Owners of PHP powered websites URGED to upgrade...

Discussion in 'other security issues & news' started by javacool, Feb 28, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    All users of PHP are strongly encouraged to either upgrade to PHP 4.1.2, or install the patch (available for PHP 3.0.18, 4.0.6 and 4.1.0/4.1.1).

    More information on the vulnerabilities is available in my previous post on this topic.
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
  3. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Re: Owners of PHP powered websites URGED to upgrad

    Javacool:

    How's this for action? I have what I think is the best web host around. I've been with DreamHost for 6 years and they have never let me down. Always, always, always putting the customer first, excellent service, packages and plans. But, THIS really impressed me. I received this in my inbox at 5:25 p.m. today (2-28-02):

    The following is an Upgrade announcement, sent 2002-02-28 13:56:08.

    You are receiving it via email because it is level 2 and
    your account is set to get announcements of that level via email.
    You can change that by visiting our web panel's announcement
    area at:
    https://panel.dreamhost.com/?tab=status&subtab=announce

    Because of the recent discovery of an exploit in the version of PHP we've been running, PHP was upgraded this morning to the latest version. We should now be immune from any PHP exploits.

    We upgraded from PHP 4.0.6 to PHP 4.1.2.

    More information on the exploit is available here:
    http://www.cert.org/advisories/CA-2002-05.html

    Thank you for taking the time to read this announcement.

    The DreamHost Announcement Team


    Pretty impressive, huh?

    John
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re: Owners of PHP powered websites URGED to upgrad

    Honestly, anything less would have been unacceptable.
     
  5. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Re: Owners of PHP powered websites URGED to upgrad

    Unicron:

    You are absolutely right! BUT, there are web hosts all over the country who have not performed the upgrade yet. In fact, I called three colleagues who use other web hosts (I'll leave the names of those hosts out for obvious reasons) and asked them to call their support and ask about this. Of the three, all three had hosts utilizing PHP, said there were no announcements when signing on to their control panels. One actually had to talk to the president of the company who said he was unaware of the upgrade to 4.1.2 OR THE AVAILABILITY PATCH!

    You are so right, what DreamHost did the same day it was released is exactly what should be expected by the customer and anything less is unacceptable. I was praising DreamHost really for the speed in which they did it, their being on top of these matters and not just for doing it, as you are so right, anything less is not only unacceptable but says a lot about web hosts who have not made the upgrade, or at least installed the patch. Anyone using a PHP-powered web host provider, it's worth a call concerning this, it's a perfect test to see how vigilant they are about security.

    John
     
  6. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re: Owners of PHP powered websites URGED to upgrad

    Speed is good, but you ARE paying them to do something for you that you cannot do yourself (or don't want the headaches of). If they can't do it, find someone who can. Anybody can run a webhosting company poorly, and that is not worth paying for. Once I had to call a webhost on behalf of a client to inform them that I could read the administrative passwords for their SQL Server databases, and any server-side code in their webpages (via the infamous +.htr vulnerability). They had no idea that MS maintains a hotfix site for server admins. Inexcusable! They are paid to know these things. How lucky they are that I helped them fix this before someone did any damage (like steal credit card numbers). It showed that these people are amateurs, and have no business hosting websites. These companies should bear some responsibility for their own security, but unfortunately most do not.
     
  7. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re: Owners of PHP powered websites URGED to upgrad

    If I had such a thing happen with a webhost I was sending my money to (supposedly for them to maintain my site) I would take my business elsewhere.

    I also agree with your point on response speed - it should only be EXPECTED that the webhosting companies update their servers to protect against the latest vulnerabilities. Again, anything less, and I would take my business elsewhere.
     
  8. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Re: Owners of PHP powered websites URGED to upgrad

    Amazing, Unicron. It makes you wonder what in the world people are doing when they think they can run a business in which they don't know such basic information.

    And Javacool, like I wrote to Unicron, it is something that should just be expected. But, as you said, when you are putting it all into the hands of someone else, you have to have a measure of trust. You know, I've never thought of this before because I've been with DreamHost for so long; but I think a good question for anyone concerned with security is to ask a potential WH provider several questions - Who is in charge of security? What are their credentials? Even ask for an email from the responsible individual to give you a "sales pitch" on their commitment to the security of your site. The response to the questions and the willingness to respect your concerns could go a long way toward telling you if you want your site hosted with that company.

    The weekend is here! It's been a looonnng week. Tracy has laryngitis and couldn't work, or cook, all week and it's been like batchin it! Makes me realize you can't take the things a wife does everyday for granted. She's a jewel.

    John
     
  9. FanJ

    FanJ Guest

    Re: Owners of PHP powered websites URGED to upgrad

    Hi John,

    Best wishes for Tracy !

    Jan.
     