Niki schreef: > Thijs Lensselink ha scritto: >> Niki wrote: >>> Hi all, >>> >>> I'm using PHP 5.2.9 on a Windows dedicated server. Could you kindly >>> confirm me that I have to update to PHP 5.2.9-1 >>> (http://www.php.net/archive/2009.php#id2009-03-10-1) only if I have >>> "curl" extension enabled (extension=php_curl.dll in php.ini) ? >> >> Well nobody forces you to upgrade. But it would be wise. Now the bug in >> curl is still fresh in your mind. But if you forget and decide to enable >> it later. Big chance you vulnerable to some sort of attack. > (...) > > However, do you confirm that the vulnerability (with ext/curl activated) > is exploitable running a "malicious" php script only? The attacker needs > to upload to the server that uses the extension libcurl a php page that > uses CURLOPT_FOLLOWLOCATION, isn't it? > If FTP access is correctly protected and the other applications on the > server do not allow uploading the "malicious" php script is not > possibile to make an attack, even if libcurl is enabled. Is it correct? essentially, yes. note that if someone can upload a script and run it, a bug in curl in the least of your worries. you have already been owned. the curl issue is more pertinent to situations where one is using curl with CURLOPT_FOLLOWLOCATION (which seems like you'd want to use it normally) and an attacker has some idea about how to be on the receiving end of the curl call ... there by allowing them to make your curl call eat some nasty url (which may cause you to disclose sensitive info the the callee, that was intended, for example, for a ligitemate webservice ... at least that's the way I understand it (hopefully someone will correct me if I've got my wires crossed) P.S. please use a valid email address. > Thank you! > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php