The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Dangerous security hole in php 4.4.2

Discussion in 'Security' started by naguib2000, Jun 12, 2006.

  1. naguib2000

    naguib2000 Member

    Joined:
    May 12, 2004
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hi guys , i think most of you have heared about the security issue in php regarding the COPY function , which allow any one to run a script and by path safemode restrictions ..

    Many of our sites have been hacked 2 weeks ago because of this threat ..

    My question is .... how to over come this problem keeping working with 4.4.2 ( i dont want to upgrade to version 5 )

    and another question : I see in php website that the version 4.4.2 has recovered this problem , but in the development version , and they write also beside it the word "stable"

    Is there a way i can update the php with this dev version , without making bad interference with cpanel system ??

    and also is there a way i can let easy apache to do the update using this specified dev version ??

    thank you
    and regards
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    This is really more of an issue with the PHP developers than the CPanel developers, but it is worth noting.

    This bug was disclosed on April 10th, and yet the PHP developers still have not released a fix for this. This should be fixed in PHP 4.4.3, but the PHP developers do not appear to be in any hurry to release it.

    4.4.3 was released as RC1 back on May 22nd. According to the mailing list post, if there were no issues with RC1 then 4.4.3 would be released on May 30th. If there were issues with RC1, then they would be addressed and an RC2 would be released. Neither 4.4.3 or RC2 has been released, it still seems to be stuck on RC1.

    I am left to assume that the PHP developers are moving slow with the PHP4 tree in an effort to speed along to transition to PHP5. We are still running PHP4, with plans to perhaps move to PHP5 later this year, assuming we can get some other upgrades accomplished. So we are still anxiously awaiting the release of 4.4.3.

    You can find PHP 4.4.3RC1 at:

    http://downloads.php.net/derick/

    I have not tried to install it on any of servers (still thinking that 4.4.3 Final will be released any day) but I don't see why there would be any problems installing it.
     
  3. naguib2000

    naguib2000 Member

    Joined:
    May 12, 2004
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    thank you sparek for your reply

    but i was wondering , how can i install 4.4.2 development version to the system , because i am sure it is clean of this threat??

    will i use easyapache ? or compile php alone without the need to upgrade apache ? or what exactly :)
     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You would have to manually compile PHP, without easyapache. To be honest, if you do not feel comfortable doing this, then I would not really recommend this route.

    I did try testing a CVS snapshot of PHP, not exactly sure what snapshot I used, but it was in the 4.4.3 development tree. I tried it against this bug and it does appear to be fixed. So I am assuming that this is fix in the final version of 4.4.3. That was several weeks ago that I installed that, if I'd known it would be taking this long for the PHP developers to release 4.4.3, then I would have installed it on all of our servers. But right now, I'm thinking that 4.4.3 has to be just around the corner. But I will say that I am not very impressed with the way PHP developers handled this bug and the release of a fix for this bug.
     
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Just a note, I don't agree that ability to bypass safemode restrictions is a serious bug.

    If safemode is all that's keeping your server secure, you're in serious trouble ...

    Sure, safemode should be fixed. But also fix your server security so safemode is not something you rely on for security. For instance, check out mod_security, an Apache security filter module you should be running with...
     
  6. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    I think if you are serious about fixing this, then you have no other option than to upgrade to php5 until a patch is released. If you'd really rather not, you'll simply be a sitting duck I suppose.
     
Loading...

Share This Page