Slashdot Mirror


PHP Security & Exploit

Anonymous Coward writes "It looks like after a few weeks of rumors, an exploit for PHP/Apache under Linux surfaced. Luckily, PHP.net has the patch ready to go. While the export only claims to work for PHP up to 4.0.5, php.net also releases a patch for 4.1.1, the (until yesterday), latest version of php. This patch makes a small edition to the part of the source code (rfc1867.c) that is used by the exploit."

28 comments

  1. "edition"? by Takeel · · Score: 0

    Do you perhaps mean an *addition* to the source code?

    1. Re:"edition"? by DrSkwid · · Score: 1

      s/export/exploit

      looks like the php grammar/spell checker was buggy too!

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  2. If you only speak PHP... by Paul+Burney · · Score: 2, Funny

    <?php

    if ($system != 'patched') {

    $file_uploads = 'Danger, Will Robinson!';

    }

    ?>

    --
    <?php while ($self != "asleep") { $sheep_count++; } ?>
  3. all versions previous to 4.1.2 are at risk by chrismcc@netus.com · · Score: 3, Informative

    All versions previous to 4.1.2 (today's release) are at risk

    http://www.php.net/
    http://security.e-matters.de/advisories/012002.html

    The bug report is here:
    http://bugs.php.net/bug.php?id=15736

    It recommends turning off file uploads as a workaround.

    --
    Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
  4. Why isn't this on the main page? by SyniK · · Score: 1

    Bunch of mod_perl trolls slashdot is!
    http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=slashdot.org
    The site slashdot.org is running Apache/1.3.20 (Unix) mod_perl/1.25 mod_gzip/1.3.19.1a on Linux.

    --
    -Tom
  5. How to patch major distro versions by Why+Should+I · · Score: 2, Interesting

    Now I like to install PHP from source personally, but most people I know that use PHP do so on a default redhat 7.2 rpm install, i.e. they are running ver 4.0.6.

    So my question is: Is there a way to patch the major distro versions (i.e. rh, suse, mandrake ...) from their default versions to the secure version?

    Because if there isn't then there are still gonna be a lot of webservers out there running insecure versions of php. And, if there isn't a way, then why isn't there?

    1. Re:How to patch major distro versions by LinuxGeek8 · · Score: 2

      You should be able to update the packages with up2date on redhat.
      And also, you should check Red Hat's errata page regularly for security updates.

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    2. Re:How to patch major distro versions by J'raxis · · Score: 1

      RPMs should be released as soon as someone builds them; follow what the other comment said (use `up2date` and check Red Hat's errata page) or just go to RPMFind and refresh repeatedly until a new RPM is posted. :)

    3. Re:How to patch major distro versions by Electrum · · Score: 2

      Is there a way to patch the major distro versions (i.e. rh, suse, mandrake ...) from their default versions to the secure version?

      # apt-get update
      # apt-get upgrade

      :-)

    4. Re:How to patch major distro versions by Menthos · · Score: 1
      # up2date -u

      :-)

      --

      GNU/Linux. The Freshmaker.

  6. The important facts by Anonymous Coward · · Score: 2, Informative

    This is a very high impact vulnerability; mod_php is the world's most popular Apache module, maybe the most popular web script language. (No flamewars intended, it IS popular among a lot of people whether you like it or not.)

    However, one line in the config should, according to php.net, disable the vulnerability:

    file_uploads = off

    (When tested phpinfo(); gives "no value" at my site)

    One file needs to be patched for all PHP versions; get the patch here:

    php.net/downloads.php

    Patch like this:

    1. Enter ../src/php-4.0.x/main dir
    2. patch < pathtodiffile/rfc1867.c.diff-4.0.6
    3. build either the DSO module or build apache with static php

    The "full" advisory is here:

    security.e-matters.de

    now, PATCH!
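
An added example, not part of the comment above or of PHP's own tooling: a small shell audit that combines the two checks this thread keeps returning to, namely whether the installed version predates 4.1.2 and whether the `file_uploads = off` workaround is actually the effective setting in php.ini. The function names are hypothetical and the sample php.ini is constructed; the version string is assumed to be the one phpinfo() reports.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# php_version_at_risk VERSION: succeeds if VERSION is older than 4.1.2,
# the fixed release named in the thread. Suffixes such as "pl1" are ignored.
php_version_at_risk() {
    printf '%s\n' "$1" | awk -F. '{
        fixed[1] = 4; fixed[2] = 1; fixed[3] = 2
        for (i = 1; i <= 3; i++) {
            part = $i; sub(/[^0-9].*$/, "", part)
            if (part + 0 < fixed[i]) exit 0
            if (part + 0 > fixed[i]) exit 1
        }
        exit 1
    }'
}

# file_uploads_setting INI_FILE: prints "on", "off" or "unset".
# The last uncommented assignment wins; a commented-out line changes nothing.
file_uploads_setting() {
    awk '
        /^[ \t]*;/ { next }                      # whole-line comment
        {
            line = $0; sub(/;.*$/, "", line)     # strip trailing comment
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t\r"]/, "", val)
            if (key == "file_uploads") { seen = 1; last = tolower(val) }
        }
        END {
            if (!seen) print "unset"             # PHP then uses its default: on
            else if (last ~ /^(1|on|yes|true)$/) print "on"
            else print "off"
        }' "$1"
}

# audit VERSION INI_FILE: prints a one-line verdict.
audit() {
    setting=$(file_uploads_setting "$2")
    if ! php_version_at_risk "$1"; then echo "OK: PHP $1 is 4.1.2 or later"
    elif [ "$setting" = "off" ]; then echo "MITIGATED: PHP $1, file_uploads off; still patch"
    else echo "AT RISK: PHP $1 predates 4.1.2, file_uploads is $setting"
    fi
}

# Demo on a constructed php.ini: the workaround line is present but commented out.
ini=$(mktemp)
printf '[PHP]\n;file_uploads = Off\nfile_uploads = On\n' > "$ini"
audit 4.0.6 "$ini"
rm -f "$ini"
```

A php.ini where the workaround line exists only as a comment, or is overridden by a later assignment, reports "on"; that is the case worth catching after a hurried edit.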

  7. another codered/nimda-like incident in the making? by Anonymous Coward · · Score: 0

    Seeing as how php, and especially the mod_php, is so popular on the Internet, it's not difficult to imagine a scenario similar to the CodeRed and Nimda incidents less than 6 months ago.

    Hell, the nimda scans are still going on, ffs.

    Hopefully, webmasters who use php are a bit more clueful, and everyone works to patch their system ASAP.

    /hopeful

  8. How? by Anonymous Coward · · Score: 0


    Patch like this:

    1. Enter ../src/php-4.0.x/main dir
    2. patch

    1. That patch command asks "File to patch?"

    2. Build the DSO module... how??

    I checked php.net etc etc of course before I asked a question like this here.

    Mike

    1. Re:How? by J'raxis · · Score: 1

      Um, this documentation is in the basic INSTALL file that comes with PHP. Once the patch is applied you rebuild it just like you built it the first time.

  9. Mirrors by bluntmanspam · · Score: 1

    For those having problems getting the patch, mirrors are here:
    US1
    US2
    US3
    US4
    UK1
    UK2

  10. IIS5? by psychalgia · · Score: 1

    This does not affect IIS5.0 + PHP?

    --

    ________________________________________________

    1. Re:IIS5? by matthewp · · Score: 1
      This does not affect IIS5.0 + PHP?

      From the advisory:

      Finally I want to mention that the boundary check vulnerabilities are only exploitable on linux or solaris. The heap off by one is only exploitable on linux(maybe solaris)x86 and the arbitrary heap overflow in PHP3 is exploitable on most OS and architectures. (This includes *BSD, Windows, Linux, Solaris)
      It would seem to be a question of operating system rather than web server.
  11. front page news... by (startx) · · Score: 1

    and this isn't on the main /. page because.................

  12. Re:another codered/nimda-like incident in the maki by TurboRoot · · Score: 1

    This really isn't a huge possibility. This exploit has to happen on a real php page. If you have mod_php installed but no php scripts then you can't be exploited by this bug.

    Also, mod_php isn't installed on millions of people's computers who have no idea what a web server is like IIS was.

    The closest to code red this could do, is pull out all domains, and check for index.php in the root directory. Or maybe it could attempt to index a domain and try to find an index.php...

    But as I said.. unless there is a .php page on your server, you can't be exploited with this current exploit.

  13. Re: php runs as "nobody" by fferreres · · Score: 1

    You can compromise php and the entire web site (how much harm depends on setup), and probably make a lot of mess. You can't take full control of the system though.

    And it's not a piece of cake attack either like Red Code II. Some versions are very difficult to exploit.

    With RedCode II you could just wipe everything from the HD, steal passwords, certificates, everything (at least that I thought)

    --
    unfinished: (adj.)