Full Disclosure mailing list archives

Re: Critical PHP bug - act ASAP if you are running web with sensitive data


From: nocfed <nocfed () gmail com>
Date: Wed, 29 Mar 2006 02:40:49 -0600

On 3/29/06, Tõnu Samuel <tonu () jes ee> wrote:

---SNIP---
There is one vector most people do not seem to know. You can telnet to port
80 and say

GET <?php .....

write full script there and include web server log file later. Who knows what
else blackhats can do. Every single hole must be closed.

---END SNIP---

Right, that is a vector that nobody knows about unless they have
common sense.  There were previous bugs with text editor(s) which used
logfiles to push the payload.  Why someone would ever decide to
include parsable logfiles directly into a script is beyond me, and I'm
sure is even beyond the kid that has been tinkering around the crap
known as php, a god awful scripting language, for but a single day.

Are we next going to be told about the little known security flaw of
directly putting user input into a system() call that uses sudo(8)
with no password verification?


I can't speak for other distros, but there's a bug in Gentoo Bugzilla
for this: http://bugs.gentoo.org/127939

Thank you! I think this problem must be fixed in every PHP version, not only
the 5.1 series. They knew about it but never told. That's bad.

   Tõnu

-------------------------------------------------------

Never told?  It was in CVS.  Do you wish for all OSS projects to just
include mailing lists on every bug submitted?  From now on we'll just
all CC full-disclosure on every bugzilla report and CVS submission
that we come across or submit.

By the way, why start a new thread with the same subject?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
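The vector quoted in the thread (PHP code typed into the request line lands verbatim in the web server's access log; a script that include()s a user-supplied path then executes it when pointed at that log) is simulated below. This is an added example, not code from the thread, from the poster, or from PHP itself. The log lines, the log path, the webroot, the page names and the tiny in-memory filesystem are all constructed for the example; the unsafe resolver mirrors the `include($_GET['page'])` pattern the reply derides, and the two hardened resolvers show what a practitioner would replace it with.

```python
"""Log poisoning through a file-include bug, simulated offline (added example)."""
import posixpath
import re

# Constructed Apache combined-format lines. The third one is what the server
# records after "GET <?php ... ?> HTTP/1.0" is typed into a telnet session on
# port 80: the request line is logged as received, so the PHP tags survive.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Mar/2006:02:40:49 -0600] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2006:02:41:02 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Mar/2006:02:41:30 -0600] "GET <?php system($_GET['c']); ?> HTTP/1.0" 400 226 "-" "-"
"""

LOG_PATH = "/var/log/httpd/access_log"   # assumed log location
WEBROOT = "/var/www/pages"               # assumed directory of includable pages
ALLOWED_PAGES = ("home", "about", "contact")  # assumed page names

# Anything the PHP parser of that era would treat as an opening tag:
# "<?php", "<?=", the short "<?" tag, and <script language="php">.
PHP_OPEN_TAG = re.compile(r'<\?|<script\s+language\s*=\s*["\']?php', re.IGNORECASE)
# Code between full PHP tags, i.e. what the engine would actually run.
PHP_CODE = re.compile(r"<\?php\s*(.*?)\s*\?>", re.DOTALL)

# Constructed stand-in for the filesystem after the poisoned request was logged.
FILESYSTEM = {
    LOG_PATH: SAMPLE_ACCESS_LOG,
    posixpath.join(WEBROOT, "about.php"): "<?php echo 'About'; ?>\n<h1>About</h1>",
}


def find_poisoned_lines(log_text):
    """Detection: (line_no, line) for every log entry carrying a PHP open tag."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_OPEN_TAG.search(line)]


def resolve_unsafe(page):
    """Mirrors include($_GET['page']): the client's string is the include path."""
    return page


def resolve_allowlisted(page):
    """Hardened form: a fixed map from short page name to a file under WEBROOT."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not in allowlist: {page!r}")
    return posixpath.join(WEBROOT, page + ".php")


def resolve_under_root(page):
    """Alternative when the page set is not fixed: reject empty names and NUL
    bytes (old PHP truncated paths at NUL, defeating an appended suffix),
    normalise, and require the result to stay under WEBROOT. Note that
    posixpath.join discards WEBROOT when `page` is absolute, which is exactly
    why the prefix check is done on the normalised result, not the input."""
    if not page or "\0" in page:
        raise ValueError("invalid page name")
    candidate = posixpath.normpath(posixpath.join(WEBROOT, page + ".php"))
    if not candidate.startswith(WEBROOT + "/"):
        raise ValueError(f"path escapes webroot: {candidate}")
    return candidate


def executed_code(page_param, resolver, filesystem):
    """Simulate the include: resolve the path and return the PHP statements the
    engine would execute from that file. None means the include was refused."""
    try:
        path = resolver(page_param)
    except ValueError:
        return None
    return PHP_CODE.findall(filesystem.get(path, ""))


if __name__ == "__main__":
    print("poisoned log lines:", [n for n, _ in find_poisoned_lines(SAMPLE_ACCESS_LOG)])
    print("unsafe include of log runs:", executed_code(LOG_PATH, resolve_unsafe, FILESYSTEM))
    print("allowlisted include of log:", executed_code(LOG_PATH, resolve_allowlisted, FILESYSTEM))
    print("traversal under root:", executed_code("../../../var/log/httpd/access_log",
                                                 resolve_under_root, FILESYSTEM))
```

Two things the simulation makes visible: the attacker needs no encoding tricks, because the request line is logged as sent, and the fix is in the script, not in the log format. The allowlist is the stronger of the two resolvers; the prefix check exists for sites whose page set is open-ended and must still guard against absolute paths and NUL truncation.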

