Thread: PHP vulnerability and workaround

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    140

    PHP vulnerability and workaround

    Hello all.

    PHP.net just published bad news: there is a vulnerability in the PHP interpreter that allows anybody to get the source code of any PHP page just by adding ?-s to any URL. This affects PHP 5.2, 5.3 and 5.4 when run as CGI - as is the case at Dathorn.

    New, patched versions of PHP have been released for the 5.3 and 5.4 series. No patched version is available for 5.2, which is the default around here, and I believe there is none coming soon.

    You can (and really should) stop your source code from being displayed by putting these lines in your .htaccess file:

    Code:
    <IfModule mod_rewrite.c>
    	RewriteEngine on
    	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    	RewriteRule ^(.*) $1? [L]
    </IfModule>

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    140

    Oh, here we go again. The folks at php-security.net are saying that the above rules might not be enough to prevent the trick. They do put forward a new set. I've opted for a 'belt and suspenders' strategy and put both sets into all my PHP sites.

    This is what I'm currently using:
    Code:
    <IfModule mod_rewrite.c>
    	RewriteEngine on
    	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    	RewriteRule ^(.*) $1? [L]
    	RewriteCond %{QUERY_STRING} ^[^=]*$
    	RewriteCond %{QUERY_STRING} %2d|\- [NC]
    	RewriteRule .? - [F,L]
    </IfModule>
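
As an added example (not part of the original posts), this Python sketch applies the query-string patterns from the two rule sets in post #2 to constructed sample query strings and reports which rule fires. It assumes mod_rewrite matches the raw, undecoded query string and ANDs consecutive RewriteCond lines; the function names and samples are illustrative.

```python
import re

# Patterns copied from the RewriteCond lines in the thread.
# [NC] in mod_rewrite means case-insensitive matching.
SET1 = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)
SET2_NO_EQUALS = re.compile(r"^[^=]*$")
SET2_HAS_DASH = re.compile(r"%2d|\-", re.IGNORECASE)


def evaluate(query_string):
    """Return what the combined rules from post #2 do with a raw query string.

    'strip'  -> first rule fires: RewriteRule ^(.*) $1? drops the query string
    'forbid' -> second rule fires: RewriteRule .? - [F,L] answers 403
    'pass'   -> no condition set matches; the request is left untouched
    """
    if SET1.search(query_string):
        return "strip"
    # Consecutive RewriteCond lines are ANDed: no '=' anywhere AND a dash anywhere.
    if SET2_NO_EQUALS.search(query_string) and SET2_HAS_DASH.search(query_string):
        return "forbid"
    return "pass"


# Constructed sample query strings (the text after '?' in the URL).
SAMPLES = [
    "-s",               # the form named in post #1
    "%2Ds",             # same with the dash percent-encoded, upper-case hex
    "page-2",           # harmless bare query string with a dash in the middle
    "id=5&sort=-date",  # ordinary key=value parameters containing a dash
    "",                 # no query string at all
]


def report(samples=SAMPLES):
    """Map each sample query string to the action the rules take."""
    return {qs: evaluate(qs) for qs in samples}


if __name__ == "__main__":
    for qs, action in report().items():
        print(f"{qs!r:22} -> {action}")
```

The second rule set also returns 403 for a harmless bare query string such as `page-2`, so check whether a site uses links of that form before deploying it.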

  3. #3
    Administrator AndrewT
    Join Date
    Mar 2004
    Location
    Tulsa, OK
    Posts
    3,635

    Only some CGI implementations are vulnerable. Our investigation has not shown Apache with suphp to be vulnerable nor LiteSpeed's LSAPI with suexec, which is what we currently utilize. I've spoken to djn privately and he confirmed this as well. His concerns stemmed from sites hosted with other providers that were vulnerable.

    As always, we're continuing to monitor the situation and will be deploying the patched PHP 5.3 once it is available merely out of an abundance of caution. 5.3.12 does not sufficiently address this issue.
