Free Republic

PHP Scripting flaw threatens Web servers
ZDNet News ^ | July 22, 2002, 11:30 AM PT | rt Lemos

Posted on 07/22/2002 9:49:56 PM PDT by Bush2000

A flaw found in newer versions of the PHP Web server scripting language could allow attackers to crash, and in some cases control, computers over the Internet, an open-source developer group announced Monday. The vulnerability affects versions 4.2.0 and 4.2.1 of PHP, according to the PHP Group. The flaw compromises different computer architectures in different ways: Web servers running on Intel IA-32 hardware could crash, while other systems, including Sun Microsystems' Solaris, could allow the attacker to infiltrate the computer.

The flaw occurs because of a problem in the way PHP handles the memory allocated for data recovered from customer forms on Web pages. Such data is known as POST data, after the HTTP command name, and could be formatted by an attacker in a way to compromise the Web server.

"If you are running PHP 4.2.x, you should upgrade as soon as possible," Stefan Esser, a member of the PHP Group and the developer who discovered the scripting flaw, wrote in the advisory. "If you cannot upgrade for whatever reason, the only way to workaround this is to disable all kinds of POST requests on your server."

The flaw is the second major security hole to affect PHP this year. In February, another vulnerability that affected more versions of the scripting server and that could have led to a greater number of compromises was announced.

The PHP Group has released a new version, PHP 4.2.2, that corrects the flaw.

Once known as Personal Homepage and now as the PHP: Hypertext Preprocessor, PHP is a key part of the standard open-source solution for Web servers. The collection of software making up the solution is commonly referred to as LAMP, where each letter stands for the software component used: the Linux operating system, the Apache Web server, the MySQL database, or the PHP scripting language. Occasionally, a different programming language, Python, is used as the scripting component in LAMP configurations.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: bug; flaw; php; security
I'm soooooooo shocked... /sarcasm
1 posted on 07/22/2002 9:49:56 PM PDT by Bush2000

To: Bush2000
The PHP Group has released a new version, PHP 4.2.2, that corrects the flaw.

It's already fixed. M$ never worked that fast. That's why I gave up on them.

Mac OS X - not affected.
Sun & Linux probably affected - so get the php update. What's the big f'ing deal? If this were M$, the update wouldn't come in a timely manner, and when it finally came out, it would not be free. (BTW - has M$ ever fixed their FrontPage extensions vulnerability?-- FP can crash and burn the web server-- read somewhere that -- after all these years -- it is still not fixed.)

2 posted on 07/22/2002 10:26:49 PM PDT by Utopia

To: Utopia
It's already fixed. M$ never worked that fast. That's why I gave up on them.

Making a patch available is only part of fixing the solution, script kiddy. Now, you have to get it out to all of the affected boxes. Who cares if a patch exists. The patch won't be applied on all affected machines in time to protect all machines from being exploited ... Your kneejerk defense is wearing thin...
3 posted on 07/23/2002 12:20:52 AM PDT by Bush2000

To: Incorrigible; Dominic Harr
bump
4 posted on 07/23/2002 2:08:52 PM PDT by Bush2000

To: Bush2000
Don't bump me, in my mind this just makes you look pathetic.

I'd guess people ignored this thread for a reason -- you're a joke around here, if I'm not mistaken.

Gee, anyone wonder why Mr. B2k never posts MS issues, since they come weekly?

But he does post the rare open-source bug. How odd.

I guess a PHP bug is rare enough to be considered 'news', whereas an MS bug is pretty much just an expected regular occurrence. But I'm not sure how this is a 'FreeRepublic' kind of post. You're only posting it trying to make a pathetic defense of MS which no one buys.

When you posted that Apache bug that was the first one in 4 years, and then tried to claim that Apache was no better than IE, I thought you *had* to notice you've become a joke. But this makes me wonder if you're at all aware of how others see you.

I think you should post more of these. The folks who read this will see how MS *should* act, patching it quickly, and be even more critical of MS's handling of bugs and exploits!

But hey, don't let me stop you from embarrassing yourself. You were saying something about it not mattering that MS has far, far more serious software problems?

5 posted on 07/23/2002 2:26:27 PM PDT by Dominic Harr

To: Dominic Harr

I guess a PHP bug is rare enough to be considered 'news', whereas an MS bug is pretty much just an expected regular occurrence. But I'm not sure how this is a 'FreeRepublic' kind of post. You're only posting it trying to make a pathetic defense of MS which no one buys.

