New PHP Critical Flaw found

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
mattdpeterson
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Fri Aug 19, 2005 7:01 am
Location: Atlanta, GA

New PHP Critical Flaw found

Post by mattdpeterson » Thu Aug 25, 2005 7:36 pm

hey guys, anyone know what the impact of this vulnerability is on $ambo

http://www.theinquirer.net/?article=25697

What would the impact to mambo be to using the hardened PHP out there?

User avatar
mattdpeterson
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Fri Aug 19, 2005 7:01 am
Location: Atlanta, GA

Re: New PHP Critical Flaw found

Post by mattdpeterson » Thu Aug 25, 2005 7:38 pm

doing a quick seach on the core code, the only file I find that uses eval() is the geshi mambot

de
Joomla! Ace
Joomla! Ace
Posts: 1477
Joined: Thu Aug 18, 2005 9:06 am
Contact:

Re: New PHP Critical Flaw found

Post by de » Thu Aug 25, 2005 7:57 pm

The problem is not using eval per-se I'd say... but using it wrong...
Anyway If I understand it correctly it is a late report of a not so new security report:
http://www.hardened-php.net/advisory_142005.66.html

See also:
http://forum.mamboserver.com/showthread.php?t=51129

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: New PHP Critical Flaw found

Post by masterchief » Thu Sep 01, 2005 4:45 am

The problem revealed itself in the PEAR XML-RPC library.  We use a different one (phew), but de is right.  Any inbuilt function can be abused if mis-used by the programmer.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


Locked

Return to “Security - 1.0.x”