Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
PHP Software Programming Apache

PHP Vulnerability Announced 47

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).
This discussion has been archived. No new comments can be posted.

PHP Vulnerability Announced

Comments Filter:
  • by mnordstr ( 472213 ) on Monday July 22, 2002 @03:31PM (#3932866) Journal
    Parse error: parse error, unexpected T_SL in /local/Web/sites/phpweb/downloads.php on line 81

    Huh??! Bad karma ;)
  • by Anonymous Coward
    They say the only difference between 4.2.1 and 4.2.2 is this fix, so it won't (or shouldn't anyway) break any of your scripts.
  • Why I love freebsd. (Score:1, Interesting)

    by mike13down ( 513643 )
    I'm not sure how long it took, but the freebsd ports have already been updated.
    Since the admins over at NYI.net showed me the light, I have been installing FreeBSD on every machine I can get my hands on, even if they are'nt mine.
  • by Anonymous Coward
    Download directly from here. Change the server name to a mirror closer to you if you want.

    http://uk.php.net/distributions/php-4.2.2.tar.bz 2
    or
    http://uk.php.net/distributions/php-4.2.2.t ar.gz
  • but... I have mirrored the PHP 4.2.2 tar/bz2 ball on my server (over DSL)... you can access it via FTP at closedsrc.org with anon/anon, or the link below:

    ftp://anon:anon@closedsrc.org/.

    The md5sum file is based on the md5 checksum provided by the FreeBSD port distinfo file.

    I know I'm asking for it...
  • by Anonymous Coward
    This is one of the most-installed Apache modules. If this was an IIS exploit you know it'd be on the front page. I don't really mind biased comments in the stories as much, but to actually HIDE news because it goes against the notion that Open Source is invincible is really pathetic.
    • by Anonymous Coward
      So True. It just helps establish that the Open Source and LinUCKS appologists are no different than the m$ft appologists
    • Here's one reason:

      Impact

      Both local and remote users may exploit this vulnerability to compromise
      the web server and, under certain conditions, to gain privileged access.
      So far only the IA32 platform has been verified to be safe from the
      execution of arbitrary code. The vulnerability can still be used on IA32
      to crash PHP and, in most cases, the web server.

      This isn't really a problem on the most widely used platforms for PHP. I was looking to see if the new Debian package had been uploaded yet, but now I'm not even going to bother. I don't care if someone "may" crash the webserver that much.
    • One question? Whats the response time from when the post hits bugtraq til the time there is a fix available just about everywhere? And compared to windows, the response time is? Hmmmmmmmm, ok then.
    • It's not the same sort of exploit as most IIS exploits. A IIS exploit gives someone access over an entire server. This exploit gives access to a shell which could read Apache-readable files and execute programs. It might even be able to write to /tmp. But no important files can be deleted or written to.
  • by Dr.Dubious DDQ ( 11968 ) on Monday July 22, 2002 @04:21PM (#3933233) Homepage

    If I read the bugtraq announcement correctly, on IA32 (including, I assume, my K6-2 Linux Box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...

  • It sure would have been nice to have recieved this warning yesterday, before my linux box got rooted :( Fortunately, my unsuported sound card caused a kernel panic before they could do anything besides delete some of my kde themes. Props to the morse-code panic lights!

  • A bug has existed since Apache 2.0.39's release that causes PHP compilation to fail under certain conditions. I'm somewhat astonished that the PHP group neglected to repair it.

    A patch is publicly accessible via my webserver here [initialized.org] (http://www.initialized.org/patches/php4.2.2-apach e2.0.39.diff).

    To install the patch on a Unix machine and install PHP using apxs:

    (r) designates commands that must be executed as the superuser (root).
    1. Download the tarball. I recommend using us2.php.net, Hurricane Electric's mirror.
    2. Execute 'tar xvfz php-4.2.2.tar.gz' from a shell.
    3. Execute 'cd php-4.2.2'.
    4. Execute 'wget http://www.initialized.org/patches/php4.2.2-apache 2.0.39.diff'.
    5. Execute 'patch sapi/apache2filter/php_functions.c php4.2.2-apache2.0.39.diff'. This command will apply the patch.
    6. Execute './configure --with-apxs2'. You may specify further options (such as --with-mysql if your applications require MySQL support) following "--with-apxs2".
    7. (r) Execute 'make'.
    8. (r) Execute 'make install'.
    9. (r) Restart Apache. 'apachectl restart' is the most common method of doing so.
    If you have any questions or encounter difficulties, feel free to email me. ;)

    -- Scoria
    • I incorrectly assigned the "superuser" label to the command 'make'. You may execute the 'make' command either as root or a normal user.

      'make install', however, must be performed as root.
    • It's a security bug fix release. Only this bug was fixed to get it out as soon as possible. PHP 4.2.3 will have more bugs fixed (+ a proper QA) and should be released in the next weeks.

      chregu
    • Apache2 is not supported by php at all, its just for the bleeding edge few. This bug was corrected in php's cvs long ago, and bugs.php.net even had a large banner telling everyone to not report the bug and get the latest snapshot. That worked for a while until the cvs of apache2 had some internal changes that required changes in php that in turn made the php cvs (and snapshots) require apache-2.0.40 (the unreleased cvs version).

      If you are going to be playing around on the bleeding edge, you mine as well checkout the cvs versions of both, skip the patching, and have some real fun :)

      --Matt
  • by Thing 1 ( 178996 ) on Monday July 22, 2002 @08:16PM (#3934412) Journal
    The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1.

    I can understand a certain amount of vulnerability after 420...

  • Anyone with anything intelligent to add to this discussion is either busy patching or cracking

    NOT posting

  • I upgraded to 4.2.2 in the middle of developing a site for a client (I know - big "No No") and it was TOTAL BADNESS My login procedure and several sections fo the site just stopped working. Apparently 4.2.2 configures the system such that redirects do not work the same. Needless to say this turned my dev server upsidedown in a mad rain of chaos. Had to do a rollback and just forget about it for now. Once the site works I'll reinstall and debug. caveat emptor.

For God's sake, stop researching for a while and begin to think!

Working...