Scripting flaw leaves sites vulnerable
Published: 28 Feb 2002 10:48 GMT
A flaw in the common open-source scripting language PHP could allow attackers to crash or compromise a hefty fraction of the nine million servers running the open-source Web software Apache, as well as other Web servers.
A member of the PHP engineering team warned Web developers of the software flaws in an advisory on Wednesday, but security experts believe that while some in the Internet underground have tools to exploit the flaw, few people have the resources.
"It is not really easy to execute," said Johannes Ullrich, chief technology officer for the SANS (System Administration, Networking, and Security) Internet Storm Center, who obtained a program file that illustrates the vulnerability.
A handful of holes appear in different versions of PHP, a scripting language that can be installed on many different Web servers -- including Apache, Microsoft's Internet Information Server (IIS) and iPlanet -- allowing them to create Web pages on the fly from a database of information.
PHP software originally stood for Personal Homepage, before the script evolved into a much more complex language. It's best known for letting developers create more-easily modified Web sites based entirely on a collection of open-source software known as LAMP, which includes the Linux operating system, the Apache Web server, the MySQL database, and PHP or Python scripting languages. Survey firm Netcraft estimates that nearly nine million Web servers, about 64 percent, use Apache, and because of PHP's popularity, a large fraction of those sites are likely to have the software installed.
While PHP can be installed on other Web site software, the flaws only affect those Web servers running on top of the Linux or Solaris operating systems, according to an advisory released by German security and Internet software company e-Matters.
In the past, Microsoft's Internet Information Server has had a slew of problems with flaws in its components that allowed hackers and worms to break in. This time, the software appears not to be vulnerable, even if it's using PHP.
The flaws, a collection of heap overflows and problematic boundary checks, could crash vulnerable servers or allow attackers full access to them, said the advisory. Different flaws affect various versions of PHP, from 3.10 to 4.1.1.
Ullrich and the PHP Web site recommend that Linux and Solaris Web sites using PHP upgrade their software to the latest version, 4.1.2, which solves the problem.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University also warned of the flaw on Wednesday.
Ullrich said the problems posed by the vulnerabilities are heightened because security experts are uncertain how widely knowledge of the flaws has spread.
"There are these two camps. The disclosure people shout and say they have a new exploit," Ullrich said, referring to "exploit code", or programs capable of taking advantage of the software flaws, "and the non-disclosure people hold on to it and use it to attack certain sites, and trade them in IRC chat rooms."
Ullrich believes the latter group may have had exploit code for as long as a month.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
50 out of 91 people found this useful
- Share this article:
