Dangerous security hole in php 4.4.2

[naguib2000]

Hi guys , i think most of you have heared about the security issue in php regarding the COPY function , which allow any one to run a script and by path safemode restrictions ..

Many of our sites have been hacked 2 weeks ago because of this threat ..

My question is .... how to over come this problem keeping working with 4.4.2 ( i dont want to upgrade to version 5 )

and another question : I see in php website that the version 4.4.2 has recovered this problem , but in the development version , and they write also beside it the word "stable"

Is there a way i can update the php with this dev version , without making bad interference with cpanel system ??

and also is there a way i can let easy apache to do the update using this specified dev version ??

thank you
and regards

 

[sparek-3]

This is really more of an issue with the PHP developers than the CPanel developers, but it is worth noting.

This bug was disclosed on April 10th, and yet the PHP developers still have not released a fix for this. This should be fixed in PHP 4.4.3, but the PHP developers do not appear to be in any hurry to release it.

4.4.3 was released as RC1 back on May 22nd. According to the mailing list post, if there were no issues with RC1 then 4.4.3 would be released on May 30th. If there were issues with RC1, then they would be addressed and an RC2 would be released. Neither 4.4.3 or RC2 has been released, it still seems to be stuck on RC1.

I am left to assume that the PHP developers are moving slow with the PHP4 tree in an effort to speed along to transition to PHP5. We are still running PHP4, with plans to perhaps move to PHP5 later this year, assuming we can get some other upgrades accomplished. So we are still anxiously awaiting the release of 4.4.3.

You can find PHP 4.4.3RC1 at:

http://downloads.php.net/derick/

I have not tried to install it on any of servers (still thinking that 4.4.3 Final will be released any day) but I don't see why there would be any problems installing it.

 

[naguib2000]

thank you sparek for your reply

but i was wondering , how can i install 4.4.2 development version to the system , because i am sure it is clean of this threat??

will i use easyapache ? or compile php alone without the need to upgrade apache ? or what exactly

 

[sparek-3]

You would have to manually compile PHP, without easyapache. To be honest, if you do not feel comfortable doing this, then I would not really recommend this route.

I did try testing a CVS snapshot of PHP, not exactly sure what snapshot I used, but it was in the 4.4.3 development tree. I tried it against this bug and it does appear to be fixed. So I am assuming that this is fix in the final version of 4.4.3. That was several weeks ago that I installed that, if I'd known it would be taking this long for the PHP developers to release 4.4.3, then I would have installed it on all of our servers. But right now, I'm thinking that 4.4.3 has to be just around the corner. But I will say that I am not very impressed with the way PHP developers handled this bug and the release of a fix for this bug.

 

[brianoz]

Just a note, I don't agree that ability to bypass safemode restrictions is a serious bug.

If safemode is all that's keeping your server secure, you're in serious trouble ...

Sure, safemode should be fixed. But also fix your server security so safemode is not something you rely on for security. For instance, check out mod_security, an Apache security filter module you should be running with...

 

[cooldude7273]

I think if you are serious about fixing this, then you have no other option than to upgrade to php5 until a patch is released. If you'd really rather not, you'll simply be a sitting duck I suppose.