PHP Vulnerabilities Announced


mikron15
12-17-2004, 18:48
Simone Klassen writes "The Hardened-PHP Project (http://www.hardened-php.net/) has announced (http://www.hardened-php.net/advisories/012004.txt) several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade (http://www.php.net/downloads.php) now."

kib
12-27-2004, 08:54
Thanks. I wouldn't have known otherwise.
And I just upgraded to 4.3.9 only 1 week before this new update. I wasn't planning on checking for updates again until around Feb.

Someone should make a mailing list that only carries messages about updates such as this one. The PHP mailing list as well as the FreeBSD ones are so full of general chatter that I would often miss important ones like this post if it weren't for it being on an otherwise quiet forum. I don't check forums often enough, but my email is something I check frequently; there just isn't enough time to read every single message from every single mailing list I subscribe to.

psyxakias
12-28-2004, 15:17
I keep seeing servers lately getting exploited with the previously mentioned PHP vulnerability and DoS'ing with a lot of Mbps. I just blocked a server that started a 90+ Mbps DoS (server owner hadn't even noticed it yet).

I strongly recommend everyone to upgrade your server's PHP to the latest version:
PHP4 web servers should get upgraded to 4.3.10 or latest
PHP5 web servers should get upgraded to 5.0.3 or latest

If you're currently using PHP4, you don't have to upgrade to PHP5, as this may break applications' compatibility on your server; you just have to upgrade your PHP to the latest 4.xx version (currently 4.3.10), which should be absolutely harmless.

For more information, you may visit these URLs:
http://isc.sans.org/diary.php?date=2004-12-17
http://www.hardened-php.net/advisories/012004.txt
http://news.com.com/Net+worm+using+Google+to+spread/2100-7349_3-5499725.html
http://money.cnn.com/services/tickerheadlines/djh/200412211603DOWJONESDJONLINE000746.htm

mikron15
12-28-2004, 15:42
On a side note, it's known that two PHPs (the system PHP and cPanel's internal PHP) are on your system IF you have cPanel. So when you update your system to PHP 4.3.10, your cPanel will show you 4.3.9 (I believe), since that's cPanel's internal PHP. Doing php --version at the SSH prompt will show you the system PHP version.

psyxakias
12-28-2004, 16:06
mikron15, that happens with most control panels (not just cPanel). However, what really matters is the version that your web daemon (i.e. Apache) uses, and the best way to find out is using phpinfo in a new PHP file that will just have this command: <? phpinfo(); ?> and then just view the web page with your browser ;)

mikron15
12-28-2004, 16:30
True, I just wanted others to know, though, or else they will start freaking out when they see two different PHP versions after they upgraded lol

faqall
12-28-2004, 16:31
Yeah, I noticed that problem and used phpinfo to see correctly what version was running, just to be 100% sure.