PHP Vulnerabilities (Critical Update/Patch)

Fizzy · February 14, 2005, 08:34:35 AM

Well I would have thought that the most urgent would be an upgrade to PHP 4.3.10 together with the required Zend upgrade

forumite · March 02, 2005, 05:09:04 PM

What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.

TIA

Tom

[Unknown] · March 02, 2005, 05:11:55 PM

Quote from: rvforumite on March 02, 2005, 05:09:04 PM
What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.

It doesn't matter.

Why chmod 777 is NOT a security risk

-[Unknown]

MrFlicks · March 30, 2005, 07:56:08 AM

Quote from: Peter Duggan on December 21, 2004, 07:57:30 PM
A number of vulnerabilities have been reported in PHP (the language in which SMF is written) which may allow attackers to compromise your site and/or server. While this is not SMF's fault, and indeed affects a huge number of respected PHP programs, patching it by upgrading PHP (the preferred method) or applying our own SMF patch is regarded as a critical update.

To patch these vulnerabilities in PHP completely, you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 or 5.0.3. However, be aware of a problem some people have encountered after upgrading PHP.

If this is not possible for some reason (or cannot be done immediately), you should download and apply the security patch available in the package manager, or extract and upload the attached zip file (for RC2 - a separate file is available for Charter Members.) The files on the downloads page have already been updated so, if you downloaded them after this post was made, you're fine already. This patch is not required if your PHP version has been upgraded, although it will not cause any problems if installed.

We're still looking into the repercussions of some of the security holes found, but are committed to dealing with problems of this nature promptly, whatever the cause.

Regards,
Simple Machines

Would I still need this say for TVWorlds.com or is this concerning an earlier version?

Trekkie101 · March 30, 2005, 08:00:18 AM

no

MrFlicks · March 30, 2005, 10:22:13 AM

Cool TY

paulanator · January 12, 2007, 01:17:18 AM

Thanks for the updates, my site was hacked too.

Gary · January 12, 2007, 10:50:15 AM

This topic hasnt been posted in for nearly two years...

This patch was for 1.0 RC2. It is included by default..

-AwwLilMaggie

SBGamesCone · January 26, 2007, 12:55:50 PM

Quote from: AwwLilMaggie on January 12, 2007, 10:50:15 AM
This topic hasnt been posted in for nearly two years...

This patch was for 1.0 RC2. It is included by default..

-AwwLilMaggie

Is there a new vulnerability that is out and being exploited?

http://www.surmunity.com/showthread.php?p=232560#post232560 [nofollow]

Fizzy · January 26, 2007, 03:20:06 PM

What makes him think SMF is to blame? The fact that wordpress was compromised make me suspect that this is not SMF related at all.

I find it quite invidious when people claim "SMF hacked" without even producing a single piece of evidence to show that it was to blame.

News:

PHP Vulnerabilities (Critical Update/Patch)