Tag Archives: Security

PHP 5.4.3 and PHP 5.3.13 released – important security fix for php cgi

May 11, 2012 5:45 pm /

If you are running php-cgi, there is a major vulnerability that will allow attackers to view and run PHP source code on your site.

Resources on the vulnerability:
http://blog.spiderlabs.com/2012/05/honeypot-alert-active-exploit-attempts-for-php-cgi-vuln.html
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ 

  • Many nginx setups use php-cgi, so it is critical to patch PHP to the latest version or apply the recommended fixes through Apache Rewrite.
  • Mod_php and php-fpm systems are not vulnerable to this attack. Most Apache web server setups use the mod_php method for PHP.

Read More →

Posted in: PHP / Tagged: ,

CodeIgniter 1.7.2 Security Patch

August 14, 2010 1:33 am /

If you are running CodeIgniter 1.7.2, there is a security flaw with the file upload class. (fixed on July 12, 2010)  The easiest way to install the patch is to use the standalone patch http://codeigniter.com/download_files/CI_1.7.2_201007_sec_patch.zip and unzip the file to the Code Igniter system/libraries folder.

Posted in: Frameworks, PHP / Tagged: ,

VMWARE Server 2.02 Update

November 13, 2009 2:29 pm /

VMWARE Server 2.02 has been released October 27, 2009. It includes a few important security updates for VMWARE Server. If you are running a Linux server with VMWARE server 2.01, I strongly suggest to upgrade due to the “Directory Traversal Vulnerability” — which may allow for remote retrieval of any file from the host system.

Security Fixes with VMWARE 2.02

  • New: Exception handling privilege escalation on Guest Operating System This release addresses a security vulnerability in exception handling. Improper setting of the exception code on page faults might allow for local privilege escalation on the guest. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2267 to this issue.

  • New: Directory Traversal Vulnerability on Linux-based hosts This release addresses a directory traversal vulnerability that is present on host systems and that may allow for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides. The issue is present on Linux-based hosts only, not on Windows-based hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3733 to this issue.

There’s a number of workarounds listed in the VMWARE Server 2.02 Release notes

Download the latest version of VMware Server 2

Posted in: VMWARE / Tagged: ,

WordPress 2.8.2 Released

July 22, 2009 12:11 pm /

WordPress 2.8.2 has been released. This affects both WordPress and WordPress MU. I recommend upgrading your current version since it contains a security fix.

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.

For more details, visit:
http://wordpress.org/development/2009/07/wordpress-2-8-2/

You can automatically upgrade WordPress within your control panel, or manually upgrade via:
http://wordpress.org/download/

WordPress MU download:
http://mu.wordpress.org/download/

Posted in: PHP / Tagged: ,