News Archive - security

Here are the most important news items we have tagged with "security" on PHP.net.


PHP Security Update - Windows Version

Following up from the previous announcement, PHP 4.1.2 has been released for Windows. The delayed release is due to the fix of a further security issue that relates only to the PHP for Windows version. More information on this change can be found here. All users of PHP on Windows are encouraged to upgrade to the latest version.



A Note on Security in PHP

The PHP Development Team has issued an important statement that deals with the security of PHP, and of PHP-based applications. The trigger for releasing this statement was the growing misconception in the PHP community regarding recent security problems, which exploited bugs in PHP applications, rather than bugs in PHP itself. It's a recommended read for anybody using PHP.


PHP West Security Conference in Vancouver, BC

Open Source Events is hosting their second conference on June 11th, 2005 in Vancouver, British Columbia. The conference will focus on PHP and Open Source Security. Featured talks will be presented by Bruce Perens, Chris Shiflett, Christian Wenz, Tom Robinson and Chris Hubbard.

The conference is a single-day, one-track event; with the purchase of a ticket, attendees receive a free t-shirt, lunch, and access to the full day of talks. A number of free prizes will be given away at the closing ceremonies.


PHP Security Consortium

An international group of PHP experts today announced the official launch of the PHP Security Consortium (PHPSC), a group whose mission is to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.

Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards. In addition to their educational efforts, the PHPSC engages in exploratory and experimental research in order to develop and promote standards of best practice for PHP application development.


php.net security notice

The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.

We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.


PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

    # Condition 1: no '=' anywhere in the query string. A query string without an
    # unencoded '=' is what the CGI interface hands to php-cgi as command-line
    # arguments (RFC 3875), which is the path the CGI flaw goes through.
    RewriteCond %{QUERY_STRING} ^[^=]*$
    # Condition 2: it contains a '-', either literal or URL-encoded as %2d
    # ([NC] makes the match case-insensitive, so %2D is caught as well).
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    # Both conditions hold: answer 403 Forbidden and stop processing rules.
    RewriteRule .? - [F,L]
    
Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.
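The same check mirrored in POSIX sh, as an added example that is not part of the php.net announcement. `reject_query` applies exactly the two conditions of the rewrite rule above. `reject_query_strict` is one possible way to "adjust your regex" for the ?top-40 case: it assumes, as RFC 3875 specifies, that an '='-free query string reaches the CGI as '+'-separated, URL-decoded arguments, and that only an argument beginning with '-' can be read by php-cgi as an option, so a dash in the middle of a word is let through. `unsafe_wrapper` and `safe_wrapper` are hypothetical stand-ins for the cgiwrapper scripts mentioned earlier (they only count arguments instead of exec'ing php-cgi) and show what an unquoted `$*` does to arguments that `"$@"` would forward intact. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the php.net announcement. Exit status 0 from the
# reject_* functions means "refuse this request with 403".

# Mirror of the mod_rewrite rule: reject when the query string contains no
# '=' and does contain '-', literally or URL-encoded (%2d / %2D, as [NC]).
reject_query() {
    case "$1" in
        *=*) return 1 ;;                 # key=value form: never blocked
        *-*|*%2d*|*%2D*) return 0 ;;     # a dash anywhere: blocked
    esac
    return 1
}

# Stricter variant (this example's assumption, not the announcement's rule):
# a query string without an unencoded '=' is passed to the CGI as argv, split
# on '+' and URL-decoded (RFC 3875, section 4.4). php-cgi options all start
# with '-', so only an argument that *begins* with a dash (or its %2d encoding)
# is refused; ?top-40 passes, ?-s and ?a+-s do not.
reject_query_strict() {
    case "$1" in *=*) return 1 ;; esac
    (
        set -f                           # subshell: no globbing of $1 and
        IFS='+'                          # no IFS change leaks to the caller
        for arg in $1; do
            case "$arg" in
                -*|%2d*|%2D*) exit 0 ;;
            esac
        done
        exit 1
    )
}

# Hypothetical cgiwrapper stand-ins: report how many arguments reached the
# php-cgi side. A real wrapper would exec php-cgi with those arguments.
count_args() { echo "$#"; }
unsafe_wrapper() { count_args $*; }     # unquoted $*: re-split on IFS and re-globbed
safe_wrapper()   { count_args "$@"; }   # "$@": every argument forwarded as received

# Demonstration (constructed query strings; '?' added only for display).
for qs in '-s' '%2Ds' 'a+-s' 'top-40' 'page=1&sort=-date'; do
    if reject_query "$qs"; then v1=reject; else v1=allow; fi
    if reject_query_strict "$qs"; then v2=reject; else v2=allow; fi
    printf '%-22s mirror:%-7s strict:%s\n' "?$qs" "$v1" "$v2"
done
printf 'arguments seen with $*: %s, with "$@": %s\n' \
    "$(unsafe_wrapper 'a b' c)" "$(safe_wrapper 'a b' c)"
```

Run it with sh; the loop prints both verdicts for each sample. Note that `page=1&sort=-date` is allowed by both variants: the literal '=' means Apache delivers it as ordinary GET parameters, not as argv, which is why the rule keys on '=' first. Either filter is a stopgap in front of php-cgi; the announcement's remedy is the follow-up releases, and sites running mod_php or php-fpm are not affected at all.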

Another set of releases is planned for Tuesday, May 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.

