Tuesday, May 8. 2012
Two versions of PHP were just released and fix different security issues. With that, I think the problems that caused a stir last week are now fixed. Read more here: PHP 5.4.3 and 5.3.13 fix several security issues.
Further reading on php.net:
Friday, May 4. 2012
So PHP 5.4.2 and 5.3.12 do not fix the security issue reported in CVE-2012-1823 and discussed here earlier. The original advisory has a number of mitigation opportunities and an additional patch, and PHP.net has a RewriteRule online as a hotfix.
Update: As mentioned on Eindbazen, the current fixes have a problem with whitespace BEFORE the actual query string, i.e. “/?+-s”. This only applies in the wrapper environment outlined by eindbazen.net, where command-line arguments are passed to PHP without double quotes, as in /usr/bin/php5 $@.
I now want to briefly discuss whether any of these properly mitigate the issue.
So, right now you will probably want to use the following RewriteRule:
This is the easiest way to hot-fix the issue until a working PHP version is released.
In the meantime, CVE-2012-2311 has been issued to address the fact that PHP 5.4.2 and 5.3.12 (which I never tested, btw, but the patch is identical) do not properly fix the problem.
Read the original advisory here and my earlier article here.
Thursday, May 3. 2012
This article contains various edits to account for recent developments. Stay tuned.
Some folks found an interesting bug while playing CTF at Nullcon 2012. If you run PHP as a plain CGI or via mod_cgid (not FastCGI), you can pass command-line arguments like the “-s” switch (“show source”) to PHP via the query string.
For example, for any PHP-CGI script on your machine, you could see the source via “http://localhost/test.php?-s”. In this case, your web server’s access restrictions still apply. There are more parameters in the PHP-CGI binary (try “php-cgi -h” for a list) which can be used. Some are not available directly (for example, the infamous “-r” parameter, which allows code to be passed directly for execution, doesn’t work), but others are ready for (ab)use.
This constitutes an easy way to do the following:
Remote Code execution is universally possible and not mitigated by any current security setting or extension. There are workarounds (see below).
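To make the mechanism and the whitespace caveat concrete, here is an added Python example (not code from the original post or from php.net) that models how a CGI server turns an '='-free query string into argv and flags queries that would reach PHP-CGI as switches; the naive anchored check is constructed for contrast only, and the sample queries are constructed.

```python
"""Detect query strings that PHP-CGI would interpret as command-line arguments
(the CVE-2012-1823 vector).

Per the CGI specification, a query string containing no '=' is an "indexed"
query: the web server splits it on '+' and passes each percent-decoded word to
the CGI program as an argument. A filter that only inspects the first raw
character misses the whitespace variant ("/?+-s"), so the robust check decodes
each word and strips leading whitespace before testing for a switch.
"""
from urllib.parse import unquote


def cgi_argv_from_query(query_string: str) -> list[str]:
    """Reconstruct the argv a CGI server would build from an indexed query.

    Returns [] when the query string contains '=' (a normal form query):
    servers then hand it over via QUERY_STRING only, never as argv.
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]


def is_cgi_argument_injection(query_string: str) -> bool:
    """True if any decoded argv word, ignoring leading whitespace, starts with '-'.

    Leading whitespace is stripped because an unquoted wrapper such as
    `/usr/bin/php5 $@` word-splits its arguments again, turning " -s" into "-s".
    """
    return any(word.lstrip().startswith("-") for word in cgi_argv_from_query(query_string))


def naive_anchored_check(query_string: str) -> bool:
    """Illustrative weak filter (constructed for contrast, not php.net's rule):
    rejects only a query whose raw text begins with '-' or '%2d'."""
    lowered = query_string.lower()
    return "=" not in query_string and (lowered.startswith("-") or lowered.startswith("%2d"))


# Constructed sample query strings, as they would appear in an access log.
SAMPLE_QUERIES = ["-s", "%2Ds", "+-s", "%20-h", "foo=bar", "page+2", ""]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q!r:12} naive={naive_anchored_check(q)!s:5} robust={is_cgi_argument_injection(q)}")
```

Running it shows "+-s" and "%20-h" slipping past the anchored check while the argv-based check flags them, which is exactly the wrapper-environment case described in the May 4 update.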
As the authors of the advisory point out, several months have passed since initial reporting. The PHP team does not currently seem to have a universally compatible fix, so there are several external ways for mitigation (also mentioned in the advisory). However, emergency releases are scheduled for tomorrow, May 4th, according to well-informed sources. It’s not quite clear why the fix took so long (and whether the disclosure timeline in the advisory accurately reflects both sides of the incident), but the fact that someone accidentally disclosed the bug on reddit sure didn’t help.
Continue reading "New PHP-CGI exploit: CVE-2012-1823, PoC exploit"
Thursday, May 3. 2012
With the recently released PHP 5.4, the Suhosin patch and extension were removed from many Linux distribution packages (e.g., Debian et al.), and until three weeks ago there was no way to compile and run the Suhosin extension under PHP 5.4. This little howto shall serve as installation instructions for Debian Wheezy users; your mileage may vary. I blogged about this here.
First, make sure you have the appropriate PHP modules installed for your distribution. In Wheezy, you will need at least php5-common, php5-dev and one or more of these: libapache-mod-php5filter, php5-cli, php5-cgi
You can install them with
Next, we will download, compile and install the Suhosin extension. There is a .tar.gz download here: Github/stefanesser. Download this file to your /usr/local/src directory:
After this, you can run the usual configure command:
The last step is installation.
Now the extension is installed, but not yet configured or activated. Fortunately, Stefan has provided a default configuration file in the distribution tarball that you can just copy over.
cp suhosin.ini /etc/php5/conf.d
If you execute php -v, you should now see the following:
PHP 5.4.0-3 (cli) (built: Mar 21 2012 20:33:26)
After restarting your web server with /etc/init.d/apache2 restart, you should have a working Suhosin with PHP 5.4!