Is it possible that less open source bugs are found because less people use open source stuff? What's the market break down? I heard last week on Rush that Mac has about 5% of the market. I know MS has a big share of the market but how much open source stuff is being used?

I never heard of PHP, and figured it probably didn't apply since we mostly use Apache for our web stuff, but it turned out that one guy here uses PHP for some of his stuff.

Remembering Edwin Abbot, I would say most code can probably be exploited. Usually, by people from Scandinavia. I'd imagine there's not much else to do there.

6 posted on 07/23/2002 4:03:21 PM PDT by Duke Nukum

To: Duke Nukum
Is it possible that less open source bugs are found because less people use open source stuff?

Apache is the most popular web server, at about 65% of the market. It's had one exploit in 4 years.

Microsoft's IIS has about 35% of the market -- mostly with the dying dot coms -- and it has a new major exploit about every 2 weeks.

PHP is very popular. I don't off hand know the stats -- I don't use it myself.

Debugging software is like finding the spelling and punctuation errors in a story.

More eyeballs means you find the errors faster.

The open source rule is that with enough eyeballs, all bugs are shallow.

7 posted on 07/23/2002 5:48:09 PM PDT by Dominic Harr

To: Dominic Harr; Duke Nukum
[Apache's] had one exploit in 4 years...

This, of course, is yet another of your outrageous LIES -- easily exposed by searching for "Apache" on http://online.securityfocus.com/.
8 posted on 07/23/2002 6:30:32 PM PDT by Bush2000

To: Duke Nukum; Bush2000
This, of course, is yet another of your outrageous LIES -- easily exposed by searching for "Apache" on http://online.securityfocus.com/.

The correct link he doesn't want you to see is Security Focus Vulns by Vendor. It can be pretty hard to find stuff on that site, so he's banking on no one checking.

Fortunately, I can cut and paste the list here.

This is about the half-dozenth time I've posted this list. He knows he's lying. He's just hoping most folks won't check.


Apache 2.0 vulns for the last 5 years:

 2002-07-17:  Apache httpd 2.0 CGI Error Path Disclosure Vulnerability
 2002-06-17:  Apache Chunked-Encoding Memory Corruption Vulnerability

One trivial, one serious.

