The Artima Developer Community
Python Buzz Forum
PeopleAggregator security advisory for CVE-2007-5631

Phillip Pearson

Posts: 1083
Nickname: myelin
Registered: Aug, 2003

Phillip Pearson is a Python hacker from New Zealand
PeopleAggregator security advisory for CVE-2007-5631 Posted: Nov 11, 2007 4:06 PM
This post originated from an RSS feed registered with Python Buzz by Phillip Pearson.
Original Post: PeopleAggregator security advisory for CVE-2007-5631
Feed Title: Second p0st
Feed URL: http://www.myelin.co.nz/post/rss.xml
Feed Description: Tech notes and web hackery from the guy that brought you bzero, Python Community Server, the Blogging Ecosystem and the Internet Topic Exchange
A security vulnerability was recently discovered for PeopleAggregator and given the NIST ID CVE-2007-5631.

It's quite serious, allowing code injection; however, it is only a problem if you are running PA on a server with PHP's register_globals directive turned on. This directive is turned OFF on all Broadband Mechanics servers, so if you are hosting with us, you aren't in any danger. It's also off by default on most modern Linux distributions, so generally if you're running PHP5 you're probably OK.

I've seen shared hosts with it turned on, though, so it's quite possible that there are some exploitable PA installs out there. PeopleAggregator throws up a big red-lettered warning if you attempt to install with register_globals on, but will continue to run if you ignore the warning, and the exploit will still work if you upload but don't configure it. So if you hit the warning, then go away but don't delete it from your server, you're still vulnerable.

So, if you're running PA on a host which has register_globals turned on (or you don't know that it's definitely turned off), please upgrade to v1.2pre6+1, the security fix for v1.2pre6. v1.2pre7, which also includes the fixes, plus some extra hardening, will be coming out soon, but please don't wait :)

As always, the code is available at update.peopleaggregator.org.

Vulnerable versions are v1.2pre6-release-53 and anything earlier, and the fixed version is v1.2pre6-release-55.

Postscript: No thanks to the discoverer of this vulnerability, who went ahead and posted it publicly without informing us.
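As an added illustration (not PeopleAggregator's code, and not the actual CVE-2007-5631 bug, whose details the post does not give), the PHP below shows why the advisory scopes the problem to register_globals=On, the hardened form of the same pattern, and a startup check that refuses to serve rather than merely warning, which covers the "uploaded but never configured" case the post describes. The function and template names are hypothetical.

```php
<?php
// Added example, not PeopleAggregator's own code. Names are illustrative.

// With register_globals=On, every request parameter is turned into a global
// variable before the script runs, so any variable the code forgets to
// initialise can be supplied by the client. Hypothetical vulnerable pattern:
function render_page_vulnerable(): string
{
    // $template is never initialised here; with register_globals=On the
    // client can set it via ?template=..., so the include path is no longer
    // under the application's control. (Returns the path instead of including.)
    global $template;
    return "would include: templates/{$template}.php";
}

// Hardened form: read input only from the superglobal, validate against an
// allow-list, and never let an unset variable choose a file path. This is
// safe regardless of the register_globals setting.
function render_page_hardened(array $get): string
{
    $allowed  = ['home', 'profile', 'feed'];   // constructed allow-list
    $template = $get['template'] ?? 'home';
    if (!in_array($template, $allowed, true)) {
        $template = 'home';
    }
    return "would include: templates/{$template}.php";
}

// Detect the directive at runtime. ini_get() returns false on PHP builds
// that no longer have register_globals (removed in 5.4), which reads as Off.
function register_globals_is_on(): bool
{
    $value = ini_get('register_globals');
    return filter_var((string) $value, FILTER_VALIDATE_BOOLEAN);
}

// Unlike an install-time warning the operator can click past, a hard stop
// keeps an unconfigured upload from ever serving requests on a bad host.
if (register_globals_is_on()) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('register_globals is enabled; refusing to run. Set register_globals = Off in php.ini.');
}

echo render_page_hardened($_GET), "\n";
```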

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use