Dear Sphera customer,
On July 14 , 2004, a PHP security advisory was released.
Sphera is currently addressing this vulnerability (noted below) in our ServerDirector V3.7 products.
Vulnerability Reference: http://security.e-matters.de/advisories/112004.html
This vulnerability applies to all applications and end-users utilizing PHP versions prior to 4.3.8.
An Update Pack for ServerDirector V3.7 with the relevant PHP updates will be available on August 2, 2004.
It should be noted that there are currently no known exploits in the wild.
If you have any questions, please contact us at: http://support.sphera.com
Please note that installing this patch should be done only on ServerDirector 3.7 with Update Pack #2 installed (UP2).
As part of the installation of UP packages, the installer runs the GUI script "cliCreateBuild.php", which is used to set up the GUI environment and then generates the GUI control panels, VA installation wizards and GUI dictionaries.
UP2 was released with PHP v4.3.0. However if you have installed this security patch before UP2 – you have installed PHP v4.3.8 on the Server.
Due to some modifications between PHP v4.3.0 and v4.3.8, running the "cliCreateBuild.php" script on PHP v4.3.8 failed. Thus, the GUI environment creation failed, so no one could login to your system.
To solve the situation, please follow those steps:
1) Copy the attached file (util.inc.zip) to the following place:
~<PVDS Root Dir>/php/common/scripts/server/inc/util.inc.php
2) From the command line login as the primary VDS user.
3) Perform the following: