Owners of PHP powered websites URGED to upgrade...


javacool
February 28th, 2002, 04:47 PM
All users of PHP are strongly encouraged to either upgrade to PHP 4.1.2 (http://www.php.net/downloads.php), or install the patch (available for PHP 3.0.18, 4.0.6 and 4.1.0/4.1.1) (http://www.php.net/downloads.php).

More information on the vulnerabilities is available in my previous post on this topic.
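The advisory above gives three outcomes for a host: already on 4.1.2 or later, on a version the patch exists for, or on something older that must be upgraded. The script below is an added example (not code from the thread or from php.net) that turns that into a check a site owner can run against the banner a host's `php -v` prints. It assumes, as an assumption not stated in the thread, that applying the source patch leaves the reported version string unchanged, so a version below 4.1.2 can only ever be reported as "patch available, confirm with the host", never as fixed; the sample banners at the bottom are constructed for the demo.

```python
import re
import subprocess

# Version the advisory names as the fix.
FIXED_VERSION = (4, 1, 2)

# Versions the advisory says a patch is available for. Assumption: a patched
# build still reports its original version, so these can only be confirmed
# out of band (ask the host), not from the banner alone.
PATCHABLE_VERSIONS = {(3, 0, 18), (4, 0, 6), (4, 1, 0), (4, 1, 1)}

# Matches the leading "PHP X.Y.Z" of a `php -v` banner; any suffix such as
# "RC1" or "-dev" after the numeric part is ignored.
VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) parsed from a `php -v` banner."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("no PHP version found in banner: %r" % banner)
    return tuple(int(part) for part in match.groups())


def classify(version):
    """Map a version tuple to one of the advisory's three outcomes."""
    if version >= FIXED_VERSION:
        return "fixed"
    if version in PATCHABLE_VERSIONS:
        return "patch-available"  # must be confirmed with the host
    return "upgrade-required"


def check_host(banner):
    """Convenience wrapper: banner text in, outcome string out."""
    return classify(parse_php_version(banner))


def installed_php_banner():
    """Run the local php binary; returns None when php is not installed."""
    try:
        result = subprocess.run(["php", "-v"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout


if __name__ == "__main__":
    # Constructed sample banners covering each outcome.
    samples = [
        "PHP 4.1.2 (cli) (built: Feb 27 2002 10:00:00)",
        "PHP 4.0.6 (cgi) (built: Jun 23 2001 12:00:00)",
        "PHP 4.0.5 (cgi) (built: Apr 30 2001 12:00:00)",
    ]
    for banner in samples:
        print("%-50s -> %s" % (banner, check_host(banner)))

    # Also check whatever php is on this machine, if any.
    local = installed_php_banner()
    if local:
        print("local php -> %s" % check_host(local))
```

A result of "patch-available" is a prompt to ask the host whether the patch was actually applied, which is exactly the phone call the later posts in this thread recommend.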

javacool
February 28th, 2002, 05:21 PM
Earlier post here: http://www.security-pro.co.uk/yabb/YaBB.pl?board=osif;action=display;num=1014847709

luv2bsecure
February 28th, 2002, 10:41 PM
Javacool:

How's this for action? I have what I think is the best web host around. I've been with DreamHost for 6 years and they have never let me down. Always, always, always putting the customer first, excellent service, packages and plans. But, THIS really impressed me. I received this in my inbox at 5:25 p.m. today (2-28-02):

The following is an Upgrade announcement, sent 2002-02-28 13:56:08.

You are receiving it via email because it is level 2 and
your account is set to get announcements of that level via email.
You can change that by visiting our web panel's announcement
area at:
https://panel.dreamhost.com/?tab=status&subtab=announce

Because of the recent discovery of an exploit in the version of PHP we've been running, PHP was upgraded this morning to the latest version. We should now be immune from any PHP exploits.

We upgraded from PHP 4.0.6 to PHP 4.1.2.

More information on the exploit is available here:
http://www.cert.org/advisories/CA-2002-05.html

Thank you for taking the time to read this announcement.

The DreamHost Announcement Team

Pretty impressive, huh?

John

UNICRON
March 1st, 2002, 05:12 AM
honestly, anything less would have been unacceptable

luv2bsecure
March 1st, 2002, 06:53 PM
Unicron:

You are absolutely right! BUT, there are web hosts all over the country who have not performed the upgrade yet. In fact, I called three colleagues who use other web hosts (I'll leave the names of those hosts out for obvious reasons) and asked them to call their support and ask about this. Of the three, all had hosts utilizing PHP, and all said there were no announcements when signing on to their control panels. One actually had to talk to the president of the company, who said he was unaware of the upgrade to 4.1.2 OR THE AVAILABILITY OF THE PATCH!

You are so right, what DreamHost did the same day it was released is exactly what should be expected by the customer and anything less is unacceptable. I was praising DreamHost really for the speed with which they did it, their being on top of these matters, and not just for doing it, as you are so right, anything less is not only unacceptable but says a lot about web hosts who have not made the upgrade, or at least installed the patch. For anyone using a PHP-powered web host provider, it's worth a call concerning this; it's a perfect test to see how vigilant they are about security.

John

UNICRON
March 1st, 2002, 07:02 PM
Speed is good, but you ARE paying them to do something for you that you cannot do yourself (or don't want the headaches of). If they can't do it, find someone who can. Anybody can run a webhosting company poorly, and that is not worth paying for. Once I had to call a webhost on behalf of a client to inform them that I could read the administrative passwords for their SQL Server databases, and any server-side code in their webpages (via the infamous +.htr vulnerability). They had no idea that MS maintains a hotfix site for server admins. Inexcusable! They are paid to know these things. How lucky they are that I helped them fix this before someone did any damage (like stealing credit card numbers). It showed that these people are amateurs, and have no business hosting websites. These companies should bear some responsibility for their own security, but unfortunately most do not.

javacool
March 1st, 2002, 07:55 PM
-{ Quote: "Speed is good, but you ARE paying them to do something for you that you cannot do yourself (or don't want the headaches of). If they can't do it, find someone who can. Anybody can run a webhosting company poorly, and that is not worth paying for. Once I had to call a webhost on behalf of a client to inform them that I could read the administrative passwords for their SQL Server databases, and any server-side code in their webpages (via the infamous +.htr vulnerability). They had no idea that MS maintains a hotfix site for server admins. Inexcusable! They are paid to know these things. How lucky they are that I helped them fix this before someone did any damage (like stealing credit card numbers). It showed that these people are amateurs, and have no business hosting websites. These companies should bear some responsibility for their own security, but unfortunately most do not." }-

If I had such a thing happen with a webhost I was sending my money to (supposedly for them to maintain my site) I would take my business elsewhere.

I also agree with your point on response speed - it should only be EXPECTED that the webhosting companies update their servers to protect against the latest vulnerabilities. Again, anything less, and I would take my business elsewhere.

luv2bsecure
March 2nd, 2002, 04:03 AM
Amazing, Unicron. It makes you wonder what in the world people are doing when they think they can run a business in which they don't know such basic information.

And Javacool, like I wrote to Unicron, it is something that should just be expected. But, as you said, when you are putting it all into the hands of someone else, you have to have a measure of trust. You know, I've never thought of this before because I've been with DreamHost for so long; but I think a good question for anyone concerned with security is to ask a potential WH provider several questions - Who is in charge of security? What are their credentials? Even ask for an email from the responsible individual to give you a "sales pitch" on their commitment to the security of your site. The response to the questions and the willingness to respect your concerns could go a long way toward telling you if you want your site hosted with that company.

The weekend is here! It's been a looonnng week. Tracy has laryngitis and couldn't work, or cook, all week and it's been like batchin' it! Makes me realize you can't take the things a wife does everyday for granted. She's a jewel.

John


FanJ
March 2nd, 2002, 08:04 AM
Hi John,

Best wishes for Tracy!

Jan.