[Imc-web] {Disarmed} Fwd: [Security announcements] SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating

Mike Lehman rebelmike at earthlink.net
Thu Nov 1 09:46:44 CDT 2007


David,
Just digging through my inbox and found this. I don't know about it 
affecting our servers.

However, I suspect that it may be the source of most of the commercial 
spam we receive from such hacked servers, based on following the links 
back to the server they reference. They all seem to be PHP builds of one 
sort or another.
Mike Lehman

David Gehrig wrote:
> Folks -- could this affect our site?
>
> @%<
>
> Begin forwarded message:
>
>> From: noreply at drupal.org
>> Date: October 17, 2007 3:12:10 PM CDT
>> To: dgehrig at ncsa.uiuc.edu
>> Subject: [Security announcements] SA-2007-023 - Public service
>> announcement: PHP exploit using Drupal circulating
>> Reply-To: noreply at drupal.org
>>
>>
>> ------------SA-2007-023 - PUBLIC SERVICE ANNOUNCEMENT: PHP EXPLOIT USING DRUPAL CIRCULATING------------
>>
>>  * Advisory ID: SA-2007-023
>>
>>  * Project: PHP
>>
>>  * Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
>>
>>  * Date: 2007-October-17
>>
>>  * Security risk: Critical
>>
>>  * Exploitable from: Remote
>>
>>  * Vulnerability: unset() hash / index collision exploit using Drupal
>>
>> ------------DESCRIPTION------------
>>
>> The PHP unset() Hash / Index collision vulnerability
>> [ http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html ]
>> causes the unset() [ http://www.php.net/unset ] statement to fail in certain
>> circumstances.
>>
>> Drupal uses the unset statement to eliminate all non-whitelisted global
>> variables when the option "register_globals [ http://www.php.net/register_globals ]"
>> is enabled for your PHP installation. As unset() can be caused to fail on
>> vulnerable versions of PHP, arbitrary global variables can be created. This can
>> easily lead to the execution of arbitrary PHP code with a specially crafted URL,
>> similar to the one shown below, that causes the menu system to call the PHP
>> evaluator with arbitrary code:
>>
>> http://example.com?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1/%3C?phpinfo();
>>
>> An exploit for this is widely circulating. The attack will not work when
>> "register_globals" is set to off.
>>
>> The issue is not limited to installations with "register_globals" set to on.
>> unset() is used in other parts of the codebase where a bypass /may/ result in
>> unintended actions that /may/ compromise your security.
>>
>> ------------VERSIONS AFFECTED------------
>>
>>  * PHP 4 before version 4.4.3.
>>
>>  * PHP 5 before version 5.1.4.
>>
>> ------------SOLUTION------------
>>
>> Upgrade to the latest version of PHP:
>>
>>  * When using PHP 4 upgrade to PHP 4.4.7.
>>
>>  * When using PHP 5 upgrade to PHP 5.2.4.
>>
>> Always apply the latest security patches to your server components.
>> You may need to review your server management strategy if you are still running
>> a vulnerable PHP version.
>>
>> ------------CONTACT------------
>>
>> The security contact for Drupal can be reached at security at drupal.org or via
>> the form at [ http://drupal.org/contact ].
>   
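
Added example, not part of the original thread or of the Drupal advisory: one way to answer "could this affect our site?" from the defender's side is to scan web server access logs for requests shaped like the URL in the advisory, that is, query parameters named `_menu[...]` or parameters whose name is a bare integer. The log format, the function names and the sample lines are assumptions made for illustration, and the integer-name check is a heuristic that can also match benign requests.

```python
import re
from urllib.parse import parse_qsl

# Request target inside an Apache-style access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Bare integer parameter names, like the -813992032 key in the advisory URL.
INT_NAME_RE = re.compile(r"^-?\d+$")

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2007:15:12:10 -0500] "GET /?q=node/12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Oct/2007:15:13:02 -0500] "GET /?_menu[callbacks][1][callback]'
    '=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [17/Oct/2007:15:13:09 -0500] "GET /index.php?_menu%5Bcallbacks%5D'
    '%5B1%5D%5Bcallback%5D=drupal_eval&-813992032=1 HTTP/1.1" 200 812',
    '192.0.2.44 - - [17/Oct/2007:15:14:30 -0500] "GET /?q=search&page=2 HTTP/1.1" 200 944',
]


def suspicious_params(target):
    """Return the reasons a request target resembles the SA-2007-023 URL."""
    reasons = []
    query = target.partition("?")[2]
    # parse_qsl percent-decodes names, so %5B / %5D forms are caught too.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name == "_menu" or name.startswith("_menu["):
            reasons.append("request sets _menu variable: " + name)
        if INT_NAME_RE.match(name):
            reasons.append("bare integer parameter name: " + name)
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every log line that matches."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = suspicious_params(match.group(1)) if match else []
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

A hit only shows that a request of this shape arrived; whether the server was exposed still depends on the PHP version and the "register_globals" setting named in the advisory.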


