This month March? many exploits now popping up and some 0day sploits are still hidding. Even how updated your php powered application like WordPress, Joomla and others if your PHP version in your Linux and *BSD servers is way behind stable releases your hosting box is still vulnerable for compromise and mass-defacements.

Like PHP 4 – phpinfo() XSS Testcase  where to manually test for this vulnerability just call the phpinfo() page with a parameter like this.

http://localhost/phpinfo.php?a[]=<script>alert(/XSS/);</script>

So if you maintain a server for a webhosting running outdated PHP version do update fast!. Theres so many ways to exploit your server from local or remotely as exploits script widely available in internet like in milw0rm (i miss the old days of hack.co.za *sigh*).

I’m planning to feature some exploits and how to use it or go around with the vulnerability but still awkward posting since i still thinking of legal consequences. Its for reason that we should be aware and keep the lazy network/system administrator working his/her butts off.

This month will be for PHP that recently release it’s PHP 4.4.6. Heres the Security Enchancements and fixes in PHP 5.2.1 and PHP 4.4.5:

  • Fixed possible safe_mode & open_basedir bypasses inside the session extension.
  • Fixed unserialize() abuse on 64 bit systems with certain input strings.
  • Fixed possible overflows and stack corruptions in the session extension.
  • Fixed an underflow inside the internal sapi_header_op() function.
  • Fixed non-validated resource destruction inside the shmop extension.
  • Fixed a possible overflow in the str_replace() function.
  • Fixed possible clobbering of super-globals in several code paths.
  • Fixed a possible information disclosure inside the wddx extension.
  • Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
  • Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() functions.
  • Fixed a string format vulnerability inside the odbc_result_all() function.

If your site gets defaced because of being lazy like me don’t rant like i do! lols! I have some issues with hosting before when my sites get defaced.

Mass hunting for servers with PHP Bugs? i don’t … im lazy now unlike before that i’m aggressive for the love of IRC drone bots. LOL.