Advisories say all versions of software vulnerable to memory bugs
vnunet.com, 28 Feb 2002
Website administrators using the popular PHP scripting software were warned yesterday to upgrade their systems to quash a number of "critical" security holes.
According to advisories from PHP.net, all versions of the software are vulnerable to memory allocation bugs in file upload support, that could allow a hacker to gain control of web servers using the software.
Currently, the finer details of the vulnerabilities have been kept under wraps in a bid to delay the appearance of exploit scripts on the hacker underground.
But it is thought that at least one tool may currently be in circulation that is capable of cracking a PHP server, although it may not be in widespread use yet.
An advisory from Internet Security Systems X-Force reads: "X-Force has verified that a functional exploit for one of the vulnerabilities exists and may be actively circulating in the computer underground."
The security firm also warned that the vulnerability could have a significant impact on the web.
Netcraft reports that as of January 2002, there are over 20.8 million active Apache installations, which account for 57 per cent of sites surveyed.
Meanwhile, Secure Space reports that PHP is the most popular Apache module available, with over 1.44 million active installations.
PHP is widely used as a website engine but is also offered as a service by many hosting companies, so many of those at risk may not be aware of the threat.
However, Johannes Ullrich of the Sans Institute said he had seen the exploit code and noted that it was buggy and often ineffective.
"Exploit or hoax? I was not quite able to get it to work..." Ullrich did manage to access one server and crash another.
"This exploit may be very sensitive to particular Apache/PHP configurations," he said, but "upgrading to PHP 4.1.1 appears to be the safe bet at this point."
More info is available at PHP.net. The Sans advisory is available here, and the ISS advisory is available here.
It has also been noted by Hackinthebox.org that a quick fix, without upgrading, is to turn off 'File_Uploads' in your PHP.ini file.
14.35 MBComputing podcast - Next-generation broadband Britain; and we report from Gartner's IT security summit More...
MoD admits to losing a hard drive containing up to... More...
Credit crunch sending shoppers online for cheaper presents More...
Mobile penetration rates expected to reach 95 per cent by... More...
Millions wasted on searching through clutter, says analyst More...
Do you agree?
Have your say on this article