
Scripting flaw threatens Web servers (News.com)

News.com looks into recent PHP security vulnerabilities. "A flaw found in newer versions of the PHP Web server scripting language could allow attackers to crash, and in some cases control, computers over the Internet, an open-source developer group announced Monday. The vulnerability affects versions 4.2.0 and 4.2.1 of PHP, according to the PHP Group."

Please also see the LWN.net vulnerability report. In particular, almost every Linux distributor appears to ship older (and thus not vulnerable) versions of PHP.



lwn.net uses php 4.0.6

Posted Jul 22, 2002 21:25 UTC (Mon) by dananderson (guest, #905)

I find it interesting lwn.net uses Apache and PHP software about a year or more old, with multiple security problems:
$ telnet lwn.net 80
Trying 66.216.68.48...
Connected to lwn.net (66.216.68.48).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 22 Jul 2002 21:21:32 GMT
Server: Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_python/2.7.3 Python/2.1.2 PHP/4.0.6
X-Powered-By: PHP/4.0.6
. . .

lwn.net uses php 4.0.6

Posted Jul 22, 2002 21:31 UTC (Mon) by corbet (editor, #1)

Do bear in mind that the version number reported tells you little about what patches may have been applied...

*Another* hole?

Posted Jul 23, 2002 9:29 UTC (Tue) by job (guest, #670)

Perhaps this is a good time to look for alternatives to PHP?

*Another* hole?

Posted Jul 23, 2002 11:04 UTC (Tue) by gonkgonk (guest, #281)

Yeah, none of the other scripting languages is bound to have any security flaws.

*Another* hole?

Posted Jul 23, 2002 21:39 UTC (Tue) by strombrg (guest, #2178)

Actually, PHP seems to be fairly security-problem-prone. You have to disable functionality that most PHP code assumes you have, in order to get a subset that doesn't make it too easy to shoot yourself in the foot. So if you plan on code reuse with PHP, don't plan on your code being especially secure.

*Another* hole?

Posted Jul 25, 2002 20:34 UTC (Thu) by JLCdjinn (subscriber, #1905)

Could you please elaborate (or point me in the direction of a resource) on what functionality needs to be turned off in order to bring more security to PHP? I'm just curious to know about how the portability might be hindered, and plan for it accordingly.

Thanks much,

John

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds