PHP vulnerability and workaround

  • djn
    Senior Member
    • Mar 2004
    • 140

    PHP vulnerability and workaround

    Hello all.

    Php.net just published bad news: there is a vulnerability in the PHP interpreter that allows anybody to get the source code of any PHP page just by adding ?-s to any URL. This affects PHP 5.2, 5.3 and 5.4 when run as CGI - as is the case at Dathorn.

    New, patched versions of PHP have been released for the 5.3 and 5.4 series. No patched version is available for 5.2, which is the default around here, and I believe there is none coming soon.

    You can (and really should) stop your source code from being displayed by putting these lines in your .htaccess file:

    Code:
    <IfModule mod_rewrite.c>
    	RewriteEngine on
    	# Query string starts with "-" (or %2d) and has no "=": drop the query string
    	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    	RewriteRule ^(.*) $1? [L]
    </IfModule>
  • djn
    Senior Member
    • Mar 2004
    • 140

    #2
    Oh, here we go again. The folks at php-security.net are saying that the above rules might not be enough to prevent the trick. They do put forward a new set. I've opted for a 'belt and suspenders' strategy and put both sets into all my PHP sites.

    This is what I'm currently using:
    Code:
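    <IfModule mod_rewrite.c>
    	RewriteEngine on
    	# First set: query string starts with "-" (or %2d) and has no "=": drop the query string
    	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    	RewriteRule ^(.*) $1? [L]
    	# Second set: query string has no "=" but contains "-" (or %2d): answer 403 Forbidden
    	RewriteCond %{QUERY_STRING} ^[^=]*$
    	RewriteCond %{QUERY_STRING} %2d|\- [NC]
    	RewriteRule .? - [F,L]
    </IfModule>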


    • AndrewT
      Administrator
      • Mar 2004
      • 3653

      #3
      Only some CGI implementations are vulnerable. Our investigation has not shown Apache with suphp to be vulnerable nor LiteSpeed's LSAPI with suexec, which is what we currently utilize. I've spoken to djn privately and he confirmed this as well. His concerns stemmed from sites hosted with other providers that were vulnerable.

      As always, we're continuing to monitor the situation and will be deploying the patched PHP 5.3 once it is available merely out of an abundance of caution. 5.3.12 does not sufficiently address this issue.

      Comment
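To see which requests the combined rules in post #2 act on, the following added example (not part of any post in this thread) transcribes the three RewriteCond patterns into Python regexes and evaluates them against constructed query strings. The names `evaluate` and `report` and the sample strings are assumptions for illustration; the code models only the pattern matching, not Apache itself.

```python
import re

# The RewriteCond patterns from post #2, transcribed as Python regexes.
# Apache matches them against the raw (still percent-encoded) query string;
# the [NC] flag corresponds to re.IGNORECASE.
SET1 = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)    # first set
SET2_NO_EQUALS = re.compile(r"^[^=]*$")                 # second set, condition 1
SET2_HAS_DASH = re.compile(r"%2d|\-", re.IGNORECASE)    # second set, condition 2


def evaluate(query_string):
    """Return 'strip', 'forbid' or 'pass' for the combined rules, in file order."""
    if SET1.search(query_string):
        return "strip"     # RewriteRule ^(.*) $1? [L]  -> query string removed
    if SET2_NO_EQUALS.search(query_string) and SET2_HAS_DASH.search(query_string):
        return "forbid"    # RewriteRule .? - [F,L]     -> 403 Forbidden
    return "pass"          # no rule matched; request is served unchanged


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "-s",                # the case named in the first post
    "%2Ds",              # same, dash percent-encoded with upper-case hex
    "id=5&sort=-date",   # ordinary key=value query that happens to contain a dash
    "my-article-slug",   # legitimate query with a dash and no '='
    "",                  # no query string at all
]


def report(samples=SAMPLES):
    """Map each sample query string to the action the rules would take."""
    return {qs: evaluate(qs) for qs in samples}


if __name__ == "__main__":
    for qs, verdict in report().items():
        print(f"{qs!r:22} -> {verdict}")
```

The second set answers 403 for any query string that contains a dash and no `=`, so a site whose own URLs look like that should be checked for breakage after adding it.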