ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.

Read more at H-online

Read more at Slashdot

Security Enhancements and Fixes in PHP 5.2.10:

• Fixed bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files). (Pierre)

Key enhancements in PHP 5.2.10 include:

• Added “ignore_errors” option to http fopen wrapper. (David Zulke, Sara)
• Fixed memory corruptions while reading properties of zip files. (Ilia)
• Fixed memory leak in ob_get_clean/ob_get_flush. (Christian)
• Fixed segfault on invalid session.save_path. (Hannes)
• Fixed leaks in imap when a mail_criteria is used. (Pierre)
• Changed default value of array_unique()’s optional sorting type parameter back to SORT_STRING to fix backwards compatibility breakage introduced in PHP 5.2.9. (Moriyoshi)
• Fixed bug #47940 (memory leaks in imap_body). (Pierre, Jake Levitt)
• Fixed bug #47903 (“@” operator does not work with string offsets). (Felipe)
• Fixed bug #47644 (Valid integers are truncated with json_decode()). (Scott)
• Fixed bug #47564 (unpacking unsigned long 32bit big endian returns wrong result). (Ilia)
• Fixed bug #47365 (ip2long() may allow some invalid values on certain 64bit systems).
• Over 100 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.10.

For a full list of changes in PHP 5.2.10, see the ChangeLog.

Details will appear on http://phpmyadmin.net. In a hurry? you can visit
http://sourceforge.net/projects/phpmyadmin to download.

Marc Delisle, for the team

Use Digital Certificates

Any Web site that does business online should use digital certificates. This helps to protect sensitive data when passed using a form. This could include anything from person’s social security number, credit card information, to his or her address and contact numbers. It is important for Web site owners to be able to assure their clients that their Web site is secure. A digital certificate goes a long way towards allowing clients to trust a business is legitimate and entrust sensitive information to it.

It is, however, important to be careful when buying a digital certificate. It is vital to not obtain one that is outdated or which has been sabotaged by a hacker.

Keep Security Regularly Updated

Some of the most important security procedures include methods to make sure a Web site’s forbidden pages are inaccessible to anyone who lacks authority to view them. This includes tracking that person’s IP and recording it. This will help protect Web site owners from people trying to illegally access, download, or alter the Web site’s files. As a last resort it will also help authorities track down where an offender lives and, if necessary, whom to charge with a crime.

As criminals constantly devise new ways to circumvent modern security, security procedures are constantly being updated to ensure that the latest version includes protection against these new security threats and risks. It is the Web site owner’s duty to make sure that the security is up-to-date. This makes the correction of such problems, if they arise, easier.

A Web site owner should also regularly change the Web site’s administrator password, observing all the common sense rules regarding password creation. Although many do not take this step, simply taking precaution can help prevent a costly breach from occurring.

Monitor Online Activities

It is absolutely vital for a Web site owner to monitor all of their online activities. Many Web site owners have unwittingly caught a computer virus by downloading something or clicking on a Web URL link while browsing the Internet. These kinds of mistakes are common and can be avoided by simply taking reasonable measures to provide security for their computers.

Email from unknown people should be treated suspiciously, particularly if an attachment is included. Often these attachments have a Trojan, virus, or other malicious software packaged inside them that will burst free when the attachment is downloaded. Although most new computer security products are aware of these viruses, a brand-new virus can remain undetected until it is discovered by security professionals who then update their protective software to counter the new threat.

For the owner of a Web site, every virus and illegal access that is prevented on their personal computer represents a lot of money saved. Perhaps more than most anyone else, Web site owners get their money’s worth when buying security products. A Web site owner can lose their Web site and all their earnings from a single breach by a single hacker, even if that breach is on their home PC if that computer has been used to access restricted areas of their Web site. The peace of mind a few security software purchases can bring are more than worth the cost in dollars.  Remember the old adage: penny wise and pound foolish?  This can apply to managing a site in today’s increasingly fraught environment.  Are you being pound foolish?

The details were posted on a well-read blog July 21 despite Kaminsky’s plans to keeping the specifics of his discovery secret until the Black Hat conference in August. A hacker can use a DNS attack to redirect page requests to phishing sites or other malicious pages.
Read more at WHIRnews