PHP Vulnerabilities (Critical Update/Patch)

Started by Peter Duggan, December 21, 2004, 07:57:30 PM

Winters

Oh, I didn't read the instructions carefully enough...

bigmo

Patch installed from package manager... no problem..
My PHP was already at the recommended version but it didn't hurt

Thanks SMF

Trekkie101

What does the patch from SMF do, like in general?

[Unknown]

It just makes SMF validate the data such that the bug in PHP cannot be so easily exploited - at least through SMF.

For example, I could easily crash PHP (and thus Apache) on any server still running PHP 4.3.9 with SMF without this patch or phpBB, and some other software...

-[Unknown]

Trekkie101

I must say this patch is a reassurance from SMF to show that they are winning the war.

Monkey

Thanks for the warning guys, truly appreciated.

Keep up the good work... and Happy Holidays!  8)

bcswebco.com

I have yet to find a package that the manager will successfully install for me (suspect safe-mode issue)... have to do all manually.

In the included package-info.xml file found in php_4-3-9_fix.tar.gz , it reads:

   ATTENTION: If you are trying to install this manually, you should try
   the package manager.  If it will not work for you, please take a look
   at the following for information on this format:
      http://mods.simplemachines.org/docs/manual-install.php

This page simply resolves to http://www.simplemachines.org/  ... is this intended?


Thanks

Bill

Grudge

The manual install page probably isn't done yet. Just use the file attached to the first post of this topic and upload the two files to your server - that shall fix it.
I'm only a half geek really...

bcswebco.com

Thanks  .. already did the search/replace actions manually for Load.php and Search.php

A Merry Christmas and Happy Holidays

Fizzy

What a prompt and decisive response from the Dev Team.

Thanks guys. 
"Reality is merely an illusion, albeit a very persistent one." - A.E.


Sirius

So I GUESS we had to replace those files in the Source folder, right? Too bad that everyone assumes that we know how to apply this patch... since it can't be applied by the Package Manager:

Package Manager - Install Actions
Install Actions for archive php_4-3-9_fix.tar.gz:
Installing this package will perform the following actions:
   Type    Action    Description
1.    Execute Modification    ./Sources/Load.php    Failure
2.    Execute Modification    ./Sources/Search.php    Failure


So I did replace those files, but I don't know yet if it is the right thing to do. IS IT?


Sirius

Thanks ;) It is very frustrating to wake up in the morning and have your forum defaced by a virus... the good thing is that by reinstalling the forum the whole thing went back to normal by itself... the database was untouched... good...

kiwi

My host has upgraded to php 4.3.10  with the new zend 2.5.7 with the new apache as well

My forum is now a very stylish white screen.
It does not appear to have the virus.

Is there a problem at hosting end?
I am wondering if the Zend Optimizer or any other PHP acceleration software has been updated as well?

Jerry

Did you take a look at your phpinfo to see if all versions are correct?


- Jerry

"If all you look for is the negative in things, you will never see the positive."

Tony Reid

Quote from: kiwi on December 23, 2004, 03:29:22 AM
My host has upgraded to php 4.3.10 with the new zend 2.5.7 with the new apache as well

My forum is now a very stylish white screen.
It does not appear to have the virus.

Is there a problem at hosting end?
I am wondering if the Zend Optimizer or any other PHP acceleration software has been updated as well?

Yes your host needs to update the acceleration software - most use Zend but some use ioncube.

Tony Reid

kiwi

Have checked versions:

PHP Version 4.3.10

This program makes use of the Zend Scripting Language Engine:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies with Zend Extension Manager v1.0.3, Copyright (c) 2003-2004, by Zend Technologies with Zend Optimizer v2.5.3, Copyright (c) 1998-2004, by Zend Technologies

make any sense?

Jerry

with Zend Optimizer v2.5.3
They need to upgrade Zend


- Jerry

kiwi

They said they were using zend 2.5.7 but can't be
Will check up
Thanks

[Unknown]

Quote from: kiwi on December 23, 2004, 04:01:32 AM
They said they were using zend 2.5.7 but can't be
Will check up
Thanks

They may not have done it properly (sometimes it's tricky) or they may not have restarted Apache since.

-[Unknown]
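An added example, not part of any post above: a small Python check that parses the phpinfo banner kiwi posted and compares the versions PHP actually loaded with the ones the host says it installed. The function names and the `CLAIMED` dictionary are assumptions made for illustration; the banner text and version numbers are taken from the thread.

```python
import re

# phpinfo banner exactly as kiwi posted it in the thread.
BANNER = """PHP Version 4.3.10
This program makes use of the Zend Scripting Language Engine:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies with Zend Extension Manager v1.0.3, Copyright (c) 2003-2004, by Zend Technologies with Zend Optimizer v2.5.3, Copyright (c) 1998-2004, by Zend Technologies
"""

# What the host says it installed, per the thread (this dictionary is an assumption).
CLAIMED = {"PHP": "4.3.10", "Zend Optimizer": "2.5.7"}

_VER = r"(\d+(?:\.\d+)*)"
_PATTERNS = {
    "PHP": re.compile(r"PHP Version\s+" + _VER),
    "Zend Engine": re.compile(r"Zend Engine v" + _VER),
    "Zend Extension Manager": re.compile(r"Zend Extension Manager v" + _VER),
    "Zend Optimizer": re.compile(r"Zend Optimizer v" + _VER),
}

def parse_versions(banner):
    """Return {component: version} for every component named in the banner."""
    found = {}
    for name, pattern in _PATTERNS.items():
        match = pattern.search(banner)
        if match:
            found[name] = match.group(1)
    return found

def version_key(version, width=4):
    """'4.3.10' -> (4, 3, 10, 0): numeric and padded, so 4.3.10 sorts after 4.3.9."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def audit(banner, claimed):
    """Compare what PHP actually loaded with what was claimed to be installed."""
    loaded = parse_versions(banner)
    report = []
    for name, want in claimed.items():
        have = loaded.get(name)
        if have is None:
            status = "not loaded"
        elif version_key(have) < version_key(want):
            status = "older than claimed"
        elif version_key(have) > version_key(want):
            status = "newer than claimed"
        else:
            status = "matches"
        report.append((name, have, want, status))
    return report
```

Run it on phpinfo output served through the web server rather than the command line: as the last reply notes, Apache may still be running the old module until it is restarted.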
