Changes between Initial Version and Version 3 of Ticket #427

Timestamp: 02/17/2007 04:50:59 PM (7 years ago)
Author: JavaWoman
Comment:

  • Ticket #427

    • Property type changed from defect to enhancement
  • Ticket #427 – description

    initial (line 1):
    In November 2006, a "'''highly critical'''" (Secunia, see {{{[3]}}}) vulnerability in PHP's handling of '''htmlentities()''' and '''htmlspecialchars()''' was announced (see refs) and fixed by PHP in release 5.2; the [http://www.php.net/releases/5_2_0.php release announcement for PHP 5.2] makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its [http://www.php.net/releases/4_4_5.php release announcement] makes no mention of any fix for this vulnerability. Ref {{{[4]}}} does mention an unofficial patch available from http://cvs.php.net/.[[BR]]

    v3 (line 1):
    In November 2006, a "'''highly critical'''" (Secunia, see {{{[3]}}}) vulnerability in PHP's handling of '''htmlentities()''' and '''htmlspecialchars()''' was announced (see refs) and fixed by PHP in release 5.2; the [http://www.php.net/releases/5_2_0.php release announcement for PHP 5.2] makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its [http://www.php.net/releases/4_4_5.php release announcement] makes no mention of any fix for this vulnerability. Ref {{{[4]}}} does mention an unofficial patch available from http://cvs.php.net/. [[BR]]

    line 2 (unchanged in both versions):
    Many hosters do not even provide version 5.x, and quite a number of them are not particularly quick at upgrading PHP versions, let alone applying unofficial patches. Only installations running on FreeBSD or OpenBSD have a degree of protection ({{{[4]}}}), but it can be safely assumed that is a minority.