Re: An Alternate View of Recently Reported PHP Vulnerabilities

From: Goran Krajnovic (goran.krajnovicat_private)
Date: Sat Apr 05 2003 - 02:23:39 PST


    On Thu, Apr 03, 2003 at 11:28:58PM -0500, Steven M. Christey wrote:
    > As I said, I'm not familiar with PHP.  I welcome any clarifications or
    > corrections.  But at the very least, it seems that Sir Mordred found 3
    > new PHP functions that pose some non-zero risk for PHP applications,
    > and maybe there are more out there.
    
    There most certainly are more. Like I've already said, just browse through
    the bug database at http://bugs.php.net and you'll find a large number of
    bugs which result in the server process segfaulting. In fact, one of the
    older ones I reported myself (http://bugs.php.net/15096) - in that case, all
    it took for a segfault was sending a PHPSESSID cookie with the value of
    session_id set to null. This was fixed in php 4.2.0.
    
    My whole point in my first comment was that there is a large number of such
    bugs in php, and they tend to change their behaviour on a version-to-version
    basis. Posting each and every one here, even though they might be
    exploitable, seemed pointless to me. And besides, the number of possible
    different setups of PHP (different php versions, different web servers, cgi,
    mod_php and compiled-in versions, etc.) makes it quite unlikely for an easy
    and portable exploit (unlike, for example, SQL Slammer). The intruder would
    first have to find a web site with an exploitable php application, and craft
    an exploit particular to that site.
    
    As a person who is both a php developer and who manages web servers, I don't
    consider this to be a huge threat, but just another of the php bugs which, when
    reported to the bug database, will be fixed in future versions. Most
    intrusions I've seen have been defacements done by simpler means through
    popular forum and cms applications.
    
    I agree that the reported vulnerability is a vulnerability and that it
    potentially might be exploited, I just believe (famous last words...) the
    threat level is low and that there are more such bugs known in php, and that
    there are usually much, much easier ways of exploiting web applications.
    
    I hope this mail is not taken as criticising PHP developers as it is not
    intended that way.
    
    -- 
    Goran Krajnović,  dipl. ing.
    [ Goran.Krajnovicat_private ]
     Hrvatski Telekom - HThinet
    



    This archive was generated by hypermail 2b30 : Sat Apr 05 2003 - 08:54:09 PST