PHP Security & Exploit
Anonymous Coward writes "It looks like after a few weeks of rumors, an exploit for PHP/Apache under Linux surfaced. Luckily, PHP.net has the patch ready to go. While the export only claims to work for PHP up to 4.0.5, php.net also releases a patch for 4.1.1, the (until yesterday), latest version of php. This patch makes a small edition to the part of the source code (rfc1867.c) that is used by the exploit."
<?php
if ($system != 'patched') {
$file_uploads = 'Danger, Will Robinson!';
}
?>
<?php while ($self != "asleep") { $sheep_count++; } ?>
All versions previous to 4.1.2 (today's release) are at risk
http://www.php.net/
http://security.e-matters.de/advisories/012002.html
The bug report is here:
http://bugs.php.net/bug.php?id=15736
It recommends turning off file uploads as a workaround.
Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
s/export/exploit
looks like the php grammar/spell checker was buggy too!
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Bunch of mod_perl trolls slashdot is!
http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=slashdot.org
The site slashdot.org is running Apache/1.3.20 (Unix) mod_perl/1.25 mod_gzip/1.3.19.1a on Linux.
-Tom
Now I like to install PHP from source personally, but most people I know that use PHP, do so on a default redhat 7.2 rpm install. i.e. they are running ver 4.0.6.
So my question is: Is there a way to patch the major distro versions (i.e. rh, suse, mandrake ...) from their default versions to the secure version?
Because if there isn't then there are still gonna be a lot of webservers out there running insecure versions of php. And, if there isn't a way, then why isn't there?
This is a very high impact vulnerability, mod_php is the world's most popular Apache module, maybe the most popular web script language. (no flamewars intended, it IS popular among a lot of people whether you like it or not).
However, one line in the config should according to php.net disable the vulnerability:
file_uploads = off
(When tested phpinfo(); gives "no value" at my site)
One file needs to be patched for all PHP versions, get the patch here:
php.net/downloads.php
Patch like this:
1. Enter ../src/php-4.0.x/main dir
2. patch < pathtodiffile/rfc1867.c.diff-4.0.6
3. build either the DSO module or build apache with static php
The "full" advisory is here:
security.e-matters.de
now, PATCH!
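A way to check a host for the two conditions the comment above describes (a PHP version older than 4.1.2 and the `file_uploads = off` workaround), as an added example that is not part of the original thread. The function names and the sample php.ini are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the two conditions discussed in this thread.
# Function names and the sample php.ini below are constructed for illustration.

# Print "off", "on" or "unset" for the last active file_uploads line in an ini file.
file_uploads_state() {
    line=$(grep '^[[:space:]]*file_uploads[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || { echo unset; return 0; }
    # Drop the key, any trailing ;comment, quotes and whitespace, then lowercase.
    val=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/;.*$//' | tr -d ' "\t\r' | tr 'A-Z' 'a-z')
    case "$val" in
        off|no|false|none|0|'') echo off ;;
        *) echo on ;;   # anything not clearly off is reported as on
    esac
}

# Succeed (exit 0) when a version string is older than 4.1.2.
# A version number cannot show whether the rfc1867.c patch was applied to an older build.
version_older_than_412() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}   # "3pl1" -> "3"
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    [ "$minor" -gt 1 ] && return 1
    [ "$patch" -lt 2 ]
}

# audit VERSION INI_FILE -> one-word verdict: current, mitigated or exposed
audit() {
    if ! version_older_than_412 "$1"; then echo current
    elif [ "$(file_uploads_state "$2")" = off ]; then echo mitigated
    else echo exposed   # "unset" counts as exposed: uploads are enabled by default
    fi
}

# Constructed sample: a commented-out directive followed by the active one.
sample=$(mktemp)
printf '; file_uploads = On\nfile_uploads = Off ; workaround\n' > "$sample"
echo "4.0.6 with sample ini: $(audit 4.0.6 "$sample")"
rm -f "$sample"
```

A "mitigated" verdict only reflects the ini file that was read; the running server must be restarted and checked with phpinfo() to confirm which php.ini it actually loaded.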
Um, this documentation is in the basic INSTALL file that comes with PHP. Once the patch is applied you rebuild it just like you built it the first time.
Liberty in your lifetime
For those having problems getting the patch, mirrors are here: US1, US2, US3, US4, UK1, UK2
This does not affect IIS5.0 + PHP?
and this isn't on the main /. page because.................
This really isn't a huge possibility. This exploit has to happen on a real php page. If you have mod_php installed but no php scripts then you can't be exploited by this bug.
Also, mod_php isn't installed on millions of people's computers who have no idea what a web server is like IIS was.
The closest to code red this could do, is pull out all domains, and check for index.php in the root directory. Or maybe it could attempt to index a domain and try to find an index.php...
But as I said.. unless there is a .php page on your server, you can't be exploited with this current exploit.
You can compromise php and the entire web site (how much harm depends on setup), and probably make a lot of mess. You can't take full control of the system though.
And it's not a piece of cake attack either like Red Code II. Some versions are very difficult to exploit.
With RedCode II you could just wipe everything from the HD, steal passwords, certificates, everything (at least that I thought)
unfinished: (adj.)