[ISN] Webmasters Urged To Plug PHP Security Hole

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 23:22:48 PST


    By Steven Bonisteel, Newsbytes
    27 Feb 2002, 12:38 PM CST
    Web site operators who use server-side scripting software known as PHP
    are being urged today to upgrade to a new release that does not
    contain recently discovered - and apparently serious - security holes.
    Stefan Esser of Germany-based E-matters, a Web development company,
    reported that a number of memory-allocation bugs were found in PHP
    code that handles file uploads, also known as multipart/form-data Post
    Esser, who is also part of the open-source PHP development team, said
    versions of PHP 4 for Linux and Solaris prior to a new bug-fix 4.1.2
    release contain related vulnerabilities that could allow a hacker to
    gain control of servers running the software. Some releases of PHP 3
    exhibit similar security problems, including an incarnation of one bug
    that extends beyond Linux and Solaris to most platforms on which PHP
    is run, Esser said.
    In a report posted on the E-matters Web site and distributed through
    network security mailing lists, Esser said he was limiting his
    description of the bugs to avoid detailing methods by which hackers
    might exploit them.
    However, separate reports from security researchers elsewhere today
    suggested that at least one program designed to automate the process
    of cracking PHP may already be available.
    Johannes Ullrich of the SANS Institute reported that software that
    appears to be a working exploit for the bugs in some PHP 4 releases is
    designed to allow its user to attack remote Web servers of their
    The X-Force research team at Internet Security Systems in Atlanta said
    today that it too had received a sample of the same exploit from the
    developers of the open source intrusion detection system known as
    "This exploit is believed to be circulating in the underground
    community and in use to a limited degree," ISS said. "X-Force predicts
    newer versions of this exploit may support exploit vectors covering
    additional operating systems."
    Both Ullrich and ISS said the rogue program they examined sometimes
    ran unreliably. However, ISS said its X-Force team had been able to
    break in to remote servers using the program "in a lab environment."
    Ullrich told Newsbytes that there had been "rumors" of a PHP exploit
    in the wild for a while, but that he didn't get his hands on an actual
    example until Tuesday.
    He said he can't confirm that the software does everything it claims
    to do, but that he was able to break in to a server running one
    release of PHP 4 and crash another.
    "So far, it does not appear that the exploit is in widespread use,"  
    Ullrich said.
    PHP is widely used by Web-hosting companies, and ISS said as many as
    46 percent of all Web servers on the Net may currently be running
    vulnerable versions of the software.
    Although only a small share of Web sites with PHP installed actually
    make use of the file-upload capabilities of the Web's HTTP (hypertext
    transfer protocol), many servers have file-upload support in PHP
    enabled anyway.
    PHP users are being urged to download the latest version of PHP - or
    patches for older releases - here: http://www.php.net