PHP Programming Security

PHP Vulnerabilities Announced

Simone Klassen writes "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
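The exposure the summary describes is a web application handing attacker-controlled bytes straight to unserialize(). The following is an added example, not code from the Hardened-PHP advisory or from any of the forum packages named above: the vulnerable pattern beside a hardened form that authenticates the blob before any parser sees it and then decodes it with json_decode() instead. Assumptions: a hypothetical cookie named prefs carrying user preferences, a server-side secret PREFS_KEY loaded from configuration, and PHP 7.1 or later for the syntax used.

```php
<?php
// Added example; not from the advisory or the thread.
// Assumes a hypothetical "prefs" cookie and a server-side secret.

const PREFS_KEY = 'replace-with-a-random-server-side-secret'; // assumption: loaded from config

// VULNERABLE: the cookie is attacker-controlled, so the entire serialize
// parser, including any bug in it, is reachable from the network.
function loadPrefsVulnerable(array $cookies): array
{
    if (!isset($cookies['prefs'])) {
        return [];
    }
    $prefs = @unserialize($cookies['prefs']);
    return is_array($prefs) ? $prefs : [];
}

// HARDENED, step 1: the server emits the blob with a keyed MAC over it.
// JSON is used as the payload format because decoding it never instantiates objects.
function encodePrefs(array $prefs): string
{
    $payload = json_encode($prefs);
    $mac     = hash_hmac('sha256', $payload, PREFS_KEY);
    return $mac . '.' . base64_encode($payload);
}

// HARDENED, step 2: verify the MAC before parsing anything. The parser now only
// ever sees bytes the server itself produced, which removes the remote exposure
// even if the parser has a bug.
function loadPrefsHardened(array $cookies): array
{
    if (!isset($cookies['prefs']) || !is_string($cookies['prefs'])) {
        return [];
    }
    $parts = explode('.', $cookies['prefs'], 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return [];
    }
    // Constant-time comparison so the MAC check itself is not a timing oracle.
    if (!hash_equals(hash_hmac('sha256', $payload, PREFS_KEY), $mac)) {
        return [];
    }
    $prefs = json_decode($payload, true);
    return is_array($prefs) ? $prefs : [];
}

// Demonstration with constructed input.
$good     = encodePrefs(['theme' => 'dark', 'per_page' => 25]);
$tampered = substr($good, 0, -3) . 'xyz';   // blob modified by the "client"

var_dump(loadPrefsHardened(['prefs' => $good]));      // decoded preferences
var_dump(loadPrefsHardened(['prefs' => $tampered]));  // empty: MAC mismatch, nothing parsed
var_dump(loadPrefsVulnerable(['prefs' => 'a:1:{s:5:"theme";s:4:"dark";}']));  // accepts any well-formed blob
```

The MAC step is what matters for the class of bug in the advisory: it keeps untrusted input away from the parser entirely rather than relying on the parser being correct. Independently of any parser bug, calling unserialize() on data a user can influence is unsafe because the format lets the caller choose which classes get instantiated, so the switch to JSON for client-held state is the right long-term fix even on a patched PHP.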
  • Arrrrgh (Score:1, Informative)

    by daveschroeder ( 516195 ) * on Friday December 17, 2004 @01:21PM (#11117161)
    And of course, Mac OS X and Mac OS X Server 10.3.7 contain php 4.3.2...
  • Question/Comment (Score:4, Informative)

    by realdpk ( 116490 ) on Friday December 17, 2004 @01:31PM (#11117293) Homepage Journal
    Question:

    "Note: Due to a problem with earlier versions of Zend Optimizer, its users are urged to upgrade to the latest version."

    I can't seem to find any information on what this problem may be. No release notes or anything. Any clues?

    Comment:

    PHP.net's download scheme is worse than Sourceforge's if you can believe that. Therefore, here are some unPHP.net-ized URLs:

    US2 [php.net]
    Belgium [php.net]
    Finland2 [php.net]

    You'll find you can actually right-click and save these and they won't prompt you for a filename "mirror" or something useless like the rest of PHP's download links.
  • Re:Arrrrgh (Score:2, Informative)

    by Nomikos ( 30684 ) on Friday December 17, 2004 @01:32PM (#11117301) Homepage
    And of course, Mac OS X and Mac OS X Server 10.3.7 contain php 4.3.2...

    Here: http://www.entropy.ch/software/macosx/php/ [entropy.ch] are usually up-to-date and easy installers for PHP on OS X; he's still at 4.3.9 but I trust the newer one will be up soon.
    They're really fire-and-forget installers, great for people like me :-)

  • Re:OMG (Score:4, Informative)

    by vluther ( 5638 ) <vid@OOOluther.io minus threevowels> on Friday December 17, 2004 @01:38PM (#11117395) Homepage Journal
    Forum defacing is for the script kiddies. I've seen variations of the unserialize exploit used to upload files into paths writeable by the apache user and to read files accessible by the apache user; you can do mysqldumps, upload zombie scripts, etc. One of my clients was made part of a zombie network as the user nobody, and redirect scripts were added to many posts (as the posts are stored in the db, and the kid found the mysql user/pass to access the forum).

    Hurrah for Nightly MySQL dumps.
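The two things the attacker in the comment above needed were a directory the web server user could write into and a readable file holding the database credentials. The following is an added audit script, not code from the thread or from any forum package, that reports both from the web server user's point of view. Run it as that user (for example `sudo -u www-data php audit.php /var/www`); the default root, the user name lookup and the credential-file patterns are assumptions for illustration.

```php
<?php
// Added example; not from the thread. Lists directories the current process can
// write into and readable files whose names suggest credentials or dumps.
// Must be run AS the web server user for is_writable()/is_readable() to be meaningful.

function auditDocroot(string $root, array $secretPatterns): array
{
    $writable = [];
    $secrets  = [];

    $dirs = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    // Skip directories we cannot read, otherwise descending into them throws.
    $readable = new RecursiveCallbackFilterIterator(
        $dirs,
        function (SplFileInfo $cur): bool {
            return !$cur->isDir() || is_readable($cur->getPathname());
        }
    );
    $it = new RecursiveIteratorIterator($readable, RecursiveIteratorIterator::SELF_FIRST);

    foreach ($it as $path => $info) {
        if ($info->isDir()) {
            // A directory writable by the web server user is where an
            // arbitrary-file-write bug turns into a dropped script or a defaced page.
            if (is_writable($path)) {
                $writable[] = $path;
            }
            continue;
        }
        if (!is_readable($path)) {
            continue;
        }
        foreach ($secretPatterns as $re) {
            if (preg_match($re, $info->getFilename())) {
                $secrets[] = $path;
                break;
            }
        }
    }
    return ['writable_dirs' => $writable, 'readable_secrets' => $secrets];
}

function currentUserName(): string
{
    // posix extension is optional; fall back to a placeholder if it is missing.
    if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        if (is_array($pw) && isset($pw['name'])) {
            return $pw['name'];
        }
    }
    return 'current user';
}

$root = $argv[1] ?? '/var/www';   // assumption: typical document root
$patterns = [                      // assumption: common credential-bearing file names
    '/^config.*\.php$/i',          // phpBB config.php and similar
    '/^wp-config\.php$/',
    '/^\.env$/',
    '/\.(sql|bak|old)$/i',         // database dumps and editor backups left in the docroot
];

$report = auditDocroot($root, $patterns);
printf("Directories under %s writable by %s:\n", $root, currentUserName());
foreach ($report['writable_dirs'] as $d) {
    echo "  $d\n";
}
echo "Readable credential-looking files:\n";
foreach ($report['readable_secrets'] as $f) {
    echo "  $f\n";
}
```

Every directory in the first list that the web server will also execute PHP from is a place an unserialize()-style file write becomes remote code execution; an upload or cache directory that must stay writable should at least have script execution disabled for it in the web server configuration. Files in the second list are what a compromised process can read and exfiltrate, which is exactly how the forum's MySQL credentials were recovered in the incident above.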

  • by Anonymous Coward on Friday December 17, 2004 @01:44PM (#11117463)
    # $FreeBSD: ports/lang/php4/Makefile,v 1.81 2004/12/16 11:37:23 ale Exp $
    #

    PORTNAME= php4
    PORTVERSION= 4.3.10
  • by Bravid98 ( 171307 ) on Friday December 17, 2004 @01:46PM (#11117493)
    And it seems to have compatibility issues. It ended up breaking custom code of mine, as well as Invision Power Board. This was compiled from scratch. Hopefully they'll quickly release a .11.
  • by Greger47 ( 516305 ) on Friday December 17, 2004 @02:31PM (#11118082)
    Err?

    Like 90% or so of the modules included with the basic PHP distribution are just wrappers around standard libraries, no code is duplicated nor functionality reinvented. The wrapper is there to make the libraries easy to use.

    The 2 libraries you mention happen to be bundled with the distribution for convenience, but you are free to use external versions supplied by your OS installation or perhaps yourself.

    /greger

  • by mr.dreadful ( 758768 ) on Friday December 17, 2004 @02:39PM (#11118208)
    from "The Top 20 IT mistakes to avoid" published by Infoworld

    http://www.infoworld.com/article/04/11/19/47FEtop20_5.html

    18. Underestimating PHP

    IT managers who look only as far as J2EE and .Net when developing scalable Web apps are making a mistake by not taking a second look at scripting languages -- particularly PHP. This scripting language has been around for a decade now, and millions of Yahoo pages are served by PHP each day.

    Discussion of PHP scalability reached a high-water mark in June, when the popular social-networking site Friendster finally beat nagging performance woes by migrating from J2EE to PHP. In a comment attached to a Weblog post about Friendster's switch to PHP, Rasmus Lerdorf, inventor of PHP, explained the architectural secret of PHP's capability of scaling: "Scalability is gained by using a shared-nothing architecture where you can scale horizontally infinitely."

    The stateless "shared-nothing" architecture of PHP means that each request is handled independently of all others, and simple horizontal scaling means adding more boxes. Any bottlenecks are limited to scaling a back-end database. Languages such as PHP might not be the right solution for everyone, but pre-emptively pushing scripting languages aside when there are proven scalability successes is a mistake.
  • by GrindKore ( 753819 ) on Friday December 17, 2004 @03:53PM (#11119077) Homepage
    Actually, Windows 2003 Server does not have IIS, FTP, POP3, DNS and other services installed by default. After you set up IIS, all ASP, ASP.NET and FrontPage services are still disabled, and the administrator has to turn them on on an individual basis. So please, next time you hand off a 'clue', leave one for yourself.
  • by phpsucks ( 841320 ) on Friday December 17, 2004 @04:13PM (#11119294)

    Watch out when upgrading!

    <?php
    // Property access on a string: does empty() treat the result as empty?
    $a = 'foobar';
    print empty($a->nothere) ? 'empty' : 'not empty';
    ?>

    This code prints 'empty' with 5.0.1, but 'not empty' with 5.0.3.

    You must check all your code for the use of empty() with a string!

    I wish PHP would warn everyone about this sort of thing.

    Here is the man page...nothing said about it: http://www.php.net/empty [php.net]

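The comment above asks for all uses of empty() on a string to be checked, and on a large codebase that is a job for the tokenizer rather than for grep. The following is an added example, not code from the thread: it uses PHP's bundled token_get_all() to find every empty() call whose argument contains a property dereference (->), which is the exact shape of the snippet above. The sample source it scans is constructed for the demonstration.

```php
<?php
// Added example; not from the thread. Finds empty() calls whose argument
// dereferences a property, e.g. empty($a->nothere), and reports the line.

function findEmptyOnProperty(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $n      = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        // empty is a language construct, so the tokenizer emits T_EMPTY for it.
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EMPTY) {
            continue;
        }
        $line = $tokens[$i][2];

        // Advance to the opening parenthesis of the call.
        $j = $i + 1;
        while ($j < $n && $tokens[$j] !== '(') {
            $j++;
        }

        // Collect the argument up to the matching close paren, tracking nesting.
        $depth  = 0;
        $derefs = false;
        $arg    = '';
        for (; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') {
                $depth++;
            } elseif ($t === ')') {
                $depth--;
                if ($depth === 0) {
                    break;
                }
            }
            if (is_array($t) && $t[0] === T_OBJECT_OPERATOR) {
                $derefs = true;
            }
            $arg .= is_array($t) ? $t[1] : $t;
        }

        if ($derefs) {
            $hits[] = ['line' => $line, 'expr' => trim($arg, '()')];
        }
        $i = $j;
    }
    return $hits;
}

// Constructed sample source; the first and third empty() calls should be flagged.
$sample = <<<'PHP'
<?php
$a = 'foobar';
if (empty($a->nothere)) { echo "a"; }
if (empty($b)) { echo "b"; }
if (empty($cfg->db->pass)) { echo "c"; }
PHP;

foreach (findEmptyOnProperty($sample) as $hit) {
    printf("line %d: empty(%s)\n", $hit['line'], $hit['expr']);
}
```

The check is purely syntactic: it cannot tell whether the variable in front of the arrow is a string or a real object at runtime, so every hit still needs a human to decide whether the code relied on the old behaviour. To scan a tree, feed file_get_contents() of each .php file to findEmptyOnProperty() and print the file name alongside the line.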
  • by GrindKore ( 753819 ) on Friday December 17, 2004 @04:17PM (#11119336) Homepage
    Windows 2003 Server Web Edition is a low-cost version of the Standard Edition. It's marketed for web hosting and does not have Active Directory or media streaming capabilities; it's limited to a maximum of 2-way SMP and 2 GB of RAM. Follow the link below for a comparison table. http://www.microsoft.com/windowsserver2003/evaluation/features/compareeditions.mspx
  • by Anonymous Coward on Friday December 17, 2004 @05:43PM (#11120182)
    I don't have an account, so chances are no one will ever read this. However, if you are reading this, then I thank you.

    This exploit has been known about in select hacker groups since late October. The first script for the kiddies was released last weekend (December 11 - 12) and it most certainly originated in Brazil. The group responsible for the initial wave of terror call themselves "H4ck3rsBr", and most of the defacements were done by none other than the infamous "S8ldier". No doubt he wrote a proof of concept for phpBB right away, seeing as how he's always first to the scene with new phpBB exploits involving PHP.

    If you're running forum software that sits on top of PHP, upgrade PHP before it's too late. These guys took out a friend's Linux server because he caught them right in the middle of defacing his clients' websites (just the index.html's). They had a rootkit installed and made sure to cause as much damage as possible before being booted off. After backing up the filesystem, rebooting the machine failed, as the partition table was toast and most of the important data sectors had been trashed as well.

    I'm glad that the PHP team decided to fix this, but I'm also hopeful that the phpBB, vBulletin, etc. teams will start validating their input a little more carefully.
