Context Navigation

← Previous Change
Ticket History
Next Change →

Changes between Initial Version and Version 3 of Ticket #427

Timestamp:: 02/17/2007 04:50:59 PM (6 years ago)
Author:: JavaWoman
Comment:

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #427
- Property type changed from defect to enhancement

Ticket #427 – description

initial	v3
1		In November 2006, a "'''highly critical'''" (Secunia, see {{{[3]}}}) vulnerability in PHP's handling of '''htmlentities()''' and '''htmlspecialchars()''' was announced (see refs) and fixed by PHP in release 5.2; the [http://www.php.net/releases/5_2_0.php release announcement for PHP 5.2] makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its [http://www.php.net/releases/4_4_5.php release announcement] makes no mention of any fix for this vulnerability. Ref {{{[4]}}} does mention an unofficial patch available from http://cvs.php.net/.[[BR]]
	1	In November 2006, a "'''highly critical'''" (Secunia, see {{{[3]}}}) vulnerability in PHP's handling of '''htmlentities()''' and '''htmlspecialchars()''' was announced (see refs) and fixed by PHP in release 5.2; the [http://www.php.net/releases/5_2_0.php release announcement for PHP 5.2] makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its [http://www.php.net/releases/4_4_5.php release announcement] makes no mention of any fix for this vulnerability. Ref {{{[4]}}} does mention an unofficial patch available from http://cvs.php.net/. [[BR]]
2	2	Many hosters do not even provide version 5.x, and quite a number of them are not particularly quick at upgrading PHP versions, let alone applying unofficial patches. Only installations running on FreeBSD or OpenBSD have a degree of protection ({{{[4]}}}) but it can be safely assumed that is a minority.
3	3