phpwebsite-developers

Re: [Phpwebsite-developers] Serious issue

[Jim W. <spi...@us...>]

> From: Brady Bellinger
> 
> Are sites that only allow trusted, registered users also affected by
this issue?
> To my knowledge our site does not allow anonymous users to submit
announcements.
> 
> Thanks,
> 
> Brady

Hi Brady,

That might make a little bit of difference,  but this is serious enough
that you should do 
the patch.  If you are running and older version or have a heavily
modified installation, 
just add the new code in index.php to your index.php.

Also do not be fooled by comments such as "normally only apache/nobody
user access is attained".  
Such access is the first step of almost all breakins as it gives enough
access to run a privelege escallation exploit.

I would like to hear some other opinions on this as well, but that's
currently my take on 
the situation.

Best regards,

Jim Wilson

Re: [Phpwebsite-developers] Serious issue

[Brady B. <bra...@gm...>]

Thanks.  I patched my site.  I had originally sent out this question
before a patch was issued...not sure why it's just showing up now.

Thanks again,

Brady


On Wed, 02 Mar 2005 11:31:55 -0500, Jim Wilson
<spi...@us...> wrote:
> > From: Brady Bellinger
> >
> > Are sites that only allow trusted, registered users also affected by
> this issue?
> > To my knowledge our site does not allow anonymous users to submit
> announcements.
> >
> > Thanks,
> >
> > Brady
> 
> Hi Brady,
> 
> That might make a little bit of difference,  but this is serious enough
> that you should do
> the patch.  If you are running and older version or have a heavily
> modified installation,
> just add the new code in index.php to your index.php.
> 
> Also do not be fooled by comments such as "normally only apache/nobody
> user access is attained".
> Such access is the first step of almost all breakins as it gives enough
> access to run a privelege escallation exploit.
> 
> I would like to hear some other opinions on this as well, but that's
> currently my take on
> the situation.
> 
> Best regards,
> 
> Jim Wilson
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Phpwebsite-developers mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers
> 


-- 
To send me encrypted email or verify my signature, my public key is
available <a href="http://bradybellinger.com/brady.asc">here</a>.