vaughan (CTW Members), posted December 22, 2004

there's a new version of PHP released, version 4.3.10, and any1 using a version below that is advised to upgrade immediately due to a number of discovered security issues.

the main issues are: These include the following:

CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.

what this means basically is that sites using certain scripts, mainly vbulletin, invision & phpbb, are vulnerable to attacks from mysql injection on a server wide basis. even though your site may not be vulnerable as it doesn't use those functions above, it doesn't stop this bug, as any other site hosted on the same servers your site is on can easily be affected and could take your site down too..

with that in mind, there's a new worm going round exploiting this vulnerability by injecting and running a perl script which allows the virus to traverse server directories whether safe mode is enabled or not. the worm searches the server for world writable files (chmod 666 & 777), it then overwrites them all with a defacement message.. and ur site is unusable till u replace all the deleted files..

This is not a HOAX either, i myself have been on the phone doin tech support and having conversations with the host of the sites i have created for other people all day long.

there is nothin you can do as a user, other than inform your server hosts and get them to upgrade asap..

also note that due to incompatibilities between versions, when upgrading make sure they also upgrade zend optimizer or you'll find your site will no longer function correctly..

thought i'd let u know just in case

regards all & Merry Xmas

Vaughan
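Added example (not part of vaughan's post or the thread): a shell audit that lists the world-writable files (666/777) and directories under a web root, which is what the post says the worm looks for and overwrites. The function names and the constructed demo tree are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Lists what any local account
# (including another customer's compromised script on a shared host)
# could overwrite under a web root.

# Print "F <path>" for world-writable regular files (e.g. 666, 777) and
# "D <path>" for world-writable directories. find matches on mode bits
# and does not follow symlinks, so the result is the same for any caller.
list_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f -perm -0002 -exec printf 'F %s\n' {} \;
    find "$root" -type d -perm -0002 -exec printf 'D %s\n' {} \;
}

# Count entries of one kind ("F" or "D") reported for a root.
# grep -c exits non-zero on a count of 0, hence the "|| true".
count_world_writable() {
    list_world_writable "$2" | grep -c "^$1 " || true
}

# Constructed demo tree so the script runs offline.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    : > "$d/index.php"; : > "$d/config.php"; : > "$d/uploads/a b.jpg"
    chmod 644 "$d/index.php"                   # owner-writable only: not reported
    chmod 666 "$d/config.php"                  # reported as F
    chmod 777 "$d/uploads/a b.jpg" "$d/uploads" # reported as F and D
    list_world_writable "$d"
    rm -rf "$d"
}

# Usage: sh audit.sh /path/to/webroot   (no argument runs the demo tree)
if [ $# -gt 0 ]; then list_world_writable "$1"; else demo; fi
```

Files reported as F can be tightened with chmod o-w once the owning user and the web server's user are confirmed; directories reported as D are places where new files can be dropped and need the same review.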
James (CTW Admin), posted December 22, 2004

Vaughan,

Cheers for that - I am hoping to have a bit of time over xmas to upgrade the board and possibly PHP etc. but it's all dependent on work I'm afraid and exactly how much spare time I will have in order to carry this out (currently not looking good!)

James@ClubTheWorld.uk
CTW Founder | ClubTheWorld.uk | Twitter | Instagram
Clubbing the world together ...
Dani Babyboo (CTW Moderators), posted December 22, 2004

can't no1 else do it for u if they know what they are doin and have time? we do not want to lose the site

🎧20,000 Hardcore members, I say the future is ours🎧
James (CTW Admin), posted December 22, 2004

hey dani - site is perfectly safe hun ! lol

Hope to see you out over xmas Dani ???
Dani Babyboo (CTW Moderators), posted December 22, 2004

hey alls cool and no not clubbing till next year now, even though my dad has just said he wants shay on new years eve GET IN. i am jus gona go out with my bf to a club in leamington and get drunk, i can't afford travel and the price of clubbin on a new years eve when i've just bought 200 quids worth of presents for my kids lmao

will defo sort summat in new year, i fancy 2 nites lol, rocket club or wildchild in feb