Welcome to WebmasterWorld Guest from 188.8.131.52
Backported Marcus' foreach() speedup patch from PHP 5.x.
Anybody running 5.0 in a live environment yet? I'm pushing one in the first week of January, 2005.
Date: Thu, 16 Dec 2004 14:57:54 +0100
Subject: [SA13481] PHP Multiple Vulnerabilities
From: Secunia Security Advisories <firstname.lastname@example.org>
PHP Multiple Vulnerabilities
SECUNIA ADVISORY ID:
Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
1) An integer overflow in the "pack()" function can be exploited to cause a heap-based buffer overflow by passing some specially crafted parameters to the function.
Successful exploitation bypasses the safe_mode feature and allows execution of arbitrary code with the privileges of the web server.
2) An integer overflow in the "unpack()" function can be exploited to leak information stored on the heap by passing specially crafted parameters to the function.
In combination with the first vulnerability, this may also allow bypassing of heap canary protection mechanisms.
3) An error within safe_mode when executing commands can be exploited to bypass the safe_mode_exec_dir restriction by injecting shell commands into the current directory name.
Successful exploitation requires that PHP runs on a multi-threaded Unix web server.
4) An error in safe_mode combined with certain implementations of "realpath()" can be exploited to bypass safe_mode via a specially crafted file path.
5) An error within the handling of file paths may potentially lead to file inclusion vulnerabilities. The problem is that "realpath()", which in some implementations truncate filenames, is used in various places to obtain the real path of a file.
6) Various errors within the deserialization code can be exploited to disclose information or execute arbitrary code via specially crafted strings passed to the "unserialize()" function.
7) An unspecified error in the "shmop_write()" function may result in an attempt to write to an out-of-bounds memory location.
8) An unspecified error in the "addslashes()" function causes it to not escape "\0" correctly.
9) An unspecified boundary error exists in the "exif_read_data()" function when handling long section names.
10) An unspecified error within "magic_quotes_gpc" may allow a one-level directory traversal when uploading files.
NOTE: Other potential security issues have also been reported.
Update to version 4.3.10 or 5.0.3.
PROVIDED AND/OR DISCOVERED BY:
1-6) Stefan Esser
6) Martin Eiszner
7-10) Reported by vendor.
Maybe I should look into an alternative for the accelerator that does get updated.
Here's what I did (from 4.3.3 to 4.3.10 on RH9):
tar -xzvf php-4.3.10.tar.gz
I then executed the libtool update command as instructed during the installation routine.
Killed me. I had to "make clean" in php-4.3.10 and reinstall php-4.3.3, then I restored my Apache2 binaries, modules, and config files from my daily backup to get the server up again.
The httpd daemon simply wouldn't start, and threw no errors at me.
Note that this isn't an RPM installation (so no rpm -Uvf) and it's not Slackware (so no updatepkg).
I didn't upgrade any Zend stuff, as I don't use it specifically. (The PHP and Zend sites said to upgrade if you used Zend Optimizer.)
Due to incompatibility of the previous version of Zend Optimizer with PHP 4.3.10, it is strongly recommended that owners of Zend Performance Suite, Zend Accelerator, Zend Studio Server, and Zend WinEnabler, upgrade to Zend Optimizer 2.5.7.
Did I err? Is there a 1-2-3 upgrade process other than the above? Thanks for any help.
It looks like PHP has a nasty bug, and one that can cause some potentially wicked problems with unwanted database access. Itís been discovered that PHP versions prior to 4.3.10 or 5.0.3 have problems connected with the way that serialisation and realpath commands are handled to gain escalated privileges. The result is that many web administrators are suffering problems from hackers. Fortunately, the problem has now been fixed.
The solution to the exploit is to upgrade to the latest version of PHP - either 4.3.10 or 5.0.3, depending on which thread you are running. The 4.3.10 build also includes some 5.x bugfixes and features which have been ported backwards.
Numerous threads do exist on WWorld and elsewhere containing warnings about upgrading tp PHP 4.3.10, and without doubt PHP.NET will be teeming with discussion about PHP 4.3.11 at the moment.
Apparently the only really urgent concern is to remove/update any phpBBB installation/s you may have, otherwise I'm cautiously confident that most other current PHP security warnings are no more than knee-jerk reactions ;)
Keeping a watchful eyte on WWorld Forum88 seems to be a wise move over the holidays ( [webmasterworld.com...] ). Speaking of holidays, we're shutting down early this morning to allow time for backups and other hooiday precautions.
Merry Crimble to all, and to all a Good Knight!
[edited by: engine at 11:05 am (utc) on Jan. 14, 2005]
[edit reason] formatting [/edit]