PHP Vulnerabilities (Critical Update/Patch)

Started by Peter Duggan, December 21, 2004, 07:57:30 PM

Peter Duggan

A number of vulnerabilities have been reported in PHP (the language in which SMF is written) which may allow attackers to compromise your site and/or server. While this is not SMF's fault, and indeed affects a huge number of respected PHP programs, patching it by upgrading PHP (the preferred method) or applying our own SMF patch is regarded as a critical update.

To patch these vulnerabilities in PHP completely, you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 or 5.0.3.  However, be aware of a problem some people have encountered after upgrading PHP.

If this is not possible for some reason (or cannot be done immediately), you should download and apply the security patch available in the package manager, or extract and upload the attached zip file (for RC2 - a separate file is available for Charter Members.) The files on the downloads page have already been updated so, if you downloaded them after this post was made, you're fine already.  This patch is not required if your PHP version has been upgraded, although it will not cause any problems if installed.

We're still looking into the repercussions of some of the security holes found, but are committed to dealing with problems of this nature promptly, whatever the cause.

Regards,
Simple Machines

tjay

What are the results if this patch is applied and the host then upgrades?
Will both the patch and .10 play nice together?

David

Quote from: tjay on December 21, 2004, 08:23:00 PM
Will both the patch and .10 play nice together?

Yes, this patch is designed to work fine with upgraded versions of PHP as well. :)
This space for rent.

davon


Jerry



- Jerry

"If all you look for is the negative in things, you will never see the positive."

[darksteel]




Luis "[darksteel]" Alvarado.
Spanish Support
What is repair_settings?
I don't give support by PM; post your question on the forum and you will get faster answers.
My forum:
www.caamboard.com

Rob

I click in the package manager for the patch, and I get: Unable to find package file!

Did I do something wrong?

Rob

davon

Got an error too, but grabbed the attached file from Peter's msg above and uploaded the package content via ftp immediately.

[Unknown]

Quote from: [darksteel] on December 21, 2004, 09:27:57 PM
SMF 1.0 (preview). is vulnerability?

No, a vulnerability in PHP.  But this fixes it, or at least one aspect thereof.

-[Unknown]

packman

Quote from: Peter Duggan on December 21, 2004, 07:57:30 PM
you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 or 5.0.3. 

I thought I'd seen something on this forum suggesting that SMF wasn't officially supported on PHP5 yet. Has that changed now or is my memory playing tricks?
Chris

Jerry




[Unknown]

PHP 5 is officially supported by SMF ^_^.

-[Unknown]

packman

I must have shorted another brain cell out then ;D
Chris

Villesa

packet manager worked fine, and also my forum is running under php5 and it works great.
You'll get the idea

I'm all ok.

Trekkie101

Sweet update like usual, no troubles at all.   :)

Tristan Perry

 :-[ Ahhh! That's what my host was talking about. 3 of their clients' sites got "cracked" in a night, so they upgraded to PHP 4.3.10! But then they realised that the Zend version was 2.5.5  :-[ Bad day! Ah well it's fixed now, I hope!

AchoHosting

Owner Acho Hosting Solutions
Nicholas R Acho
URL: http://www.achohosting.com

Tom

Hmm, I'm getting this error when I try to install via Package Manager:
There are no installation or uninstallation actions defined!

I've made sure that Packages is chmod'ed right and everything.

I guess I'll just do it the old fashioned way. ;)

Edit: Upgrade went well. I guess uploading two files wasn't that bad. :P

Winters

As the patch wasn't in the package manager, I downloaded it here. Unfortunately, I keep getting this error:
"The package you are trying to upload is invalid or broken". I tried downloading it again - same results.

[Unknown]

Quote from: Winters on December 22, 2004, 01:33:55 PM
As the patch wasn't in the package manager, I downloaded it here. Unfortunately, I keep getting this error:
"The package you are trying to upload is invalid or broken". I tried downloading it again - same results.

The file attached to the first post is not a patch that the package manager can deal with.

-[Unknown]
