Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Vulnerability Announced

Posted by krow on from the who-would-have-thunk-it dept.

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).

29 of 47 comments (clear)

  1. www.php.net/downloads.php by mnordstr · · Score: 3, Funny

    Parse error: parse error, unexpected T_SL in /local/Web/sites/phpweb/downloads.php on line 81

    Huh??! Bad karma ;)

    1. Re:www.php.net/downloads.php by Henry+V+.009 · · Score: 3, Informative

      I went to upgrade php and got that as well. It's the same for the mirrors. This doesn't bode well.

  2. For anyone concerned about upgrading by Anonymous Coward · · Score: 1, Informative

    They say the only difference between 4.2.1 and 4.2.2 is this fix, so it won't (or shouldn't anyway) break any of your scripts.

  3. Why I love freebsd. by mike13down · · Score: 1, Interesting

    I'm not sure how long it took, but the freebsd ports have already been updated.
    Since the admins over at NYI.net showed me the light, I have been installing FreeBSD on every machine I can get my hands on, even if they are'nt mine.

  4. Where to get the file by Anonymous Coward · · Score: 2, Informative

    Download directly from here. Change the server name to a mirror closer to you if you want.

    http://uk.php.net/distributions/php-4.2.2.tar.bz 2
    or
    http://uk.php.net/distributions/php-4.2.2.t ar.gz

  5. Something tells me I shouldn't be doing this by questionlp · · Score: 2

    but... I have mirrored the PHP 4.2.2 tar/bz2 ball on my server (over DSL)... you can access it via FTP at closedsrc.org with anon/anon, or the link below:

    ftp://anon:anon@closedsrc.org/.

    The md5sum file is based on the md5 checksum provided by the FreeBSD port distinfo file.

    I know I'm asking for it...

    1. Re:Something tells me I shouldn't be doing this by questionlp · · Score: 1

      It also looks like the us3.php.net mirror is working... the download page can be had at http://us3.php.net/downloads.php.

  6. Why is this not front-page? by Anonymous Coward · · Score: 1

    This is one of the most-installed Apache modules. If this was an IIS exploit you know it'd be on the front page. I don't really mind biased comments in the stories as much, but to actually HIDE news because it goes against the notion that Open Source is invincible is really pathetic.

    1. Re:Why is this not front-page? by Anonymous Coward · · Score: 1

      So True. It just helps establish that the Open Source and LinUCKS appologists are no different than the m$ft appologists

    2. Re:Why is this not front-page? by quinto2000 · · Score: 3, Interesting

      Here's one reason:

      Impact

      Both local and remote users may exploit this vulnerability to compromise
      the web server and, under certain conditions, to gain privileged access.
      So far only the IA32 platform has been verified to be safe from the
      execution of arbitrary code. The vulnerability can still be used on IA32
      to crash PHP and, in most cases, the web server.

      This isn't really a problem on the most widely used platforms for PHP. I was looking to see if the new Debian package had been uploaded yet, but now I'm not even going to bother. I don't care if someone "may" crash the webserver that much.

      --
      Ceci n'est pas un post
    3. Re:Why is this not front-page? by Vader82 · · Score: 1

      One question? Whats the response time from when the post hits bugtraq til the time there is a fix available just about everywhere? And compared to windows, the response time is? Hmmmmmmmm, ok then.

  7. IA32 "safe" from this? by Dr.Dubious+DDQ · · Score: 3, Interesting

    If I read the bugtraq announcement correctly, on IA32 (including, I assume, my K6-2 Linux Box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...

    --
    Hacker Public Radio is our Friend
  8. now they tell us! by larry+bagina · · Score: 1
    It sure would have been nice to have recieved this warning yesterday, before my linux box got rooted :( Fortunately, my unsuported sound card caused a kernel panic before they could do anything besides delete some of my kde themes. Props to the morse-code panic lights!

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  9. Apache 2.0.39 incompatibility by Scoria · · Score: 1
    A bug has existed since Apache 2.0.39's release that causes PHP compilation to fail under certain conditions. I'm somewhat astonished that the PHP group neglected to repair it.

    A patch is publicly accessible via my webserver here (http://www.initialized.org/patches/php4.2.2-apach e2.0.39.diff).

