
List:       isn
Subject:    [ISN] Webmasters Urged To Plug PHP Security Hole
From:       InfoSec News <isn () c4i ! org>
Date:       2002-02-28 7:22:48

http://www.newsbytes.com/news/02/174818.html

By Steven Bonisteel, Newsbytes
KOLN, GERMANY, U.S.A.,
27 Feb 2002, 12:38 PM CST
 
Web site operators who use server-side scripting software known as PHP
are being urged today to upgrade to a new release that does not
contain recently discovered - and apparently serious - security holes.

Stefan Esser of Germany-based E-matters, a Web development company,
reported that a number of memory-allocation bugs were found in PHP
code that handles file uploads, also known as multipart/form-data POST
requests.
 
Esser, who is also part of the open-source PHP development team, said
versions of PHP 4 for Linux and Solaris prior to a new bug-fix 4.1.2
release contain related vulnerabilities that could allow a hacker to
gain control of servers running the software. Some releases of PHP 3
exhibit similar security problems, including an incarnation of one bug
that extends beyond Linux and Solaris to most platforms on which PHP
is run, Esser said.

In a report posted on the E-matters Web site and distributed through
network security mailing lists, Esser said he was limiting his
description of the bugs to avoid detailing methods by which hackers
might exploit them.

However, separate reports from security researchers elsewhere today
suggested that at least one program designed to automate the process
of cracking PHP may already be available.

Johannes Ullrich of the SANS Institute reported that software that
appears to be a working exploit for the bugs in some PHP 4 releases is
designed to allow its user to attack remote Web servers of their
choice.

The X-Force research team at Internet Security Systems in Atlanta said
today that it too had received a sample of the same exploit from the
developers of the open source intrusion detection system known as
Snort.

"This exploit is believed to be circulating in the underground
community and in use to a limited degree," ISS said. "X-Force predicts
newer versions of this exploit may support exploit vectors covering
additional operating systems."

Both Ullrich and ISS said the rogue program they examined sometimes
ran unreliably. However, ISS said its X-Force team had been able to
break in to remote servers using the program "in a lab environment."

Ullrich told Newsbytes that there had been "rumors" of a PHP exploit
in the wild for a while, but that he didn't get his hands on an actual
example until Tuesday.

He said he can't confirm that the software does everything it claims
to do, but that he was able to break in to a server running one
release of PHP 4 and crash another.

"So far, it does not appear that the exploit is in widespread use,"  
Ullrich said.

PHP is widely used by Web-hosting companies, and ISS said as many as
46 percent of all Web servers on the Net may currently be running
vulnerable versions of the software.

Although only a small share of Web sites with PHP installed actually
make use of the file-upload capabilities of the Web's HTTP (hypertext
transfer protocol), many servers have file-upload support in PHP
enabled anyway.

PHP users are being urged to download the latest version of PHP - or
patches for older releases - here: http://www.php.net



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.