Now,

Vulns for Microsoft IIS 5.0

 2002-07-12:  Microsoft IIS SMTP Service Encapsulated SMTP Address Vulnerability
 2002-05-27:  Microsoft IIS 5.0 Denial Of Service Vulnerability
 2002-05-27:  Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability
 2002-04-18:  Microsoft IIS CodeBrws.ASP File Extension Check Out By One Vulnerability
 2002-04-16:  Microsoft IIS CodeBrws.ASP Source Code Disclosure Vulnerability
 2002-04-10:  Microsoft IIS Help File Search Cross Site Scripting Vulnerability
 2002-04-10:  Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability
 2002-04-10:  Microsoft IIS HTTP Error Page Cross Site Scripting Vulnerability
 2002-04-10:  Microsoft IIS HTTP Redirect Cross Site Scripting Vulnerability
 2002-04-10:  Microsoft IIS Chunked Encoding Heap Overflow Variant Vulnerability
 2002-04-10:  Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
 2002-04-10:  Microsoft IIS HTTP Header Field Delimiter Buffer Overflow Vulnerability
 2002-04-10:  Microsoft IIS ASP Server-Side Include Buffer Overflow Vulnerability
 2002-04-10:  Microsoft IIS ISAPI Filter Access Violation Denial of Service Vulnerability
 2002-04-10:  Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability
 2002-03-05:  Microsoft IIS Authentication Method Disclosure Vulnerability
 2002-02-19:  Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability
 2002-01-31:  Microsoft MSDTC Service Denial of Service Vulnerability
 2002-01-16:  Multiple Vendor Unprivileged User Permissions Log File Modification Vulnerability
 2001-12-11:  Microsoft IIS False Content-Length Field DoS Vulnerability
 2001-08-15:  Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability
 2001-08-15:  Microsoft IIS 5.0 In-Process Table Privelege Elevation Vulnerability
 2001-08-15:  Microsoft IIS WebDAV Invalid Request Denial of Service Vulnerability
 2001-08-15:  Microsoft IIS MIME Header Denial of Service Vulnerability
 2001-08-08:  MS IIS Internal IP Address/Internal Network Name Disclosure Vulnerability
 2001-07-04:  Microsoft IIS Device File Local DoS Vulnerability
 2001-07-04:  Microsoft IIS Device File Remote DoS Vulnerability
 2001-05-17:  IIS WebDav Lock Method Memory Leak DoS Vulnerability
 2001-05-15:  MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
 2001-05-14:  Microsoft IIS Various Domain User Account Access Vulnerability
 2001-05-06:  Microsoft IIS WebDAV 'Propfind' Server Restart Vulnerability
 2001-05-01:  Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability
 2001-03-16:  Microsoft IIS WebDAV 'Search' Denial of Service Vulnerability
 2001-03-08:  Microsoft IIS WebDAV Denial of Service Vulnerability
 2001-03-01:  Microsoft IIS Multiple Invalid URL Request DoS Vulnerability
 2001-03-01:  Microsoft Exchange 2000 / IIS 5.0 Multiple Invalid URL Request DoS Vulnerability
 2001-01-29:  Microsoft IIS File Fragment Disclosure Vulnerability
 2000-12-22:  Microsoft IIS Front Page Server Extension DoS Vulnerability
 2000-11-06:  Microsoft IIS Executable File Parsing Vulnerability
 2000-10-23:  Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
 2000-10-17:  Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
 2000-10-04:  Microsoft IIS 5.0 Indexed Directory Disclosure Vulnerability
 2000-08-21:  Microsoft FrontPage/IIS Cross Site Scripting shtml.dll Vulnerability
 2000-08-21:  Microsoft IIS Cross Site Scripting .shtml Vulnerability
 2000-08-14:  Microsoft IIS 5.0 "Translate: f" Source Disclosure Vulnerability
 2000-08-10:  Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
 2000-07-17:  Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability
 2000-07-14:  Microsoft IIS 3.0 .htr Missing Variable Denial of Service Vulnerability
 2000-07-13:  Microsoft IIS Internal IP Address Disclosure Vulnerability
 2000-05-14:  Microsoft IIS FTP Denial of Service Vulnerability
 2000-05-11:  Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability
 2000-05-11:  Microsoft IIS 4.0/5.0 Malformed File Extension DoS Vulnerability
 2000-05-10:  Microsoft IIS 4.0/5.0 Malformed .htr Request Vulnerability
 2000-05-06:  Microsoft Frontpage Server Extensions Path Disclosure Vulnerability
 2000-04-12:  Microsoft IIS 4.0/5.0 Escaped Characters Vulnerability
 2000-03-30:  Microsoft IIS UNC Mapped Virtual Host Vulnerability
 2000-03-08:  Microsoft IIS UNC Path Disclosure Vulnerability
 2000-02-09:  NT IIS ASP VBScript Runtime Error Viewable Source Vulnerability
 1999-01-26:  NT IIS IISAPI Extension Enumerate Root Web Server Directory Vulnerability


If you want another hoot, do a search on Win2000 v. Linux.

9 posted on 07/23/2002 7:34:11 PM PDT by Dominic Harr

To: Dominic Harr
Then I guess you forgot to mention these, dumbass ...

