IMPORTANT: PHP Vulnerabilities Announced!

Where we keep all the boring tidbits about the PHPDN site, the news, and what not.

Moderator: General Moderators

patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

IMPORTANT: PHP Vulnerabilities Announced!

Post by patrikG »

Unserialize() is, among other vulnerabilities, affected. (see: http://www.hardened-php.net/ )

Examples of vulnerable scripts:

- phpBB2
- Invision Board
- vBulletin
- Woltlab Burning Board 2.x
- Serendipity Weblog
- phpAds(New)
- ...

source: read http://www.hardened-php.net/advisories/012004.txt
For some background:
slashdot wrote: "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
source: http://developers.slashdot.org/article. ... 17/1641212

I suggest that you
a) read http://www.hardened-php.net/advisories/012004.txt
b) if you aren't hosting yourself, contact your hosting company and make them aware that these vulnerabilities exist and are critical. Email them the text document ( a) ) and the link to Hardened PHP, and ask them by when they will have updated their servers.
Last edited by patrikG on Tue Dec 21, 2004 4:14 am, edited 4 times in total.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

That does appear to be very serious indeed. Let's just hope nobody creates a virus to exploit PHP-based web servers worldwide.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Joe wrote: That does appear to be very serious indeed. Let's just hope nobody creates a virus to exploit PHP-based web servers worldwide.
Which is highly unlikely :(
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

Well phenom, you never know. There are millions of viruses which attack web servers out there, so I would not be surprised.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Is this a trustworthy source? It doesn't seem to have any connection to the PHP project. I'd be very careful about downloading "security" patches from that site.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

I was wondering about that myself. How reliable is this info? I'm also wondering about the serialize() function. Correct me if I'm wrong: hackers can insert strings into serialized cookies like the one phpBB uses for user data? Can someone elaborate a little bit more about what exactly this means? I'm a noob.

Thanks
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

evilmonkey wrote: Is this a trustworthy source? It doesn't seem to have any connection to the PHP project. I'd be very careful about downloading "security" patches from that site.
None of the advisories proposed installing anything from sites other than php.net. Visit php.net; there's an announcement on the main page:
[15-Dec-2004] The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

neophyte wrote: I was wondering about that myself. How reliable is this info?
An exploit for phpBB2 was sent to bugtraq on 17 Dec 2004 17:20:23 GMT. Does that convince you?
neophyte wrote: I'm also wondering about the serialize() function. Correct me if I'm wrong: hackers can insert strings into serialized cookies like the one phpBB uses for user data?
Of course they can. Cookies are stored on the client side, so they can be manipulated in any way a hacker wants.
neophyte wrote: Can someone elaborate a little bit more about what exactly this means? I'm a noob.
This means the malicious person can pass a specially crafted string as a cookie to your server. If your app tries to unserialize($_COOKIE['cookiename']); PHP crashes and dumps sensitive information out to the attacker. Due to the nature of the bug it's not only possible to crash the interpreter, but in theory it's possible to craft a string which, upon unserializing, would execute itself. Stefan Esser of php.net claims (he|his team) has found such a string for AMD64:
Hardened-PHP project advisory wrote: ...For AMD64 systems a string was developed that directly passes execution to code contained in the string itself.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Thanks for the elaboration Weirdan.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

DON'T LET THIS HAPPEN TO YOU....

Post by neophyte »

I was wondering earlier what would happen with this security hole... Well, this is what can happen with this security hole. I had to take down phpBB2 and make a number of other changes. :oops: :( :x :evil:
Last edited by neophyte on Wed Jan 12, 2005 9:13 am, edited 2 times in total.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: DON'T LET THIS HAPPEN TO YOU....

Post by Weirdan »

neophyte wrote: I was wondering earlier what would happen with this security hole... Well, this is what can happen with this security hole.
It isn't the hole in PHP; it's a web worm exploiting the highlight bug in phpBB (fixed in 2.0.11).
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Glad to know that.

Weirdan Rules! Thanks again for the explanation!
skehoe
Forum Commoner
Posts: 59
Joined: Sun Dec 22, 2002 5:57 am
Location: Denver

Post by skehoe »

I'm still trying to figure out how the unserialize issue could be a security threat... I completely understand your app crashing if you're expecting cookie data and it turns out to be something different, but most admins shouldn't have error messages going out to the browser on a production site. At least I would hope not.

As far as I can figure, someone replaces serialized cookie data with a serialized object. When the object is unserialized, PHP tries to find the class it belongs to so that it can rebuild it and then executes anything in its __wakeup function. However, if the class isn't in memory and the unserialize_callback_func hasn't been set in the php.ini file, this should still just result in an error... Maybe I'm barking up the wrong tree, but the only security threat I can see is someone not checking to make sure the cookie data is what they expected before trying to use it.

Can anyone explain this on a more technical level? I'm not looking to exploit, only to understand.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

Like Weirdan mentioned, it's possible a specially crafted string could contain code which would be executed.

It's not a matter of the specific PHP script executing the code using exec() or anything; it's a bug in the PHP function itself. Upon unserializing the data, this specially crafted string could "break out" of PHP entirely and it would be executed. This would happen inside the unserialize function.

Think of it kinda like SQL injection... Now of course with SQL, you check the data first. But with unserialize, you shouldn't have to. You should be able to check the data after unserializing it, but the problem occurs during the unserializing process.

I'm happy though, my host upgraded today :)
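Weirdan's and rehfeld's point above is that the damage happens inside unserialize() itself, so the only useful check is one that runs before the attacker's bytes reach the parser. The following is an added example, not code from this thread, phpBB or Hardened-PHP: the cookie is signed with a server-side HMAC and verified first, so a tampered cookie is discarded unparsed. It assumes PHP 7.1 or later (hash_equals(), the allowed_classes option, nullable types); the cookie name and key are hypothetical.

```php
<?php
// Added example: never hand attacker-controlled bytes to unserialize().
// Cookie layout: base64(serialize($data)) . "." . hex(HMAC-SHA256(payload, key))
// Assumes PHP >= 7.1; the cookie name and secret key below are hypothetical.

const COOKIE_NAME = 'userdata';
$secretKey = 'replace-with-a-long-random-server-side-secret'; // hypothetical

// Server side: serialize, sign, and emit a single cookie value.
function makeSignedCookie(array $data, string $key): string {
    $payload = base64_encode(serialize($data));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Verify first, parse second. Returns the array, or null for missing/forged input.
function readSignedCookie(?string $raw, string $key): ?array {
    if ($raw === null || strpos($raw, '.') === false) {
        return null;
    }
    // base64 never contains '.', so the first dot separates payload from MAC.
    [$payload, $mac] = explode('.', $raw, 2);
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;                      // tampered: unserialize() never sees it
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    // Only bytes this server signed get this far. allowed_classes => false is a
    // second layer: no objects are instantiated, so no __wakeup() can run.
    $data = unserialize($decoded, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// The pattern quoted in the thread, for contrast (do not do this):
//   $user = unserialize($_COOKIE['cookiename']);
// Hardened usage:
$user = readSignedCookie($_COOKIE[COOKIE_NAME] ?? null, $secretKey);
if ($user === null) {
    $user = ['user_id' => 0, 'name' => 'guest'];   // treat as anonymous
}
```

Signing does not fix the parser bug itself, which is why the upgrade to PHP 4.3.10 / 5.0.3 announced above still matters; it only guarantees that the bytes reaching unserialize() are ones the server produced.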