PHP Security Updates: 4.4.7 and 5.2.2
This was not mentioned earlier, which was an oversight. A number of critical security holes have been closed in both PHP 4 and PHP 5, and we are in the process of upgrading to these versions on all of our servers, starting May 7, 2007. We have heard reports of a few problems with specific applications such as Drupal and Wordpress (XMLRPC only). We normally go slowly with PHP upgrades because of their propensity to cause problems, but the nature of the security flaws plugged by these versions has mandated a quicker than normal upgrade.
Servers in the postal, swarthy and randy clusters have been updated already. You can figure out your cluster by looking at the ‘Account Status’ box in our web control panel. The cluster name is listed as ‘Your Email Server’.
May 16th, 2007 at 11:45 am
My site is down!
Actually, it isn’t. Just wanted to be the first to post to one of these threads. Thanks DH for letting users know what is going on.
May 16th, 2007 at 12:25 pm
… “do to …” — Oye Vey! — If you absolutely must:: “due to”, but I believe proper english grammer suggests “because of”.
OK, OK, I’m a grammer nazi. sorry.
In any case, thanks for the vigilance in keeping things current.
May 16th, 2007 at 12:34 pm
Thanks for notifying us of this upgrade as I suggested. Since it has caused issues for some of us, it should have been a priority to let us know what had been upgraded here rather than worrying about the “fun” stuff.
The update of PHP to 4.4.7 which has just been rolled out has introduced a critical bug in the way $_REQUEST vars are sent from the browser to PHP code (getting double-urlencoded incorrectly). I don’t use “Drupal” or “Wordpress” and I have been chasing this issue with support for a few days. At the moment there is no bug notification on this issue at php.net - let’s hope someone from DH can confirm this to them and get this issue on the tab at least.
If you have noticed problems in your PHP pages with URL strings containing urlencoded POST parameters like:
?myvar=%22String+with+quotes%22
suddenly being returned as:
?myvar=%2522String+with+quotes%2522
and breaking code that uses them, then you now know why. Browser URLs produced from PHP pages responding to HTML forms with these sorts of POST vars are incorrect. Doing a (previously unnecessary) urldecode on $_REQUEST array elements that may require it before use will solve the problem for now.
May 16th, 2007 at 12:35 pm
So how serious are these security holes?
I’ve some sites running with self-compiled PHP for LDAP support.
I feel like recompiling all over..
May 16th, 2007 at 12:50 pm
So that explains the fact that confidential posts were being published on a blog I run. That was quite embarrassing.
May 16th, 2007 at 12:53 pm
Also note that the correct updated version of your PHP is NOT showing in the webpanel under “Manage Domains”. (My swarthy domains all still show 4.4.2 and 5.2.1). Guess you’ll all know when you’ve been upgraded when your sites start breaking… :S
May 16th, 2007 at 1:08 pm
For anyone worried about their Wordpress 2.2 install, it should work fine on PHP 5.2.2 since they’ve added work-arounds in the code for it. So if you’re running WP, upgrade now!
May 16th, 2007 at 1:19 pm
SSH Open
FTP Open
Dream Panel and Webmail Open
But My Site’s Closed
14:18:52 up 34 min, 3 users, load average: 2.47, 2.19, 2.08
May 16th, 2007 at 2:09 pm
Gee, can I complain about something? Well, I’ve a WordPress plug-in that isn’t working, but I’m talking to the author on Skype, so that’ll be resolved.
Oh well.
Peace,
Gene
May 16th, 2007 at 2:20 pm
@Mac tips: Recompiling to avoid security bugs is like flossing.
You don’t have to floss all of your teeth, only the ones you want to keep
May 16th, 2007 at 3:41 pm
Site’s down… :’(
May 16th, 2007 at 5:43 pm
The issue with double-encoded POST vars has been tracked down, and thankfully isn’t due to the recent PHP upgrades. As I initially considered, it seems to be an Apache misconfig or bug. For the purposes of closing off the technical discussion in the thread in which I started it, should someone find it later, here’s how to reproduce it:
Have a domain set up to accept addressing by http://www.mydomain but with the option to add www if it’s left out. Create an HTML form such as this:
instead of this:
so that the form redirects between the two domain addressing types - all vars in that form have been urlencoded incorrectly a second time by the time they reach your PHP code.
Reconfiguring the domain to accept both forms of addressing (with/without www) seems to solve the issue as well as changing the addressing in the HTML form. Hope this helps someone else figure out a very obscure server bug.
May 16th, 2007 at 5:48 pm
Neat, of course it would strip the HTML out…
Insert above…
method="get" action="http://mydomain…/ some.php" (ie. without www)
instead of
method="get" action="http://www.mydomain…/ some.php"
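The redirect-induced double encoding described in the two comments above, reproduced as an added example (Python rather than PHP; this is not code from the thread or from the hosting provider). The host names and the myvar field come from the comments; the two redirect functions are assumptions that model the behaviour described, not the actual Apache configuration, and the last function shows the check a practitioner would want before reaching for a blanket second urldecode on $_REQUEST.

```python
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample input: the value a user types into the form discussed
# above (double quotes included, so the browser must percent-encode it).
FORM_FIELDS = {"myvar": '"String with quotes"'}


def browser_request_url(action, fields):
    """What a browser sends for a method="get" form: each field encoded once."""
    return f"{action}?{urlencode(fields)}"


def buggy_redirect(request_url, canonical_host):
    """Assumed model of the misbehaving www-redirect: it rewrites the host but
    treats the already-encoded query string as raw text and percent-encodes it
    a second time, so '%22' becomes '%2522' (the symptom quoted in the thread)."""
    p = urlsplit(request_url)
    requoted = quote(p.query, safe="=&+")  # '%' is not in the safe set, hence '%25'
    return urlunsplit((p.scheme, canonical_host, p.path, requoted, p.fragment))


def correct_redirect(request_url, canonical_host):
    """Host rewrite that passes the query string through byte for byte."""
    p = urlsplit(request_url)
    return urlunsplit((p.scheme, canonical_host, p.path, p.query, p.fragment))


def server_params(url):
    """What the PHP script sees in $_GET / $_REQUEST: exactly one decoding pass."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def looks_double_encoded(value):
    """A decoded parameter that still changes under another decoding pass was
    probably encoded twice upstream. Use this to log or alert, not to decode
    blindly: a user can legitimately submit the literal text '%22', and a
    blanket second urldecode() on $_REQUEST would silently alter that input."""
    return unquote(value) != value


def trace(action, canonical_host, fields=FORM_FIELDS):
    """Run one form submission through both redirect models and report what
    the application would receive in each case."""
    sent = browser_request_url(action, fields)
    result = {}
    for name, redirect in (("buggy", buggy_redirect), ("correct", correct_redirect)):
        landed = redirect(sent, canonical_host)
        params = server_params(landed)
        result[name] = {
            "location": landed,
            "myvar": params["myvar"],
            "double_encoded": looks_double_encoded(params["myvar"]),
        }
    return result


if __name__ == "__main__":
    for name, info in trace("http://mydomain/some.php", "www.mydomain").items():
        print(f"{name:8s} {info['location']}")
        print(f"         myvar={info['myvar']!r} double_encoded={info['double_encoded']}")
```

The buggy path lands on the %2522 URL quoted in the thread while the script receives a literal %22 pair; the correct path delivers the quotes intact. The fix belongs at the redirect (or in serving both host forms, as the comment says), not in the application: decoding twice on $_REQUEST also mangles any percent sequence a user meant literally, and double encoding is a well-known way to slip input past filters that decode only once, so normalising it away in application code hides the misconfiguration rather than fixing it.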
May 16th, 2007 at 6:26 pm
Lorenzo
Funny that a self-professed grammar nazi should spell “grammar” wrong.
May 17th, 2007 at 12:38 am
spunky cluster is also down
May 17th, 2007 at 12:41 am
M’i a sydlexic spilleng niza. You’er all rongw!
May 17th, 2007 at 1:25 am
The control panel is down at the moment
May 17th, 2007 at 1:26 am
…but at least I’ve found a way around *every single comment I ever make being marked as Spam*
May 17th, 2007 at 2:05 am
Phew “spacey” was down for awhile. Its back up now. Hopefully that is it.
May 17th, 2007 at 3:22 am
At Richard: Now, if we can just find a way to get it across to you that whining about the panel being down on a status blog post that has nothing to do with the panel, never mind the fact the support staff probably won’t even *see* your whining, isn’t gonna do a damn thing to fix the problem, that’d be awesome. And I didn’t even have to point out the fact you don’t have a clue what you’re talking about. The panel’s working fine. As usual. Call your ISP. Or learn how to diagnose your own connectivity issues yourself.
May 17th, 2007 at 7:12 am
> Phew “spacey” was down for awhile. Its back up now. Hopefully that is it.
Yeah spacey seems to have been having load issues lately
I’m confident that’ll get dealt with somehow for the long term.
May 17th, 2007 at 7:19 am
RAD!
May 17th, 2007 at 9:25 am
Well, I guess that explains why my website is down… right at the moment I wanted to blog something…
May 17th, 2007 at 9:33 am
My website, HughDancy.info, is down, and I get this error on IE. Will it be back up soon??
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
——————————————————————————–
Please try the following:
Click the Refresh button, or try again later.
If you typed the page address in the Address bar, make sure that it is spelled correctly.
To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options.
On the Connections tab, click LAN Settings.
Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.
Cannot find server or DNS Error
Internet Explorer
May 17th, 2007 at 10:31 am
The control panel is down.
May 17th, 2007 at 12:12 pm
These updates also included an upgrade for PCRE — which is causing segmentation faults for anyone running SimplePie. It would’ve been nice to have a heads up.
May 17th, 2007 at 2:03 pm
Oh how I have waited for this to appear somewhere.
An old friend, an English major, got me on this same thing ages ago.
QUOTE:
*****************************************************************************************************
# Lorenzo Says:
May 16th, 2007 at 12:25 pm
… “do to …” — Oye Vey! — If you absolutely must:: “due to”, but I believe proper english grammer suggests “because of”.
OK, OK, I’m a grammer nazi. sorry.
In any case, thanks for the vigilance in keeping things current.
******************************************************************************************************
GRAMMAR not GRAMMER
Sorry had to be done.
May 17th, 2007 at 4:18 pm
Last time I checked
grammar != spelling
Oh and if your site is down, OPEN A SUPPORT TICKET don’t comment in a post like this one. People don’t seem to have the ability to read.
May 18th, 2007 at 1:13 am
Thanks for the update! I can’t wait till you finally get to my e-mail server.
May 18th, 2007 at 12:26 pm
My server is still using PHP 5.2.1, and I’m using Wordpress 2.1.3. Does anyone know if I will be safe when Dreamhost upgrades the PHP version to 5.2.2?
Losing a lot of sleep over this because I have a lot of customizations on my site and I think if I have to upgrade to Wordpress 2.2, I might have to go back to a vanilla site and then add back in all my custom features….
Sleepless on Long Island….
May 18th, 2007 at 8:05 pm
For ALL Wordpress users of Wordpress 2.1.3 - When DreamHost upgrades your server to PHP 5.2.2, there is a bug in PHP 5.2.2 which will prevent you from posting on your blog. Here is a fix from the official Wordpress site:
Problem Posting using Wordpress 2.1.3 and PHP 5.2.2:
Quote From Official Wordpress Website:
Hi!
After having upgraded the server I’m using for my WordPress blog with PHP 5.2.2 it seems that I’m now unable to make any posts using the metaWeblog API. It is working perfectly fine when I use PHP 5.2.1, though, so it can’t possibly be my WordPress installation that is the cause of this. (I’m using version 2.1.3)
Is anyone else on this forum having this problem as well?
This is almost certainly the same problem I had here. It turns out there’s a bug in PHP 5.2.2 with the feature WordPress uses to run XMLRPC — which is how all the APIs work.
Fix:
In theory, it will be fixed in the next PHP version. For now, I found that you can work around the problem by adding the following line at the beginning of WordPress’ xmlrpc.php:
$HTTP_RAW_POST_DATA = file_get_contents("php://input");
Put it right before the first line that mentions $HTTP_RAW_POST_DATA, and it should do the trick.
This Fix solved the problem 100% and you will be able to post again, So NO NEED to Upgrade to Wordpress 2.2.
;; Ray M
May 18th, 2007 at 10:28 pm
MySQL has been updated too.
When will we get the update!?
May 21st, 2007 at 10:49 am
We’re running version 1.1.2 of the Simple Machines forum and the PHP updates seem to have broken quite a few pieces of the forum. Registrations aren’t working and we’re getting “error on page” notifications in Firefox and IE 7 for almost all pages in the forum. Anyone else seeing this?
May 23rd, 2007 at 9:29 pm
The status site says there’s no ETA on when things will be fixed but also says things are resolved.
What’s up with that?
They’re “in contact with the load balancer vendor trying to get to the bottom of it all” - what’s next, a “mission accomplished” banner with website inaccessible?
May 31st, 2007 at 1:03 am
Is there any xmlrpc solution for wordpress ?
June 4th, 2007 at 11:29 pm
Please give an idea of when it can be rectified.