    To install the patch on a Unix machine and install PHP using apxs:

    (r) designates commands that must be executed as the superuser (root).
    1. Download the tarball. I recommend using us2.php.net, Hurricane Electric's mirror.
    2. Execute 'tar xvfz php-4.2.2.tar.gz' from a shell.
    3. Execute 'cd php-4.2.2'.
    4. Execute 'wget http://www.initialized.org/patches/php4.2.2-apache 2.0.39.diff'.
    5. Execute 'patch sapi/apache2filter/php_functions.c php4.2.2-apache2.0.39.diff'. This command will apply the patch.
    6. Execute './configure --with-apxs2'. You may specify further options (such as --with-mysql if your applications require MySQL support) following "--with-apxs2".
    7. (r) Execute 'make'.
    8. (r) Execute 'make install'.
    9. (r) Restart Apache. 'apachectl restart' is the most common method of doing so.
    If you have any questions or encounter difficulties, feel free to email me. ;)

    -- Scoria
    --
    Do you like German cars?
    1. Re:Apache 2.0.39 incompatibility by Scoria · · Score: 2

      I incorrectly assigned the "superuser" label to the command 'make'. You may execute the 'make' command either as root or a normal user.

      'make install', however, must be performed as root.

      --
      Do you like German cars?
    2. Re:Apache 2.0.39 incompatibility by chregu · · Score: 2, Informative

      It's a security bug fix release. Only this bug was fixed to get it out as soon as possible. PHP 4.2.3 will have more bugs fixed (+ a proper QA) and should be released in the next weeks.

      chregu

    3. Re:Apache 2.0.39 incompatibility by Icy · · Score: 1

      Apache2 is not supported by php at all, its just for the bleeding edge few. This bug was corrected in php's cvs long ago, and bugs.php.net even had a large banner telling everyone to not report the bug and get the latest snapshot. That worked for a while until the cvs of apache2 had some internal changes that required changes in php that in turn made the php cvs (and snapshots) require apache-2.0.40 (the unreleased cvs version).

      If you are going to be playing around on the bleeding edge, you mine as well checkout the cvs versions of both, skip the patching, and have some real fun :)

      --Matt

    4. Re:Apache 2.0.39 incompatibility by SiMac · · Score: 1

      Or you can get the STABLE version from http://snaps.php.net/ which works with Apache 2.0.39, although I seem to be having a few problems with it.

      Simon

  10. Re:Shouldn't be a problem by questionlp · · Score: 1

    Just trying to do whatever a poor slob like me can do... can't do much else since I don't have the bandwidth nor the space to setup an official mirror. Maybe one of these days I can :)

  11. 420 makes you vulnerable! by Thing+1 · · Score: 3, Funny
    The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1.

    I can understand a certain amount of vulnerability after 420...

    --
    I feel fantastic, and I'm still alive.
  12. X86 Linux? by Chuck+Chunder · · Score: 3, Funny

    According to the announcements the only thing the vulnerability can do is cause your webserver to crash.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  13. Re:how do i apply the patch? by ipinkus · · Score: 1
    newbie here. the file only came with *.patch file and no instructions

    You need the source code.... In your newbie case however, I suggest that you wait until your Linux distribution provides an updated package for you. (Hopefully you're running Debian or something similar in which case (apt-get update; apt-get upgrade) may work)

  14. Patch, Crack or Post by Perdo · · Score: 1

    Anyone with anything intelligent to add to this discussion is either busy patching or cracking

    NOT posting

    --

    If voting were effective, it would be illegal by now.

  15. Re:*sigh* by dzym · · Score: 3, Informative
    But then again, the good folks at Apache didn't think the chunked encoding vulnerability could be used to execute arbitrary code on 32-bit platforms.

    Gobbles proved them wrong.

  16. Re:Woohoo 8=====D by drpatt · · Score: 1

    I was having real problems with Apache 2 locking up, but after changing the points and condenser, and replacing the Rochester QuadraBog with a Holly 4 barrel, everything is fine. Next I'll try it on my old Celeron Diesel. Makes a lot of smoke, but runs steady.

  17. Be Careful!!! by lo_fye · · Score: 1

    I upgraded to 4.2.2 in the middle of developing a site for a client (I know - big "No No") and it was TOTAL BADNESS My login procedure and several sections fo the site just stopped working. Apparently 4.2.2 configures the system such that redirects do not work the same. Needless to say this turned my dev server upsidedown in a mad rain of chaos. Had to do a rollback and just forget about it for now. Once the site works I'll reinstall and debug. caveat emptor.

    --
    geeks are cats who dig a certain kind of cool
  18. Re:Shouldn't be a problem by JCCyC · · Score: 2

    While the mirror is a good idea, most folks aren't going to download from an unofficial/untrusted source

    Not necessarily. Get the MD5 sum from the official site, then the tarball from the unofficial site. If it bunzips like a duck and md5sums like a duck...

  19. Re:Shouldn't be a problem by atomhund · · Score: 1

    is it a gerbil?

  20. No Root by SiMac · · Score: 1

    It's not the same sort of exploit as most IIS exploits. A IIS exploit gives someone access over an entire server. This exploit gives access to a shell which could read Apache-readable files and execute programs. It might even be able to write to /tmp. But no important files can be deleted or written to.