http://www.newsbytes.com/news/02/174818.html

By Steven Bonisteel, Newsbytes
KOLN, GERMANY, U.S.A.,
27 Feb 2002, 12:38 PM CST

Web site operators who use server-side scripting software known as PHP are being urged today to upgrade to a new release that does not contain recently discovered - and apparently serious - security holes.

Stefan Esser of Germany-based E-matters, a Web development company, reported that a number of memory-allocation bugs were found in PHP code that handles file uploads, also known as multipart/form-data POST requests.

Esser, who is also part of the open-source PHP development team, said versions of PHP 4 for Linux and Solaris prior to a new bug-fix 4.1.2 release contain related vulnerabilities that could allow a hacker to gain control of servers running the software.

Some releases of PHP 3 exhibit similar security problems, including an incarnation of one bug that extends beyond Linux and Solaris to most platforms on which PHP is run, Esser said.

In a report posted on the E-matters Web site and distributed through network security mailing lists, Esser said he was limiting his description of the bugs to avoid detailing methods by which hackers might exploit them.

However, separate reports from security researchers elsewhere today suggested that at least one program designed to automate the process of cracking PHP may already be available.

Johannes Ullrich of the SANS Institute reported that software that appears to be a working exploit for the bugs in some PHP 4 releases is designed to allow its user to attack remote Web servers of their choice.

The X-Force research team at Internet Security Systems in Atlanta said today that it too had received a sample of the same exploit from the developers of the open source intrusion detection system known as Snort.

"This exploit is believed to be circulating in the underground community and in use to a limited degree," ISS said. "X-Force predicts newer versions of this exploit may support exploit vectors covering additional operating systems."

Both Ullrich and ISS said the rogue program they examined sometimes ran unreliably. However, ISS said its X-Force team had been able to break into remote servers using the program "in a lab environment."

Ullrich told Newsbytes that there had been "rumors" of a PHP exploit in the wild for a while, but that he didn't get his hands on an actual example until Tuesday. He said he can't confirm that the software does everything it claims to do, but that he was able to break into a server running one release of PHP 4 and crash another.

"So far, it does not appear that the exploit is in widespread use," Ullrich said.

PHP is widely used by Web-hosting companies, and ISS said as many as 46 percent of all Web servers on the Net may currently be running vulnerable versions of the software.

Although only a small share of Web sites with PHP installed actually make use of the file-upload capabilities of the Web's HTTP (hypertext transfer protocol), many servers have file-upload support in PHP enabled anyway.

PHP users are being urged to download the latest version of PHP - or patches for older releases - here: http://www.php.net