Month of PHP Bugs: 18 holes that need patching
The initiators of the Month of PHP Bugs have already published 34 flaws, three of them only affecting the Zend platform and one the Apache filter module mod_security. Of the 30 flaws found in PHP, 18 of them had not been patched upon publication; some of them are found both in PHP 4 and PHP 5, while others only concern PHP 5.
Among other things, the holes allow arbitrary code to be executed with the rights of the Web server. The exploits published for these holes bind a shell to TCP port 4444. However, specially prepared PHP code is required for most of the holes, which means that attackers must already have access to a Web server. This is a serious problem, for instance, if the Web host offers shared web space, because users then have access to the data of other users.
In addition, attackers could gain shell access to the server in this way; normally, they would only be able to upload data via FTP, but modern PHP shells make this process much easier.
The initiators of MOPB say that it may even be possible to exploit some of the holes remotely. Two of the holes, both in functions that handle session variables, are especially suspect in this respect. Another vulnerability is especially interesting: it allows the unsafe option register_globals to be enabled again. As a result, web applications written in PHP and operated by other users on a server may be vulnerable. For a complete overview of the flaws, including a detailed description and a downloadable exploit, see the home page of the Month of PHP Bugs.
It is not clear when updates will be released for any of the 18 open holes. The initiators of MOPB say that there can be no quick fix for a few of them, as they require very deep patches. They recommend their own solution, Suhosin, which allegedly provides protection from even unknown holes in PHP and its core.
- The Month of PHP Bugs, an overview of all of the flaws found
- The Month of PHP Bugs: intermediate results, report on heise Security