2002-07-10: Apache Tomcat DOS Device Name Cross Site Scripting Vulnerability
2002-06-20: Apache Tomcat Null Character Malformed Request Denial Of Service Vulnerability
2002-06-19: Apache Tomcat Web Root Path Disclosure Vulnerability
2002-06-17: Apache Chunked-Encoding Memory Corruption Vulnerability
2002-06-12: Apache Tomcat JSP Engine Denial of Service Vulnerability
2002-05-29: Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability
2002-05-29: Apache Tomcat Example Files Web Root Path Disclosure Vulnerability
2002-05-29: Apache Tomcat RealPath.JSP Malformed Request Information Disclosure Vulnerability
2002-04-23: Apache Tomcat Servlet Path Disclosure Vulnerability
2002-04-19: Apache Tomcat System Path Information Disclosure Vulnerability
2002-03-25: Apache Double-Reverse Lookup Log Entry Spoofing Vulnerability
2002-03-21: Apache Win32 Batch File Remote Command Execution Vulnerability
2002-02-19: Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability
2002-02-07: Apache 2 for Windows php.exe Path Disclosure Vulnerability
2002-02-07: Apache 2 for Windows OPTIONS request Path Disclosure Vulnerability
2002-01-06: Apache Non-Existent Log Directory Denial Of Service Vulnerability
2002-01-04: Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
2002-01-04: Apache HTTP Request Unexpected Behavior Vulnerability
2001-11-28: Apache Split-Logfile File Append Vulnerability
2001-11-08: Apache mod_usertrack Predictable ID Generation Vulnerability
2001-09-10: MacOS X Client Apache Directory Contents Disclosure Vulnerability
2001-08-16: Jakarta Tomcat Error Message Information Disclosure Vulnerability
2001-08-12: Apache Mod ReWrite Rules Bypassing Image Linking Vulnerability
2001-08-09: Apache Server Address Disclosure Vulnerability
2001-07-10: Apache Possible Directory Index Disclosure Vulnerability
2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability
2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability
2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability
2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability
2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability
2000-12-06: Apache Web Server with Php 3 File Disclosure Vulnerability
2000-09-29: Apache Rewrite Module Arbitrary File Disclosure Vulnerability
2000-09-07: SuSE Apache WebDAV Directory Listings Vulnerability
2000-07-20: Apache Tomcat 3.1 Path Revealing Vulnerability
2000-07-20: Apache Tomcat Snoop Servlet Information Disclosure Vulnerability
2000-07-20: Apache Jakarta-Tomcat /admin Context Vulnerability
2000-05-31: Apache HTTP Server (win32) Root Directory Access Vulnerability
1999-09-25: NCSA/Apache httpd ScriptAlias Source Retrieval Vulnerability
1998-09-03: Multiple Vendor MIME Header DoS Vulnerability
1998-01-06: Apache Web Server DoS Vulnerability
1997-01-12: Apache mod_cookies Buffer Overflow Vulnerability
1996-12-10: Multiple Vendor nph-test-cgi Vulnerability
1996-04-01: Multiple Vendor test-cgi Directory Listing Vulnerability
1996-03-20: phf Remote Command Execution Vulnerability
10 posted on 07/23/2002 8:21:48 PM PDT by Bush2000

To: Bush2000

Apache Tomcat, Apache Jakarta, MacOSX

Those vulns are not the Apache Web Server. You've just falsified a report, there, fella.

Those vulns are for about a dozen other Apache tools. Not really even related to the web server.

It's funny -- Tomcat is what you typically use to run servlets with IIS, in fact!

You don't have a clue about any of this, do you. Or you know you're lying, and are doing so only to try and sell MS?

11 posted on 07/23/2002 8:28:36 PM PDT by Dominic Harr

To: All
F.Y.I.

It's very simple.

Go here, to

SecurityFocus Vulns by Vendor

and where it says, 'Vendor' select Apache. Where it says, 'Title' select Apache. Where it says, 'Version' select the newest, 2.0.

Then do the same with 'Microsoft', 'IIS' and '5.0'.

It's easy if you want to!

And you can really have some fun -- do the same search for WinXP!

12 posted on 07/23/2002 8:55:41 PM PDT by Dominic Harr

To: Dominic Harr
Those vulns are for about a dozen other Apache tools. Not really even related to the web server.

Run and hide, Harr. They're all components that run as part of Apache. You can try to redefine what "Apache is" ... but, in the end, it's all too Clintonian -- even for you.
13 posted on 07/23/2002 9:38:19 PM PDT by Bush2000

To: Bush2000
You falsified that error list.

*That* is Clintonian.

14 posted on 07/23/2002 9:46:59 PM PDT by Dominic Harr

To: Dominic Harr
You falsified that error list.

Whatsamatter, Harr? Portfolio tanking? Angry at the world? You insolent sack of sh*t. These bug reports are readily available to anybody who wants to look.
15 posted on 07/23/2002 9:53:11 PM PDT by Bush2000

To: Bush2000
These bug reports are readily available to anybody who wants to look.

Exactly right.

Heck, anyone who reads the list you posted will be able to see what you did, in fact.

You pulled up a list of *all* vulns related to *all* software from the Apache Group, instead of the vulns for the Apache Web Server.

And most ironic, it was still a shorter list than just the bugs for IIS 5.0!!!!

Ha!

So should we compare that to a list of *all* vulns related to *all* software from MS?

Nah, that would clog the thread up too much . . .

You deliberately falsified that report. That's pathetic.

16 posted on 07/23/2002 9:58:40 PM PDT by Dominic Harr

To: Bush2000
Pass the popcorn, please. I just love OS holy wars.
17 posted on 07/23/2002 10:00:52 PM PDT by strela

To: Dominic Harr
You deliberately falsified that report. That's pathetic.

What an aquamaroon. Running a query on their server ain't "falsifying that report", braindead troll.
18 posted on 07/23/2002 10:24:12 PM PDT by Bush2000

To: Bush2000
G'nite.

Don't wait up.

19 posted on 07/23/2002 10:26:25 PM PDT by Dominic Harr
