Slashdot Mirror


PHP Vulnerability Announced

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).

47 comments

  1. another success for Open Source by tps12 · · Score: 0, Flamebait

    Notice how quickly a patch appeared for this. If this were a Windblowz product, the script kiddies would be having a field day while Micro$hit denied the hole existed.

    This is what free software is all about. I personally am not affected, as I prefer Perl to PHP, and my personal server is still down until I can figure out how to patch that Apache hole from a few weeks ago, but I am swollen with pride for my fellow Linux hackers.

    --

    Karma: Good (despite my invention of the Karma: sig)
    1. Re:another success for Open Source by Anonymous Coward · · Score: 0

      I wish I could give you mod points for a good troll. But I'll rather post as an anonymous coward to avoid being seen praising a troll in public :)

    2. Re:another success for Open Source by Anonymous Coward · · Score: 0

      With that attitude, it is a wonder that upstanding citizens such as tps12 continue to stick their necks out for you, karmawise.

  2. www.php.net/downloads.php by mnordstr · · Score: 3, Funny

    Parse error: parse error, unexpected T_SL in /local/Web/sites/phpweb/downloads.php on line 81

    Huh??! Bad karma ;)

    1. Re:www.php.net/downloads.php by Henry+V+.009 · · Score: 3, Informative

      I went to upgrade php and got that as well. It's the same for the mirrors. This doesn't bode well.

  3. For anyone concerned about upgrading by Anonymous Coward · · Score: 1, Informative

    They say the only difference between 4.2.1 and 4.2.2 is this fix, so it won't (or shouldn't anyway) break any of your scripts.

  4. Plz Mod Up!.1 Thx! by You'reAFuckingMoron · · Score: 0
    Please mod the above up. I have recently noticed exactly the same thing -- Microsoft was once the very best vendor out there, bar none, about delivering critical patches like this. In fact, there was a time when Microsoft was extremely good at finding and bringing to light critical flaws even in the products of other vendors. Many, many long hours were spent at Microsoft looking for flaws in products from software luminaries like Lotus, Digital Research, and Word Perfect. But now, Microsoft seems to have lost the fire in their belly, and they're falling behind. A quick glance at their stock price confirms that investors have noticed this unfortunate trend.

    I'm glad that Open Source programmers have taken up the call, and started to finally deliver high quality, unbreakable products. Imagine! The PHP group has a fix out on exactly the same day the bug is released. It's amazing!

    --
    What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
  5. Why I love freebsd. by mike13down · · Score: 1, Interesting

    I'm not sure how long it took, but the freebsd ports have already been updated.
    Since the admins over at NYI.net showed me the light, I have been installing FreeBSD on every machine I can get my hands on, even if they aren't mine.

  6. Where to get the file by Anonymous Coward · · Score: 2, Informative

    Download directly from here. Change the server name to a mirror closer to you if you want.

    http://uk.php.net/distributions/php-4.2.2.tar.bz2
    or
    http://uk.php.net/distributions/php-4.2.2.tar.gz

  7. Something tells me I shouldn't be doing this by questionlp · · Score: 2

    but... I have mirrored the PHP 4.2.2 tar/bz2 ball on my server (over DSL)... you can access it via FTP at closedsrc.org with anon/anon, or the link below:

    ftp://anon:anon@closedsrc.org/.

    The md5sum file is based on the md5 checksum provided by the FreeBSD port distinfo file.

    I know I'm asking for it...

    1. Re:Something tells me I shouldn't be doing this by questionlp · · Score: 1

      It also looks like the us3.php.net mirror is working... the download page can be had at http://us3.php.net/downloads.php.

  8. Why is this not front-page? by Anonymous Coward · · Score: 1

    This is one of the most-installed Apache modules. If this was an IIS exploit you know it'd be on the front page. I don't really mind biased comments in the stories as much, but to actually HIDE news because it goes against the notion that Open Source is invincible is really pathetic.

    1. Re:Why is this not front-page? by Anonymous Coward · · Score: 1

      So True. It just helps establish that the Open Source and LinUCKS apologists are no different than the m$ft apologists

    2. Re:Why is this not front-page? by quinto2000 · · Score: 3, Interesting

      Here's one reason:

      Impact

      Both local and remote users may exploit this vulnerability to compromise
      the web server and, under certain conditions, to gain privileged access.
      So far only the IA32 platform has been verified to be safe from the
      execution of arbitrary code. The vulnerability can still be used on IA32
      to crash PHP and, in most cases, the web server.

      This isn't really a problem on the most widely used platforms for PHP. I was looking to see if the new Debian package had been uploaded yet, but now I'm not even going to bother. I don't care if someone "may" crash the webserver that much.

      --
      Ceci n'est pas un post
    3. Re:Why is this not front-page? by Vader82 · · Score: 1

      One question? What's the response time from when the post hits bugtraq 'til the time there is a fix available just about everywhere? And compared to windows, the response time is? Hmmmmmmmm, ok then.

    4. Re:Why is this not front-page? by Anonymous Coward · · Score: 0

      Based on things like the "MSNTV 911 Bug" Microsoft turns them around in under 48 hours...
      Of course you didn't read about the speed of the bug fix on SlashDot. That would be counter-intuitive for a site that should be renamed "News for LINUX Nerds and Microsoft haters"

  9. IA32 "safe" from this? by Dr.Dubious+DDQ · · Score: 3, Interesting

    If I read the bugtraq announcement correctly, on IA32 (including, I assume, my K6-2 Linux Box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...

  10. now they tell us! by larry+bagina · · Score: 1
    It sure would have been nice to have received this warning yesterday, before my linux box got rooted :( Fortunately, my unsupported sound card caused a kernel panic before they could do anything besides delete some of my kde themes. Props to the morse-code panic lights!

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  11. *sigh* by mar1no · · Score: 0

    once again, notice the "may" and the "certain circumstances": This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access. time and time again, i see this in bug announcements, they always throw out the worst possibility, when in fact the majority of people won't be harmed any more than a blind man tryin to swat a fly.

    --
    "you sonofabitch i didn't know!"
    1. Re:*sigh* by dzym · · Score: 3, Informative
      But then again, the good folks at Apache didn't think the chunked encoding vulnerability could be used to execute arbitrary code on 32-bit platforms.

      Gobbles proved them wrong.

  12. how do i apply the patch? by Anonymous Coward · · Score: 0

    newbie here. the file only came with *.patch file and no instructions

    1. Re:how do i apply the patch? by ipinkus · · Score: 1
      newbie here. the file only came with *.patch file and no instructions

      You need the source code.... In your newbie case however, I suggest that you wait until your Linux distribution provides an updated package for you. (Hopefully you're running Debian or something similar in which case (apt-get update; apt-get upgrade) may work)

  13. Apache 2.0.39 incompatibility by Scoria · · Score: 1
    A bug has existed since Apache 2.0.39's release that causes PHP compilation to fail under certain conditions. I'm somewhat astonished that the PHP group neglected to repair it.

    A patch is publicly accessible via my webserver here (http://www.initialized.org/patches/php4.2.2-apache2.0.39.diff).

    To install the patch on a Unix machine and install PHP using apxs:

    (r) designates commands that must be executed as the superuser (root).
    1. Download the tarball. I recommend using us2.php.net, Hurricane Electric's mirror.
    2. Execute 'tar xvfz php-4.2.2.tar.gz' from a shell.
    3. Execute 'cd php-4.2.2'.
    4. Execute 'wget http://www.initialized.org/patches/php4.2.2-apache2.0.39.diff'.
    5. Execute 'patch sapi/apache2filter/php_functions.c php4.2.2-apache2.0.39.diff'. This command will apply the patch.
    6. Execute './configure --with-apxs2'. You may specify further options (such as --with-mysql if your applications require MySQL support) following "--with-apxs2".
    7. (r) Execute 'make'.
    8. (r) Execute 'make install'.
    9. (r) Restart Apache. 'apachectl restart' is the most common method of doing so.
    If you have any questions or encounter difficulties, feel free to email me. ;)

    -- Scoria
    --
    Do you like German cars?
    1. Re:Apache 2.0.39 incompatibility by Scoria · · Score: 2

      I incorrectly assigned the "superuser" label to the command 'make'. You may execute the 'make' command either as root or a normal user.

      'make install', however, must be performed as root.

      --
      Do you like German cars?
    2. Re:Apache 2.0.39 incompatibility by chregu · · Score: 2, Informative

      It's a security bug fix release. Only this bug was fixed to get it out as soon as possible. PHP 4.2.3 will have more bugs fixed (+ a proper QA) and should be released in the next weeks.

      chregu

    3. Re:Apache 2.0.39 incompatibility by Icy · · Score: 1

      Apache2 is not supported by php at all, it's just for the bleeding edge few. This bug was corrected in php's cvs long ago, and bugs.php.net even had a large banner telling everyone to not report the bug and get the latest snapshot. That worked for a while until the cvs of apache2 had some internal changes that required changes in php that in turn made the php cvs (and snapshots) require apache-2.0.40 (the unreleased cvs version).

      If you are going to be playing around on the bleeding edge, you might as well checkout the cvs versions of both, skip the patching, and have some real fun :)

      --Matt

    4. Re:Apache 2.0.39 incompatibility by SiMac · · Score: 1

      Or you can get the STABLE version from http://snaps.php.net/ which works with Apache 2.0.39, although I seem to be having a few problems with it.

      Simon

  14. Shouldn't be a problem by Anonymous Coward · · Score: 0

    While the mirror is a good idea, most folks aren't going to download from an unofficial/untrusted source - so you probably won't get hit with too many downloads. Thanks for the kind gesture, though! :)

    1. Re:Shouldn't be a problem by questionlp · · Score: 1

      Just trying to do whatever a poor slob like me can do... can't do much else since I don't have the bandwidth nor the space to setup an official mirror. Maybe one of these days I can :)

    2. Re:Shouldn't be a problem by JCCyC · · Score: 2

      While the mirror is a good idea, most folks aren't going to download from an unofficial/untrusted source

      Not necessarily. Get the MD5 sum from the official site, then the tarball from the unofficial site. If it bunzips like a duck and md5sums like a duck...
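      JCCyC's check above (checksum from the official site, tarball from the unofficial mirror; questionlp's post further up notes the same checksum coming from the FreeBSD port's distinfo file), written out as an added example that is not part of this thread. It parses distinfo-style lines in the BSD checksum-output format (`MD5 (file) = hex`, here generalized to any hashlib algorithm plus an optional `SIZE` line) and rejects the download when any recorded value disagrees; the tarball bytes are a constructed stand-in, and `make_distinfo` only simulates what the official site would publish.

```python
import hashlib
import re

# One distinfo line per (algorithm, filename): "MD5 (php-4.2.2.tar.bz2) = <hex>"
# or "SIZE (php-4.2.2.tar.bz2) = <bytes>", i.e. the BSD checksum-output format.
_LINE = re.compile(r"^\s*([A-Z0-9]+)\s*\(([^)]+)\)\s*=\s*(\S+)\s*$")


def parse_distinfo(text):
    """Return {filename: {algo: value}} from distinfo text; skips blank/garbage lines."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        algo, fname, value = m.groups()
        entries.setdefault(fname, {})[algo] = value.lower()
    return entries


def verify_download(data, filename, distinfo_text):
    """Check a downloaded file's bytes against every distinfo entry for it.

    Returns (ok, problems). Every recorded value must match, so a mirror
    operator cannot pass by satisfying only the weakest one.
    """
    expected = parse_distinfo(distinfo_text).get(filename)
    if not expected:
        return False, ["no distinfo entry for %s" % filename]
    problems = []
    for algo, value in expected.items():
        if algo == "SIZE":
            actual = str(len(data))
        elif algo.lower() in hashlib.algorithms_available:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        else:
            problems.append("unsupported algorithm %s" % algo)
            continue
        if actual != value:
            problems.append("%s mismatch: expected %s, got %s" % (algo, value, actual))
    return (not problems), problems


def make_distinfo(data, filename):
    """Simulate the distinfo the official site publishes for its own copy (constructed)."""
    return "MD5 (%s) = %s\nSHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
        filename, hashlib.md5(data).hexdigest(),
        filename, hashlib.sha256(data).hexdigest(), filename, len(data))


if __name__ == "__main__":
    official = b"php-4.2.2 source tarball stand-in\n"   # constructed, not real PHP source
    distinfo = make_distinfo(official, "php-4.2.2.tar.bz2")
    tampered = official[:-1] + b"!"                     # one byte changed on the mirror
    for name, blob in (("good mirror", official), ("tampered mirror", tampered)):
        ok, problems = verify_download(blob, "php-4.2.2.tar.bz2", distinfo)
        print(name, "OK" if ok else "REJECT", problems)
```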

    3. Re:Shouldn't be a problem by atomhund · · Score: 1

      is it a gerbil?

  15. 420 makes you vulnerable! by Thing+1 · · Score: 3, Funny
    The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1.

    I can understand a certain amount of vulnerability after 420...

    --
    I feel fantastic, and I'm still alive.
  16. X86 Linux? by Chuck+Chunder · · Score: 3, Funny

    According to the announcements the only thing the vulnerability can do is cause your webserver to crash.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  17. Patch, Crack or Post by Perdo · · Score: 1

    Anyone with anything intelligent to add to this discussion is either busy patching or cracking

    NOT posting

    --

    If voting were effective, it would be illegal by now.

  18. Things like this.. by Weffa · · Score: 0, Offtopic

    Things like this happen every day, and what makes me feel good is that I don't have to keep up with Bugtraq and other sources to find out when my business is affected. Instead I receive personalized e-mail alerts.

    The service: http://securitywarnings.com/info

  19. Debian wins again by Anonymous Coward · · Score: 0
    Once again, people using Debian's stable branch never had to take part in a vulnerability caused by unnecessary upgrading.

    Debian users only upgrade the bits they really need to be current, and shake their heads sadly at the Redhat and Mandrake users downloading or buying the exploit of the month.

  20. Woohoo 8=====D by Anonymous Coward · · Score: 0

    I just installed PHP on an Apache server that's running on a 2 liter of Coke. d00d, it rox!

    1. Re:Woohoo 8=====D by Anonymous Coward · · Score: 0

      My original subject line was:

      WooHoo!!!!!!!!!!!!!!

      It said it was ascii art

      So I changed it to:

      8======D

      You guys sure can code

    2. Re:Woohoo 8=====D by drpatt · · Score: 1

      I was having real problems with Apache 2 locking up, but after changing the points and condenser, and replacing the Rochester QuadraBog with a Holly 4 barrel, everything is fine. Next I'll try it on my old Celeron Diesel. Makes a lot of smoke, but runs steady.

  21. WHERE ARE THE MOD POINTS? by Anonymous Coward · · Score: 0

    They are all at -1

    The trolls are winning Taco

  22. last post by Anonymous Coward · · Score: 0

    End of discussion!!!

  23. Be Careful!!! by lo_fye · · Score: 1

    I upgraded to 4.2.2 in the middle of developing a site for a client (I know - big "No No") and it was TOTAL BADNESS. My login procedure and several sections of the site just stopped working. Apparently 4.2.2 configures the system such that redirects do not work the same. Needless to say this turned my dev server upside down in a mad rain of chaos. Had to do a rollback and just forget about it for now. Once the site works I'll reinstall and debug. caveat emptor.

    --
    geeks are cats who dig a certain kind of cool
  24. No Root by SiMac · · Score: 1

    It's not the same sort of exploit as most IIS exploits. An IIS exploit gives someone access over an entire server. This exploit gives access to a shell which could read Apache-readable files and execute programs. It might even be able to write to /tmp. But no important files can be deleted or written to.