News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

PHP Vulnerabilities (Critical Update/Patch)

Started by Peter Duggan, December 21, 2004, 07:57:30 PM

Previous topic - Next topic

kiwi

Thanks for you help. Will see how they get on with the trouble ticket.



carhartt

Quote from: sirius on December 22, 2004, 10:26:21 PM
Package Manager - Install Actions
Install Actions for archive php_4-3-9_fix.tar.gz:
Installing this package will perform the following actions:
   Type    Action    Description
1.    Execute Modification    ./Sources/Load.php    Failure
2.    Execute Modification    ./Sources/Search.php    Failure

i have the same problem. i uploaded the 2 files by ftp(/Sources). but the problem is still the same.
how may i correct this failure?

thanks,

carhartt
straight is great! ;)

Grudge

No, the two files are an alternative to the package. If you've uploaded the two files then you are done.
I'm only a half geek really...

carhartt

straight is great! ;)

ROGUE-Master


Ben_S

Quote from: ROGUE-Master on December 23, 2004, 10:00:04 AM
Ya. My site was hacked because of this.

I highly doubt it was because of this but would suspect it was down to the phpbb exploit.
Liverpool FC Forum with 14 million+ posts.

Gray

Updated my 3 forums, on 2 different hosts, via the Package Manager.
No problems at all :)
Gray

LiroyvH

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Webby


stevej

#49
Applied the patch "successfully".

Now I can't login to the forum.  Well...I can't on Firefox.  I got the same error on IE, but then clicked the Home button and I was logged in.  It didn't do the same on Firefox.

You were unable to login. Please check your cookie settings.

[Unknown]

Hmm... what version of PHP are you using?  Can I have a link and test account?

-[Unknown]

hbidad

Ah, no patch from 5.0.2 to 5.0.3? Do I have to do a fresh install?

Peter Duggan

Quote from: hbidad on December 29, 2004, 05:23:11 AM
Ah, no patch from 5.0.2 to 5.0.3? Do I have to do a fresh install?

Not sure whether you're asking about patching PHP (don't think you can) or SMF but, if you're currently on PHP 5.0.2, you need PHP 5.0.3 (the preferred solution) and/or our SMF patch.

hbidad

Thanks for the reply! I have a custom install version of php (meaning that they are not in the defualt directories and are spread out) Could I manualy just the files over the old ones or would I have to use an installer? I am not certain if the new version makes any registry entries. Could I keep my old php.ini file

Sorry for the newbie questions, usally I would read up on this but I would rather get this patched ASAP.

allfripou

#54
A small (newbie) question : any known drawbacks  regarding my configuration which works prefectly

Apache/2.0.52 (Win32) PHP/5.0.3
MySql 3.1.8 edit should read 4.1.8


[Unknown]

Quote from: hbidad on December 29, 2004, 06:20:07 PM
Sorry for the newbie questions, usally I would read up on this but I would rather get this patched ASAP.

Don't take this the wrong way, but... do you even use SMF ^_^?

This forum is for... well, forum software written in PHP using MySQL.  Specifically, the forum software you're using now, if you're reading this message.

That said, I'm not sure if there's a patch, but I'd personally use bonsai to try to figure out what changes were made - or just browse the source.  I assume they use tags or branches for the releases, so it shouldn't be that difficult to find the commits on whatever tag/branch 4.3.10 was made.

Quote from: allfripou on December 29, 2004, 07:32:19 PM
A small (newbie) question : any known drawbacks  regarding my configuration which works prefectly

Apache/2.0.52 (Win32) PHP/5.0.3
MySql 3.1.8

Is that MySQL version for real?  SMF doesn't support any version of MySQL below 3.23.4... but, from your version, I'm going to hope you're actually using MySQL 4.1.8, which is a fairly recent version and very much recommended.

-[Unknown]

allfripou


1948Pal

With the new release of SMF 1.0 final, should the PHP security patch be applied, or 1.0 is already patched?
"No matter how long the river, the river will reach the sea".
Eugene Fitch Ware

Meriadoc

Quote from: 1948Pal on December 31, 2004, 12:23:57 AM
With the new release of SMF 1.0 final, should the PHP security patch be applied, or 1.0 is already patched?
1.0 has our patch applied, no need to put it in manually. But you should still upgrade PHP.
If I know the way home and am walking along it drunkenly, is it any less the right way because I am staggering from side to side? : Leo Tolstoy
Everything I know I learned from Calvin and Hobbes.
And patience is about the most useful thing you could ever have.  That and backups. : [Unknown]
If I choose to send thee, Tuor son of Huor, then believe not that thy one sword is not worth the sending. : Ulmo, Lord of the Waters - Unfinished Tales, by J.R.R. Tolkien

sniffers

I should pay more attention, I know..

I've noticed that my host is running 4.3.4..  are there any probs known with this?

here is my config:

PHP built On:       FreeBSD netexp.34sp.com [nofollow] 4.9-STABLE FreeBSD 4.9-STABLE #0: Wed Jan i386
Database Version:    3.23.58
PHP Version:    4.3.4
Web Server:    Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d

notice the MySQL is a bit old as well.  What do you recommend I should ask for?   ???

Thx

Tiff

Advertisement: