Author Topic: PHP security warning

Offline Norv

PHP security warning
« on: May 05, 2012, 04:20:16 PM »
All,

A serious security vulnerability has recently been discovered in PHP, affecting all versions released in the last 8 years. The vulnerability has nothing to do with SMF and cannot be addressed by us, because the forum code doesn't even get executed. It can only be patched or mitigated at server level. However, we are bringing it to your attention because it's critical (remote code execution), so that you can test whether your site is affected (hopefully not) and, if necessary, notify your host and try to mitigate it.

The issue is reported on a very particular configuration, PHP run as a CGI script (not FastCGI) on Apache, which is rather unusual these days. If your host is running it, however, then it is possible that arbitrary code can be executed, compromising your sites. This does NOT apply to the most common PHP setups these days (PHP run by mod_php or FastCGI is NOT affected), so it is possible you are not affected. We would advise, however, testing whether your site is vulnerable and taking measures in that case.

How to test if your sites are vulnerable: (please see this link)
Add ?-s at the end of any URL of a PHP script, like: yoursite/index.php?-s
If you see PHP code, your PHP is vulnerable.
If you see your page normally, your site is not affected.

How to mitigate the issue:
If your site is affected, and you have mod_rewrite available and enabled in Apache, then please add to .htaccess the rewrite rule:
Code:
RewriteEngine on

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

Also, if you can verify the issue is happening for your site, please do notify your host immediately, including a link to the issue.
They can do one or all of the following: change their configuration, apply the .htaccess patch to all sites, and, when the PHP issue is fixed, upgrade their PHP installation.


Please find here the current (already outdated) official report from PHP:
http://www.php.net/archive/2012.php#id2012-05-03-1
Note in addition that the new versions released at the time of this post are still vulnerable: the release of PHP 5.3.12 and 5.4.2 was rushed by the accidental disclosure of the bug report they were working on, and the patch is still faulty. The code committed to GitHub for PHP 5.3.12 is clearly buggy, and I'd expect PHP to release another patch any time now. When they do, it is highly recommended that servers running this kind of configuration upgrade their PHP or change this configuration altogether.
To-do lists are for deferral. The more things you write down the later they're done… until you have 100s of lists of things you don't do.
File a security report | Developers' Blog | Bug Tracker

Also known as Norv on D* | Norv N. on G+ | Norv on Github

Offline Looking

Re: PHP security warning
« Reply #1 on: May 05, 2012, 04:22:32 PM »
Thanks for informing us.

Offline Kryzen

Re: PHP security warning
« Reply #2 on: May 05, 2012, 04:28:38 PM »
Thank you for the notice :)

Offline tumbleweed

Re: PHP security warning
« Reply #3 on: May 05, 2012, 04:44:02 PM »
If you are running a cPanel server this issue was fixed more than two years ago:
http://forums.cpanel.net/f185/php-5-3-12-security-vulnerability-patch-275011.html
G.C. SOLUTIONS - Hosting Quality Sites Since 2006. Experience Your Forums On A Whole New Level
Build Your Own Virtual Data Center. Low Entry Cost - Free 14 DayTrail.
Reviews By SMF Forum Owners - Read Our Reviews Here At SMF

Offline NanoSector

Re: PHP security warning
« Reply #4 on: May 05, 2012, 05:49:58 PM »
Seems like Facebook may have some issues sooner or later..
Thanks for informing.
My Mods / Mod Builder - A tool to easily create mods / Support team member / Website - Help us test SMF 2.1!
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Offline Burridge

Re: PHP security warning
« Reply #5 on: May 05, 2012, 05:51:13 PM »
Thanks for the warning!

Offline Arantor

Re: PHP security warning
« Reply #6 on: May 05, 2012, 06:16:46 PM »
> Seems like Facebook may have some issues sooner or later..
> Thanks for informing.

Or not, seeing how they actually don't run standard PHP but compiled PHP, and in fact going to a certain URL to attempt to exploit this will suggest you visit their hiring pages.
And his eyes have all the seeming of a demon's that is dreaming,
And the lamp-light o'er him streaming throws his shadow on the floor


Before you send me a PM for support...

Offline NanoSector

Re: PHP security warning
« Reply #7 on: May 05, 2012, 06:24:10 PM »
>> Seems like Facebook may have some issues sooner or later..
>> Thanks for informing.
>
> Or not, seeing how they actually don't run standard PHP but compiled PHP, and in fact going to a certain URL to attempt to exploit this will suggest you visit their hiring pages.
Still, who knows what this exploit may do. I'm not an expert in PHP security, so what do I know..

Offline SleePy

Re: PHP security warning
« Reply #8 on: May 05, 2012, 06:36:22 PM »
Only those using CGI (not even FastCGI) are affected, and it seems to mainly be pointed out on Apache systems. If it's patched in cPanel, that also helps. So the scope of the attack is small. But that won't stop new bot scripts from trying something new now.

But it's important for people to know in case they are vulnerable to this.
Jeremy D — Site Team / SMF Developer
Support the SMF Support team!
Profiles:
GitHub
G+

Offline Norv

Re: PHP security warning
« Reply #9 on: May 05, 2012, 06:49:44 PM »
Yoshi, I think Facebook were joking. (this time). Obviously these days sites have started to get hits for that query string.

Actually, we could do something too, Sleepy. ;)
« Last Edit: May 05, 2012, 07:01:21 PM by N. N. »

Offline NanoSector

Re: PHP security warning
« Reply #10 on: May 05, 2012, 07:10:14 PM »
> Yoshi, I think Facebook were joking. (this time).
Yay, great joke at a great time.[/sarcasm]

Offline SleePy

Re: PHP security warning
« Reply #11 on: May 05, 2012, 07:21:25 PM »
Norv, you mean:
Code: (Nginx)
if ($args ~ ^\+?(%2d|-)[^=]+$)
{
    return 402;
}
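An added example, not code from the original posts or from SMF: it models in Python why a query string without "=" reaches php-cgi as command-line arguments (RFC 3875 section 4.4), and which query strings the .htaccess rule from the opening post and the nginx rule above would refuse. The regular expressions are copied from the two rules; the sample query strings are constructed.

```python
import re
from urllib.parse import unquote

# RFC 3875 section 4.4: when QUERY_STRING contains no unencoded '=', the web
# server splits it on '+', percent-decodes each piece and hands the pieces to
# the CGI program as command-line arguments. That is the path by which "?-s"
# reached php-cgi as its "-s" (show source) option.
def cgi_argv(query_string: str) -> list[str]:
    if "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]

# Mirror of the .htaccess rule from the opening post. Apache matches both
# RewriteConds against the raw (still percent-encoded) query string, which is
# why the pattern lists "%2d" next to "-"; [NC] makes the match case-insensitive.
APACHE_NO_EQUALS = re.compile(r"^[^=]*$")
APACHE_DASH = re.compile(r"%2d|-", re.IGNORECASE)

def apache_rule_blocks(query_string: str) -> bool:
    return bool(APACHE_NO_EQUALS.match(query_string)) and bool(APACHE_DASH.search(query_string))

# Mirror of the nginx rule from reply #11. nginx's "~" operator is
# case-sensitive, and this pattern only matches a dash at the very start of
# $args (after an optional '+'), so it is narrower than the Apache rule.
NGINX_RULE = re.compile(r"^\+?(%2d|-)[^=]+$")

def nginx_rule_blocks(query_string: str) -> bool:
    return bool(NGINX_RULE.match(query_string))

def evaluate(query_string: str) -> dict:
    """What a CGI server would pass as argv, and whether each rule refuses the request."""
    return {
        "argv": cgi_argv(query_string),
        "apache_blocks": apache_rule_blocks(query_string),
        "nginx_blocks": nginx_rule_blocks(query_string),
    }

if __name__ == "__main__":
    # Constructed samples: the "-s" probe from the post, its encoded form, the
    # "%20-s" variant asked about in reply #12, and ordinary SMF parameters.
    for qs in ["-s", "%2ds", "%20-s", "topic=12.0", "action=search", ""]:
        print(f"?{qs!r:<14} -> {evaluate(qs)}")
```

Because the Apache rule fires on any "="-less query string that contains a dash, a site that legitimately uses such query strings (for example a pretty URL like ?some-page) would also get a 403 from it.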

Offline TheMortician4

Re: PHP security warning
« Reply #12 on: May 05, 2012, 07:31:24 PM »
For my site: http://www.bbiclan.com/forum/index.php?%20-s, I see everything until the bottom of the shout-box which is just below the ribbon. Am I vulnerable?

Offline NanoSector

Re: PHP security warning
« Reply #13 on: May 05, 2012, 07:33:03 PM »
> For my site: http://www.bbiclan.com/forum/index.php?%20-s, I see everything until the bottom of the shout-box which is just below the ribbon. Am I vulnerable?
No, you aren't vulnerable.
http://www.bbiclan.com/forum/index.php?-s

doesn't return the source code.
My Mods / Mod Builder - A tool to easily create mods / Support team member / Website - Help us test SMF 2.1!
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Offline TheMortician4

Re: PHP security warning
« Reply #14 on: May 05, 2012, 07:35:16 PM »
>> For my site: http://www.bbiclan.com/forum/index.php?%20-s, I see everything until the bottom of the shout-box which is just below the ribbon. Am I vulnerable?
> No, you aren't vulnerable.
> http://www.bbiclan.com/forum/index.php?-s
>
> doesn't return the source code.

Awesome thank you for responding so quickly...!!!!

Offline samozin

Re: PHP security warning
« Reply #15 on: May 05, 2012, 08:41:47 PM »
Awesome thank you

Offline gisfreak

Re: PHP security warning
« Reply #16 on: May 07, 2012, 02:47:25 AM »
Just saw similar threads on another forum, and just tested my server, it's SAFE, nice.

Me fail English? That’s unpossible.

Offline choloman05

Re: PHP security warning
« Reply #17 on: May 07, 2012, 08:18:45 PM »
Thanks!

Offline john256

Re: PHP security warning
« Reply #18 on: May 08, 2012, 07:08:50 AM »
Thanks for notifying :)

Offline Sverre

Re: PHP security warning
« Reply #19 on: May 08, 2012, 07:59:40 AM »
Thanks for the heads-up! Luckily, both hosts I use seem to be safe from this vulnerability.