PHP 4.3.10 - security fixes



nsc
12-17-2004, 04:47 PM
Click here (http://www.hardened-php.net/advisories/012004.txt) to open a text file with a security advisory published by HardenedPHP.net affecting all PHP 4.3.9 (and earlier) and PHP 5.0.2 (and earlier). The security problems are said to affect many famous PHP scripts, including phpBB 2.0.11.

Click here (http://developers.slashdot.org/developers/04/12/17/1641212.shtml) to read related discussion on Slashdot.org.

PHP versions 4.3.10 and 5.0.3 have been released, fixing the issues. See php.net (http://www.php.net).

My VPS runs 4.3.0 so I suppose it's vulnerable. Any advice on how to upgrade to 4.3.10?

wildjokerdesign
12-17-2004, 07:54 PM
You might check with WH on this. I know that I received a notice awhile back that a security issue had been identified in phpBB and that they had made some changes to my php installations. Don't think this is the same security problem but I do think they make updates and modifications if it has to do with security.

Armadillo
12-19-2004, 01:43 AM
I've read about those security issues.
I guess we can try to upgrade PHP ourselves, or wait for Westhost to do it.
Does anyone have any suggestions to get around those vulnerabilities?

I've moved my config file out of the document root and set the chmod to 400. I don't know if that will make any difference.

wildjokerdesign
12-19-2004, 05:50 PM
I went ahead and contacted WH support about this and received the following reply from Jonathon Fillmore of the technical support team.

Our administrators are aware of the newly discovered vulnerabilities, and our programmers are currently already working on having the newer versions of PHP available to replace 4.3.0, which is what is currently installed. Although the vulnerabilities are rather difficult to exploit, it has raised the priority of having the new versions of PHP made available. I don't have an exact timeline as to when it will be, but it will happen as soon as we possibly can.

bortels
12-21-2004, 04:59 PM
Time to up that priority even more - per this Slashdot story:

http://it.slashdot.org/article.pl?sid=04/12/21/2135235&tid=220&tid=217&tid=169


A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, if you use Microsoft's search engine to scan for the phrase 'NeverEverNoSanity'--part of the defacement text that the Santy worm uses to replace files on infected Web sites--it returns nearly 39,000 hits.

Apparently it's the PHP version that's vulnerable, not the phpBB...

wildjokerdesign
12-21-2004, 10:21 PM
I thought I would add a bit to what Armadillo had to say about moving the config.php file. If you think you would feel better about this issue if the config.php file was moved then here is what you would need to do.

First open up common.php and change the path on the include for that config.php file. If you wanted to move your config.php file above the web root you do something like this:

include('/var/www/config.'.$phpEx);
By removing the $phpbb_root_path for the include you are bypassing one of the concerns with the php security and phpBB. Now before you upload the change make sure the config.php file is moved or copied to /var/www/. Now upload your change and make sure all is still working. As Armadillo mentioned you can also chmod config.php to 400. If you want you could rename the config.php file to something else, just make sure your changes in the common.php reflect that. If you simply copied your config.php file to the new location then don't forget to remove the original to complete the switch.

As always make backups of the original files in case when you test your changes your phpBB board does not work, so you can revert to the original files.

Most likely if there is someone trying to exploit your phpBB script they are going to be looking for the standard phpBB format and set up, so this may help, although like Armadillo mentioned I'm not sure if it would be foolproof. I have no idea of the exact method folks may be using to try and exploit this.
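The steps in the post above, as an added POSIX shell script that is not from the thread and not phpBB's own code: it moves config.php to a directory outside the web root, sets it to mode 400, and rewrites the include line in common.php. It assumes common.php still carries phpBB 2's stock line `include($phpbb_root_path . 'config.'.$phpEx);` (an assumption about the unmodified file), and the two directory paths are whatever you pass in. One deliberate difference from the post: the backups are written next to the relocated file rather than into the web root, because a config.php.bak left under htdocs would be served as plain text.

```shell
#!/bin/sh
# Added example, not from the thread or from phpBB: move phpBB 2's config.php
# above the web root, set it to mode 400, and repoint the include in common.php.
# Assumes common.php contains the stock line
#   include($phpbb_root_path . 'config.'.$phpEx);
# Usage: sh relocate.sh /path/to/htdocs/phpBB2 /path/outside/webroot

# file_mode PATH: print the permission string, e.g. -r-------- for mode 400.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# relocate_config DOCROOT SAFE_DIR: succeed only when the file was moved and
# the include line in common.php was actually rewritten.
relocate_config() {
    docroot="$1"; safe_dir="$2"
    [ -f "$docroot/config.php" ] || { echo "no config.php in $docroot" >&2; return 1; }
    [ -f "$docroot/common.php" ] || { echo "no common.php in $docroot" >&2; return 1; }
    # The new home must not be served by the web server, or nothing is gained.
    case "$safe_dir" in
        "$docroot"|"$docroot"/*) echo "$safe_dir is inside the web root" >&2; return 1 ;;
    esac
    # Backups go next to the relocated file, not into the web root: a
    # config.php.bak left under htdocs is served as plain text.
    mkdir -p "$safe_dir/backup"
    cp -p "$docroot/config.php" "$safe_dir/backup/config.php"
    cp -p "$docroot/common.php" "$safe_dir/backup/common.php"
    mv "$docroot/config.php" "$safe_dir/config.php"
    chmod 400 "$safe_dir/config.php"
    # Rewrite only the config include; every other line of common.php is kept.
    while IFS= read -r line; do
        case "$line" in
            *'include($phpbb_root_path'*"'config.'"*)
                printf '%s\n' "include('$safe_dir/config.'.\$phpEx);" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$safe_dir/backup/common.php" > "$docroot/common.php"
    # Fail loudly if the include line was not found and rewritten.
    grep -q "include('$safe_dir/config.'.\$phpEx);" "$docroot/common.php"
}

if [ $# -eq 2 ]; then
    relocate_config "$1" "$2"
fi
```

After running it, load the board once to confirm the include resolves; if it does not, the untouched originals are in SAFE_DIR/backup.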

bortels
12-22-2004, 10:20 AM
Boom.

Well, don't know about you, but last night my latest-version phpBB was dooshed by the exploit - all my westhost sites were defaced due to the known-insecure version of PHP that is the system default.

To make matters worse, apparently the action of the worm is to aggressively find .php and .htm(l) files and overwrite them - so even static pages on other sites under my directory were vandalized.

Westhost has known about this (assuming they read their own forums, or even halfheartedly follow the security forums they should be following) for at least a few days - it's disappointing that they didn't proactively deal with a security problem that's been discussed on slashdot. As for me - I'll be installing my own php today, and watching closely what westhost does to address the situation... not only from a security standpoint, but from a "we've dropped the ball for our customers" standpoint...

torrin
12-22-2004, 10:41 AM
As for me - I'll be installing my own php today, and watching closely what westhost does to address the situation... not only from a security standpoint, but from a "we've dropped the ball for our customers" standpoint...

Could you post how you do it? I'd like to do that also. Right now, I'm very afraid that my site will be next.

bortels
12-22-2004, 11:34 AM
If you don't want lots of special stuff (like image support and such), php is a pretty easy install (which is why it was disappointing that live chat support told me they'd upgrade the system php in "a week or so" - after incorrectly telling me that upgrading to phpBB 2.0.11 would stop the exploit [I was running 2.0.11 already]) - I'll take notes and post if I run into any issues...

torrin
12-22-2004, 11:41 AM
Thanks. I'll try it tonight when I get home. Until then, I closed up my forums and moved the files out of internet accessible space. Hopefully this exploit doesn't target other php type applications.

bortels
12-22-2004, 01:04 PM
Here's my php4 install log (including flex and bison, needed to make php but unavailable in the stock system tools). Took me about an hour to find and build it all - which is why "a week or two" is disappointing...

This install plan puts files in a "usr" directory under your home directory - the permissions in /usr/local are "broken" in that you don't have write access to some of the php libraries - so you can't replace the original php, you can only make a new one and use that version instead.

You'll want to change YOURUSERNAME to your actual username, of course...



# bison and flex first: PHP's build needs them and the stock system tools
# don't provide them. Everything installs under /home/YOURUSERNAME/usr.
wget http://mirrors.kernel.org/gnu/bison/bison-1.875.tar.gz
tar -xzf bison-1.875.tar.gz
cd bison-1.875
./configure --prefix=/home/YOURUSERNAME/usr && make && make install
# bison looks for its skeleton files under /usr/local/share/bison by default
ln -s /home/YOURUSERNAME/usr/share/bison /usr/local/share/bison
cd

wget http://mirrors.kernel.org/gnu/non-gnu/flex/flex-2.5.4a.tar.gz
tar -xzvf flex-2.5.4a.tar.gz
cd flex-2.5.4            # the 2.5.4a tarball unpacks into flex-2.5.4
./configure --prefix=/home/YOURUSERNAME/usr && make && make install
cd

# -O gives the download its real name; wget would otherwise save it as "mirror"
# (the last part of the URL) and the bunzip2 below would not find it.
wget -O php-4.3.10.tar.bz2 http://us4.php.net/get/php-4.3.10.tar.bz2/from/this/mirror
bunzip2 php-4.3.10.tar.bz2
tar -xf php-4.3.10.tar
cd php-4.3.10
./configure --prefix=/home/YOURUSERNAME/usr && make && make install
# then put /home/YOURUSERNAME/usr/bin at the front of your PATH

Disclaimer - hey, it worked for me. No promises. This should be entirely non-destructive - since it doesn't (and can't) replace the original system binaries. Once installed, you'll want to add /home/YOURUSERNAME/usr/bin to your path...

EDIT: Garrr - I spoke too soon. Seems the apache modules directory is *also* owned by root, and non-writable by us. So you can build it, but making the stock apache use it is non-trivial. I'll post if I can find a workaround (other than running your own apache). I think I can download a fresh apache, compile it, make the module, and then point the system apache to that module...
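Once a second PHP is built alongside the system one, the question this thread keeps coming back to is which binary is still at an affected version. The following is an added POSIX shell check, not part of the thread: it parses the first line of `php -v` and compares the version numerically against the fixed releases the thread names (4.3.10 for the 4.3 branch, 5.0.3 for the 5.0 branch). The comparison is done component by component because a plain string comparison ranks 4.3.9 above 4.3.10. The binary paths are whatever you pass on the command line; the sample `php -v` lines used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a PHP build is older than
# the release that carries the fixes (4.3.10 for 4.3.x, 5.0.3 for 5.0.x, as
# named in the thread). Usage: sh checkphp.sh /usr/local/bin/php ~/usr/bin/php

# version_ge A B: succeed when dotted version A >= B. Components are compared
# as numbers; non-digits (e.g. an RC suffix) are ignored inside a component.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); ai="${ai:-0}"
        bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# php_is_fixed VERSION: succeed when VERSION is at or past its branch's fixed release.
php_is_fixed() {
    case "$1" in
        4.*) version_ge "$1" 4.3.10 ;;
        5.*) version_ge "$1" 5.0.3 ;;
        *)   return 1 ;;   # unknown branch: do not claim it is fixed
    esac
}

# php_version_from_output TEXT: print the version from `php -v` output,
# whose first line looks like "PHP 4.3.0 (cli) (built: ...)".
php_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9A-Za-z.]*\).*/\1/p'
}

# check_php_binary PATH: run "PATH -v" and report. Exit status: 0 fixed,
# 1 older than the fixed release, 2 when the binary cannot be run.
check_php_binary() {
    out=$("$1" -v 2>/dev/null) || { echo "$1: cannot run" >&2; return 2; }
    v=$(php_version_from_output "$out")
    if php_is_fixed "$v"; then
        echo "$1: PHP $v is at or past the fixed release"
    else
        echo "$1: PHP $v is older than the fixed release for its branch"
        return 1
    fi
}

# Check every binary named on the command line; status records any failure.
status=0
for bin in "$@"; do
    check_php_binary "$bin" || status=1
done
```

Run it against both the system binary and the one under ~/usr/bin: the stock 4.3.0 is reported as older, and a freshly built 4.3.10 as fixed.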

torrin
12-22-2004, 02:39 PM
We have access to the httpd.conf file. Can you change that to point to a new modules directory?

bortels
12-22-2004, 03:36 PM
I believe so. That's the plan, anyway.

Armadillo
12-22-2004, 11:13 PM
Thanks for posting the instructions Wildjoker.

On upgrading php, in phpinfo is a line called "Configure Command". Couldn't that be copied and pasted to set up a newer version of php with the same features that we have now?

The new virus is not supposed to affect 2.0.11 of phpBB, but bortels was hacked anyway. So, just to be safe, I renamed my phpBB directory and made a new directory with an index.php with a holiday greeting.
I'll keep the forum offline over the holidays so I don't have to worry about it.

webbo
12-23-2004, 05:18 AM
I think everyone would appreciate an "official" response from WestHost on this matter. I'm surprised none has been offered so far given that customers have been affected by the vulnerability.

From what I've read the security risk is actually in PHP not PHPBB itself so whilst WH may have made some changes to the bundled PHPBB installation (don't recall myself) there's nothing to say customers won't be affected in the future with other security issues that exploit the same flaw.

I've tried removing PHP from a VPS account before and manually installing PHP 4.3.10 but you can only compile (configure) PHP with basic libraries. For example, a phpinfo() on my existing 4.3.0 installation shows that I have access to PDFLib libraries. I couldn't enable these in a new installation.

In the end I gave up because of all the additional libraries that were needed.

C'mon WH - PHP 4.3.10 is out now, I know it's easier said than done, but I'm sure you guys can pull it off :D

philburns
12-24-2004, 07:38 PM
And meanwhile, while I was tucked up in bed with flu my website slowly vanished too :(

wildjokerdesign
12-26-2004, 12:41 PM
If you are reading this thread you may also check out a post by me titled Keep an eye on your Bandwidth Usage.

It should be pretty close to the top of this forum.