TITLE: HP System Management Homepage VERSION: 2.1.8.179 Rev. A DESCRIPTION: This package contains the HP System Management Homepage for the supported Blade Workstation models and the supported operating systems. PURPOSE: Recommended SOFTPAQ NUMBER: SP36105 SUPERSEDES: SP35498 EFFECTIVE DATE: June 15, 2007 CATEGORY: Software - System Management SSM SUPPORTED: No PRODUCT TYPE(S): Workstations HARDWARE PRODUCT MODEL(S): HP ProLiant xw25p Blade Workstation: All Models HP ProLiant xw460c Blade Workstation: All Models SOFTWARE PRODUCT(S): None OPERATING SYSTEM(S): Microsoft Windows XP Professional LANGUAGE(S): Global ENHANCEMENTS: - Provides updated PHP libraries. FIXES: Fixes the following issues: - The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files, by referring to local files with a certain URL syntax instead of pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence. - Integer overflow in PHP 4.4.4, and earlier, allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter. - PHP 4.x, up to 4.4.4, and PHP 5, up to 5.1.6, allow local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults. - Multiple integer signedness errors in the printf function family in PHP 4, before 4.4.5, and PHP 5, before 5.2.1, on 64-bit machines, allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64- to 32-bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location. - Integer overflow in the str_replace function in PHP 4, before 4.4.5, and PHP 5, before 5.2.1, allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows 32-bit length counter. - PHP 4, before 4.4.5, and PHP 5, before 5.2.1, when register_globals is enabled, allow context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a on a string beginning with "_SESSION|sL39:". PREREQUISITES: None INSTALLATION INSTRUCTIONS: 1. Download the SoftPaq .EXE file to a directory on your hard drive. 2. Execute the downloaded file and follow the on-screen instructions. Copyright (c) 2007 Hewlett-Packard Development Company, L.P.