View Full Version : Security Problems In Php!


MarkWLI
12-20-2004, 05:34 PM
Numerous security holes in the scripting language PHP

Because of a number of flaws in the scripting language PHP, it's possible for an attacker to inject and execute his own code on a server. According to Stefan Esser, some of the 7 security holes can be used only with a valid user account while others open the possibility of attacks over a network.
Esser found the bugs during the development of "Hardened-PHP" which adds security functions to the already known PHP code base.

The function pack(), for example, "includes" an integer overflow through which someone can bypass the Safe Mode. Through an integer overflow in unpack(), it's possible, in some cases, to read part of the memory, for example the Apache process. The function realpath() is also buggy: with pathnames that are too long someone can access any script (include).

Most important are two bugs in unserialize() which, when combined, allow an attacker to access unmapped memory as well as to inject and execute code over the network. According to Esser only a specific string is needed. PHP applications like phpBB2, Invision Board, vBulletin and many others are therefore vulnerable to attacks because they transfer cookies over this function into their own format. Detailed information can be found in the original advisory.

The problems can be found in PHP4 up to and including 4.3.9 and PHP5 up to and including 5.0.2. The PHP developers already offer new versions in which many other bugs are removed.

They urgently advise all users to install these updates.
Now there is an "active" discussion as to who found which bugs.
Shortly after Esser's advisory, Martin Eiszner published his own, claiming to be the one who found the unserialize() hole first.

I hope that helps guys...

I suggest you think twice before using PHP :P, use ASP!

Links:
http://www.hardened-php.net/advisories/012004.txt
http://de.php.net/unserialize
http://www.php.net/downloads.php
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0182.html
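
Added example, not part of the original post or the advisory: one way an application can avoid passing cookie bytes to unserialize() at all, by storing the state as JSON with an HMAC tag that is verified before anything is parsed. The function names, the key and the sample values are hypothetical; it assumes PHP 7.1 or later.

```php
<?php
// Added example: COOKIE_KEY, encode_cookie() and decode_cookie() are hypothetical names.

// Constructed demo key; a real deployment loads a random secret from configuration.
const COOKIE_KEY = 'constructed-demo-key-not-for-production';

// Encode state as JSON (plain data, no PHP object format) and append an HMAC tag.
function encode_cookie(array $state): string
{
    $payload = base64_encode(json_encode($state));
    $tag = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . '.' . $tag;
}

// Returns the decoded array, or null if the cookie is malformed or its tag does not verify.
function decode_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    // Constant-time comparison, done before any parsing of client-supplied bytes.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Constructed sample inputs: a valid cookie, a tampered one, and a legacy serialize() string.
$cookie = encode_cookie(['userid' => 42, 'autologin' => true]);
var_dump(decode_cookie($cookie));
var_dump(decode_cookie('x' . $cookie));
var_dump(decode_cookie('a:1:{i:0;i:1;}'));
```

This removes the client-controlled path into unserialize(); it does not replace upgrading past the affected PHP versions named in the post.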

dudeqz
12-21-2004, 12:38 AM
IS THIS LIKE AN ADVERTISEMENT?

MarkWLI
12-21-2004, 03:33 PM
That's not an advertisement, it's a warning to have people pressure their hosts to upgrade their versions of PHP.

.:Pure:.
12-21-2004, 03:36 PM
I use PHP and I never have a problem, but thanks for the info, and besides I'm learning .asp, which is harder than I thought.