Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: Mike Tone <simpletone () mbox com au>
Date: Tue, 26 Feb 2002 13:15:44 +1100

One quick thing we should get straight... 

PHP has problems on the win32 platform (Apache 1.3.x)...

but on *nix as well??  

--snip-from-bugware
PHP for windows arbitrary files execution (feb2002)

SYSTEMS AFFECTED
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows
        
PROBLEM
CompuMe and RootExtractor posted :

An attacker can upload innocent looking files (with mp3, txt or gif
extensions) through any uploading systems such as WebExplorer (or any
other PHP program that has uploading capabilities), and then request
PHP to execute it.
--snap


As for BIND issues (I have nfi), blame non-disclosure.

