[PHP-users 3605] Re: Can PHP send automatic e-mail replies?
Masashi Ohba
php-users@php.gr.jp
Fri, 16 Nov 2001 16:08:43 +0900
This is Ohba.
桝形 誠二 wrote;
>What specifically is the hole?
>If you know, could you please tell me?
Even looking at the Changelog, since this is from a very long time ago,
October 21, 2000, Version 3.0.18
October 11, 2000, Version 3.0.17
April 05, 2000, Version 3.0.16
February 25, 2000, Version 3.0.15
January 11, 2000, Version 3.0.14
January 1, 2000, Version 3.0.13
July 28, 1999, Version 3.0.12
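honestly, I could not make out any entry that looked like it.
However, although I only vaguely remember the version, I have a faint
memory that an upgrade was recommended somewhere.
That said, in a FreeBSD ports Security Advisory there was the following:
Quote begins----------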
Topic: mod_php3/mod_php4 allows remote code execution
Category: ports
Module: mod_php3/mod_php4
Announced: 2000-11-20
Credits: Jouko Pynnönen <jouko@SOLUTIONS.FI>
Affects: Ports collection prior to the correction date.
Corrected: 2000-10-12 (mod_php4), 2000-10-18 (mod_php3)
Vendor status: Updated version released
FreeBSD only: NO
I. Background
php is a commonly used HTML-embedded scripting language.
II. Problem Description
The mod_php ports, versions prior to 3.0.17 (mod_php3) and 4.0.3
(mod_php4), contain a potential vulnerability that may allow a
malicious remote user to execute arbitrary code as the user running
the web server, typically user 'nobody'. The vulnerability is due to
a format string vulnerability in the error logging routines.
A web server is vulnerable if error logging is enabled in php.ini.
Additionally, individual php scripts may cause the web server to be
vulnerable if the script uses the syslog() php function regardless of
error logging in php.ini.
Quote ends----------
so that may be what I am remembering.
------------------------------------------------------------
大場正志(Masashi Ohba)
E-Mail ohba@intelight.co.jp
(株) インテライト
http://www.intelight.co.jp
------------------------------------------------------------
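
The bug class named in the quoted advisory (untrusted text reaching an error logging routine as the format string), as a minimal C illustration added here; it is not PHP's source and not part of the original message. `log_error`, `log_request_vulnerable`, `log_request_fixed` and `count_directives` are hypothetical names, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an error logging routine (not PHP's code):
 * formats its message printf-style, as syslog(priority, fmt, ...) does. */
static int log_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* VULNERABLE pattern: untrusted text is the format string, so directives in
 * it consume arguments never passed. Defined only for directive-free input. */
int log_request_vulnerable(char *out, size_t n, const char *untrusted)
{
    return log_error(out, n, untrusted);
}

/* FIXED pattern: constant format string, untrusted text is data only. */
int log_request_fixed(char *out, size_t n, const char *untrusted)
{
    return log_error(out, n, "%s", untrusted);
}

/* Audit helper: count conversion directives ("%%" is a literal percent). */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') s++;   /* escaped percent sign, not a directive */
        else count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: URL-encoded text already contains directives. */
    const char *sample = "upload of report%20final%s failed";
    char buf[128];
    log_request_fixed(buf, sizeof buf, sample);
    printf("%d directives, logged: %s\n", count_directives(sample), buf);
    return 0;
}
```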