slashdot wrote: "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
I suggest that you
a) read http://www.hardened-php.net/advisories/012004.txt
b) if you aren't hosting yourself, contact your hosting company and make them aware that these vulnerabilities exist and are critical. Email them the text document (a) and the link to Hardened-PHP, and ask them by when they will have updated their servers.
Last edited by patrikG on Tue Dec 21, 2004 4:14 am, edited 4 times in total.
Is this a trustworthy source? It doesn't seem to have any connection to the PHP project. I'd be very careful about downloading "security" patches from that site.
I was wondering about that myself. How reliable is this info? I'm also wondering about the serialize() function. Correct me if I'm wrong. Hackers can insert strings into serialized cookies like the one phpBB uses for user data? Can someone elaborate a little bit more on what exactly this means? I'm a noob.
evilmonkey wrote: Is this a trustworthy source? It doesn't seem to have any connection to the PHP project. I'd be very careful about downloading "security" patches from that site.
None of the advisories proposed installing anything from sites other than php.net. Visit php.net; there's an announcement on the main page:
[15-Dec-2004] The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.
neophyte wrote: I was wondering about that myself. How reliable is this info?
An exploit for phpBB2 was sent to Bugtraq on 17 Dec 2004 17:20:23 GMT. Does that convince you?
I'm also wondering about the serialize() function. Correct me if I'm wrong. Hackers can insert strings into serialized cookies like the one phpBB uses for user data?
Of course they can. Cookies are stored on the client side, so they can be manipulated in any way a hacker wants.
Can someone elaborate a little bit more on what exactly this means? I'm a noob.
This means the malicious person can pass a specially crafted string as a cookie to your server. If your app tries to unserialize($_COOKIE['cookiename']), PHP crashes and dumps sensitive information out to the attacker. Due to the nature of the bug it's not only possible to crash the interpreter, but in theory it's possible to craft a string which, upon unserializing, would execute itself. Stefan Esser of php.net claims (he|his team) has found such a string for AMD64:
Hardened-PHP project advisory wrote:
...For AMD64 systems a string was developed that directly passes execution to code contained in the string itself.
I was wondering earlier what would happen with this security hole... Well, this is what can happen with this security hole. Had to take down phpBB2 and make a number of other changes.
Last edited by neophyte on Wed Jan 12, 2005 9:13 am, edited 2 times in total.
I'm still trying to figure out how the unserialize issue could be a security threat... I completely understand your app crashing if you're expecting cookie data and it turns out to be something different, but most admins shouldn't have error messages going out to the browser on a production site. At least I would hope not.
As far as I can figure, someone replaces serialized cookie data with a serialized object. When the object is unserialized, PHP tries to find the class it belongs to so that it can rebuild it, and then executes anything in its __wakeup function. However, if the class isn't in memory and unserialize_callback_func hasn't been set in php.ini, this should still just result in an error... Maybe I'm barking up the wrong tree, but the only security threat I can see is someone not checking to make sure the cookie data is what they expected before trying to use it.
Can anyone explain this on a more technical level? I'm not looking to exploit, only to understand.
As mentioned by weirdan, it's possible that a specially crafted string could contain code which would be executed.
It's not a matter of the specific PHP script executing the code using exec() or anything; it's a bug in the PHP function itself. Upon unserializing the data, this specially crafted string could "break out" of PHP entirely and be executed. This would happen inside the unserialize function.
Think of it kind of like SQL injection... now of course with SQL, you check the data first. But with unserialize, you shouldn't have to. You should be able to check the data after unserializing it, but the problem occurs during the unserializing process.
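An added example, not from any poster in this thread, of the pattern under discussion: unserialize() called directly on a cookie, beside a version that only hands the parser strings the server itself signed, so client-controlled bytes never reach unserialize() at all. It assumes PHP 7 or later (for hash_equals() and the allowed_classes option); the cookie name and the secret key are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ (hash_equals, allowed_classes).

// Vulnerable pattern from the discussion: every byte of the cookie is
// attacker-controlled and reaches the unserialize() parser unchecked.
function loadUserDataUnsafe(array $cookies)
{
    return unserialize($cookies['userdata']);
}

// Hardened pattern: the server signs the serialized blob it issues, and only a
// blob whose HMAC verifies is ever handed to unserialize(). The parser never
// sees a string the server did not produce itself.
const COOKIE_KEY = 'placeholder-secret-generate-a-random-one'; // placeholder

function makeSignedCookie(array $data, $key)
{
    $payload = serialize($data);
    return hash_hmac('sha256', $payload, $key) . '.' . base64_encode($payload);
}

function loadUserDataSafe(array $cookies, $key)
{
    if (!isset($cookies['userdata']) || !is_string($cookies['userdata'])) {
        return null;
    }
    $parts = explode('.', $cookies['userdata'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[1], true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison of the MAC; reject anything we did not sign.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $parts[0])) {
        return null;
    }
    // allowed_classes => false: no object is ever rebuilt, so no __wakeup runs.
    return unserialize($payload, array('allowed_classes' => false));
}

// Constructed demo: a genuine cookie, then one where the attacker swapped the
// payload for their own serialized data while keeping the old signature.
$genuine  = array('userdata' => makeSignedCookie(array('uid' => 42), COOKIE_KEY));
$mac      = explode('.', $genuine['userdata'], 2)[0];
$tampered = array('userdata' => $mac . '.' . base64_encode(serialize(array('uid' => 1))));
echo loadUserDataSafe($genuine, COOKIE_KEY)['uid'], "\n";
echo (loadUserDataSafe($tampered, COOKIE_KEY) === null) ? "tampered cookie rejected\n" : "accepted\n";
```

The point the thread makes still stands: the check has to happen before unserialize() runs, because the flaw is inside the parser itself; signing the cookie is one way to guarantee that, and avoiding unserialize() on client data entirely (for example by storing only an opaque session id in the cookie) is another.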