[Imc-web] {Disarmed} Fwd: [Security announcements] SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating

David Gehrig dgehrig at ncsa.uiuc.edu
Wed Oct 17 15:57:14 CDT 2007


Folks -- could this affect our site?

@%<

Begin forwarded message:

> From: noreply at drupal.org
> Date: October 17, 2007 3:12:10 PM CDT
> To: dgehrig at ncsa.uiuc.edu
> Subject: [Security announcements] SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating
> Reply-To: noreply at drupal.org
>
>
> ------------SA-2007-023 - PUBLIC SERVICE ANNOUNCEMENT: PHP EXPLOIT USING DRUPAL CIRCULATING------------
>
>  * Advisory ID: SA-2007-023
>
>  * Project: PHP
>
>  * Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
>
>  * Date: 2007-October-17
>
>  * Security risk: Critical
>
>  * Exploitable from: Remote
>
>  * Vulnerability: unset() hash / index collision exploit using Drupal
>
> ------------DESCRIPTION------------
>
> The PHP unset() Hash / Index collision vulnerability
> [ http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html ]
> causes the unset() [ http://www.php.net/unset ] statement to fail in certain
> circumstances.
>
> Drupal uses the unset statement to eliminate all non-whitelisted global
> variables when the option "register_globals
> [ http://www.php.net/register_globals ]" is enabled for your PHP installation.
> As unset() can be caused to fail on vulnerable versions of PHP, arbitrary
> global variables can be created. This can easily lead to the execution of
> arbitrary PHP code with a specially crafted URL, similar to the one shown
> below, that causes the menu system to call the PHP evaluator with arbitrary
> code:
>
> http://example.com?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1/%3C?phpinfo();
>
> An exploit for this is widely circulating. The attack will not work when
> "register_globals" is set to off.
>
> The issue is not limited to installations with "register_globals" set to on.
> unset() is used in other parts of the codebase where a bypass /may/ result in
> unintended actions that /may/ compromise your security.
>
> ------------VERSIONS AFFECTED------------
>
>  * PHP 4 before version 4.4.3.
>
>  * PHP 5 before version 5.1.4.
>
> ------------SOLUTION------------
>
> Upgrade to the latest version of PHP:
>
>  * When using PHP 4 upgrade to PHP 4.4.7.
>
>  * When using PHP 5 upgrade to PHP 5.2.4.
>
> Always apply the latest security patches to your server components.
> You may need to review your server management strategy if you are still
> running a vulnerable PHP version.
>
> ------------CONTACT------------
>
> The security contact for Drupal can be reached at security at drupal.org or
> via the form at [ http://drupal.org/contact ].
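
A log check for the request shape shown in the advisory's example URL, as an added example that is not part of the original message or of Drupal's code. The log format (Apache common/combined), the indicator names and the sample entries are assumptions constructed here; integer parameter names also occur in legitimate traffic, so that indicator alone is only a hint.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: client ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
INT_NAME_RE = re.compile(r'-?\d+')

def indicators(target):
    """Return sorted indicator names for one request target (path?query)."""
    found = set()
    # parse_qsl percent-decodes names and values, so %5B / %3C forms match too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split('[', 1)[0]
        if base == '_menu':                # _menu[...] parameter, as in the advisory URL
            found.add('menu-global-override')
        if INT_NAME_RE.fullmatch(base):    # integer parameter name, as in the advisory URL
            found.add('integer-parameter-name')
        if base == 'q' and '<?' in value:  # PHP open tag inside the q parameter
            found.add('php-tag-in-q')
    return sorted(found)

def scan(lines):
    """Return [(line_no, client, indicators)] for entries with any indicator."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and (found := indicators(m.group(2))):
            hits.append((line_no, m.group(1), found))
    return hits

# Constructed sample entries (documentation IP ranges); entry 2 reuses the
# query string printed in the advisory, entry 4 is a percent-encoded variant.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2007:15:01:02 -0500] "GET /?q=node/12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Oct/2007:15:02:10 -0500] "GET /?_menu[callbacks][1][callback]'
    '=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1/%3C?phpinfo(); HTTP/1.0" 200 4096',
    '192.0.2.44 - - [17/Oct/2007:15:03:31 -0500] "GET /?page=2&q=taxonomy/term/5 HTTP/1.1" 200 812',
    '203.0.113.9 - - [17/Oct/2007:15:04:05 -0500] "GET /index.php?_menu%5Bitems%5D%5B%5D'
    '%5Btype%5D=-1&q=1 HTTP/1.1" 200 733',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```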
