[Imc-web] {Disarmed} Fwd: [Security announcements] SA-2007-023 -
Public service announcement: PHP exploit using Drupal circulating
David Gehrig
dgehrig at ncsa.uiuc.edu
Wed Oct 17 15:57:14 CDT 2007
Folks -- could this affect our site?
@%<
Begin forwarded message:
> From: noreply at drupal.org
> Date: October 17, 2007 3:12:10 PM CDT
> To: dgehrig at ncsa.uiuc.edu
> Subject: [Security announcements] SA-2007-023 - Public service
> announcement: PHP exploit using Drupal circulating
> Reply-To: noreply at drupal.org
>
>
> ------------SA-2007-023 - PUBLIC SERVICE ANNOUNCEMENT: PHP EXPLOIT USING DRUPAL CIRCULATING ------------
>
> * Advisory ID: SA-2007-023
>
> * Project: PHP
>
> * Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
>
> * Date: 2007-October-17
>
> * Security risk: Critical
>
> * Exploitable from: Remote
>
> * Vulnerability: unset() hash / index collision exploit using Drupal
>
> ------------DESCRIPTION------------
>
> The PHP unset() Hash / Index collision vulnerability
> [ http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html ]
> causes the unset() [ http://www.php.net/unset ] statement to fail in certain
> circumstances.
>
> Drupal uses the unset statement to eliminate all non-whitelisted global
> variables when the option "register_globals
> [ http://www.php.net/register_globals ]" is enabled for your PHP installation.
> As unset() can be caused to fail on vulnerable versions of PHP, arbitrary
> global variables can be created. This can easily lead to the execution of
> arbitrary PHP code with a specially crafted URL, similar to the one shown
> below, that causes the menu system to call the PHP evaluator with arbitrary
> code:
>
> http://example.com?_menu[callbacks][1][callback]=drupal_eval&_menu
> [items][][type]=-1&-813992032=1&q=1/%3C?phpinfo();
>
> An exploit for this is widely circulating. The attack will not work when
> "register_globals" is set to off.
>
> The issue is not limited to installations with "register_globals" set to on.
> unset() is used in other parts of the codebase where a bypass /may/ result in
> unintended actions that /may/ compromise your security.
>
> ------------VERSIONS AFFECTED------------
>
> * PHP 4 before version 4.4.3.
>
> * PHP 5 before version 5.1.4.
>
> ------------SOLUTION------------
>
> Upgrade to the latest version of PHP:
>
> * When using PHP 4 upgrade to PHP 4.4.7.
>
> * When using PHP 5 upgrade to PHP 5.2.4.
>
> Always apply the latest security patches to your server components.
> You may need to review your server management strategy if you are still
> running a vulnerable PHP version.
>
> ------------CONTACT------------
>
> The security contact for Drupal can be reached at security at drupal.org or
> via the form at [ http://drupal.org/contact ].
>
>
>
> --
> Unsubscribe from this newsletter: http://drupal.org/newsletter/
> confirm/remove/64ef35182b6289t44
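
One way to check web server logs for requests shaped like the advisory's sample URL, as an added example that is not part of the advisory or of the forwarded message. The log lines are constructed, and the three heuristics (the `_menu` name list, integer-only parameter names, the `drupal_eval` value) are assumptions drawn from that one URL.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not real traffic). Line 2 reuses parameter
# names from the advisory's sample URL; line 4 is a percent-encoded variant.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2007:15:01:02 -0500] "GET /?q=node/12 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [17/Oct/2007:15:03:40 -0500] "GET /?_menu[callbacks][1][callback]'
    '=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1 HTTP/1.1" 200 48211',
    '192.0.2.10 - - [17/Oct/2007:15:04:11 -0500] "GET /?q=admin/build/menu&page=2 HTTP/1.1" 403 312',
    '192.0.2.91 - - [17/Oct/2007:15:09:59 -0500] "GET /index.php?%5Fmenu%5Bitems%5D'
    '%5B%5D%5Btype%5D=-1&1234=1 HTTP/1.1" 200 901',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: globals that must never arrive as request parameters. Only
# _menu comes from the advisory; extend the set for your own code base.
INTERNAL_GLOBALS = {"_menu"}
INT_NAME_RE = re.compile(r"-?\d+")


def suspicious_params(target):
    """Return the reasons a request target resembles the advisory's URL."""
    reasons = set()
    # parse_qsl percent-decodes names, so encoded variants are caught too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split("[", 1)[0]  # PHP maps a[b][c]=x onto the array $a
        if base in INTERNAL_GLOBALS:
            reasons.add(f"sets internal global ${base}")
        if INT_NAME_RE.fullmatch(name):  # heuristic: may hit legitimate apps
            reasons.add(f"integer parameter name {name}")
        if value == "drupal_eval":
            reasons.add("passes drupal_eval as a value")
    return sorted(reasons)


def scan(lines):
    """Return (line number, reasons) for every log line that is flagged."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = suspicious_params(match.group(1)) if match else []
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

A hit shows only that such a request was received; whether it could have had any effect depends on the PHP version and the "register_globals" setting named in the advisory.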