Thijs Lensselink ha scritto:
Niki wrote:
Hi all,
I'm using PHP 5.2.9 on a Windows dedicated server. Could you kindly
confirm me that I have to update to PHP 5.2.9-1
(http://www.php.net/archive/2009.php#id2009-03-10-1) only if I have
"curl" extension enabled (extension=php_curl.dll in php.ini) ?
Well nobody forces you to upgrade. But it would be wise. Now the bug in
curl is still fresh in your mind. But if you forget and decide to enable
it later. Big chance you vulnerable to some sort of attack.
(...)
However, do you confirm that the vulnerability (with ext/curl activated)
is exploitable running a "malicious" php script only? The attacker needs
to upload to the server that uses the extension libcurl a php page that
uses CURLOPT_FOLLOWLOCATION, isn't it?
If FTP access is correctly protected and the other applications on the
server do not allow uploading the "malicious" php script is not
possibile to make an attack, even if libcurl is enabled. Is it correct?
Thank you!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php