doesn't matter.
Why chmod 777 is NOT a security risk (http://www.simplemachines.org/community/index.php?topic=2987.0)
-[Unknown]
Quote from: Peter Duggan on December 21, 2004, 07:57:30 PM
A number of vulnerabilities have been reported in PHP (the language in which SMF is written) which may allow attackers to compromise your site and/or server. While this is not SMF's fault, and indeed affects a huge number of respected PHP programs, patching it by upgrading PHP (the preferred method) or applying our own SMF patch is regarded as a critical update.
To patch these vulnerabilities in PHP completely, you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 (http://www.php.net/release_4_3_10.php) or 5.0.3. However, be aware of a problem some people have encountered after upgrading PHP (http://www.simplemachines.org/community/index.php?topic=21787.0).
If this is not possible for some reason (or cannot be done immediately), you should download and apply the security patch available in the package manager, or extract and upload the attached zip file (for RC2 - a separate file (http://www.simplemachines.org/community/index.php?topic=22012.0) is available for Charter Members.) The files on the downloads page have already been updated so, if you downloaded them after this post was made, you're fine already. This patch is not required if your PHP version has been upgraded, although it will not cause any problems if installed.
We're still looking into the repercussions of some of the security holes found, but are committed to dealing with problems of this nature promptly, whatever the cause.
Regards,
Simple Machines
Would I still need this say for TVWorlds.com or is this concerning an earlier version?
no :)
Cool TY
Thanks for the updates, my site was hacked too.
This topic hasn't been posted in for nearly two years...
This patch was for 1.0 RC2. It is included by default..
-AwwLilMaggie
Quote from: AwwLilMaggie on January 12, 2007, 10:50:15 AM
This topic hasn't been posted in for nearly two years...
This patch was for 1.0 RC2. It is included by default..
-AwwLilMaggie
Is there a new vulnerability that is out and being exploited?
http://www.surmunity.com/showthread.php?p=232560#post232560
What makes him think SMF is to blame? The fact that WordPress was compromised makes me suspect that this is not SMF related at all.
I find it quite invidious when people claim "SMF hacked" without even producing a single piece of evidence to show that it was to blame.