PHP Vulnerability Notification
Greg Rundlett
greg at freephile.com
Fri Dec 24 01:27:01 EST 2004
Ted Roche wrote:
> On Dec 23, 2004, at 12:11 PM, Jonathan Linowes wrote:
>
>>> If you currently use PHP (versions prior to 4.3.10), you may be
>>> susceptible
>>

I notified Pair Networks of this vulnerability, and at first they passed
the buck saying that it didn't affect them as it was only applications
that didn't properly check user input. This made me a bit ticked off.
They later realized that what I was pointing out was a more systemic
issue and that cracks are being published to exploit this
vulnerability. They have since upgraded all servers.

As this current vulnerability is at the language level, many highly
respected applications and libraries are vulnerable, from PEAR code
(uh, from the guys who write PHP) to phpBB and more. Basically, any
application that uses sessions is probably also serializing and
unserializing data (that hopefully gets encrypted) and stored in a
cookie. Since the cookie might not be encrypted, it can be cracked and
the user can exploit this vulnerability.

I strongly suggest that people who can upgrade PHP to version 4.3.10 do
so. If not, then upgrade applications that have released patches. If
you can't upgrade PHP, nor your code, then you have a problem waiting to
happen.
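
The message above describes serialized data travelling in a cookie the client can alter. The following is an added example, not part of the original post or of any project it names: it shows one way to reject an altered cookie before `unserialize()` ever parses it. It assumes PHP 7 or later (for `hash_equals()` and the `allowed_classes` option); `SECRET_KEY`, `seal_cookie()` and `open_cookie()` are hypothetical names, and the sample values are constructed.

```php
<?php
// Added example: authenticate a serialized cookie before unserialize() parses it.
// Hypothetical names: SECRET_KEY, seal_cookie(), open_cookie().

// Assumption: in a real deployment the key comes from server-side configuration.
const SECRET_KEY = 'constructed-demo-key-replace-me';

// Serialize the data and append an HMAC so the server can detect any change.
function seal_cookie(array $data): string
{
    $payload = base64_encode(serialize($data));
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

// Return the data only if the HMAC matches; otherwise return null
// without handing the client-supplied bytes to unserialize().
function open_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null; // malformed: no MAC present
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // payload or MAC was modified by the client
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false keeps unserialize() from instantiating objects.
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample: a cookie issued by the server round-trips intact.
$cookie = seal_cookie(['user' => 'alice', 'role' => 'member']);
var_dump(open_cookie($cookie));

// Constructed sample: the client swaps the payload but cannot recompute the
// MAC without the key, so the cookie is rejected before deserialization.
[, $mac] = explode('.', $cookie, 2);
$altered = base64_encode(serialize(['user' => 'alice', 'role' => 'admin'])) . '.' . $mac;
var_dump(open_cookie($altered));
```

This check limits what reaches `unserialize()`; it does not replace upgrading an affected PHP version.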