PHP Group to try again to fix vulnerability

May 8, 2012 by Bob Yirka, report

( -- The PHP group, under fire for prematurely pushing out a patch to fix a recently uncovered vulnerability in the language, says it is working on another patch to fix the problem as web site owners scramble to ensure the integrity of their sites. Fortunately, as dire as that sounds, few sites appear to be at risk because the vulnerability only exists for those running in Common Gateway Interface (CGI) mode.

PHP is a scripting language (it used to stand for “Personal Home Page” but now means PHP: Hypertext Processor) used by servers to provide web services and can be embedded into HTML documents rather than forcing programmers to call external routines. Doing so makes creating and maintaining pages much simpler, though as this latest shows, it can also be less secure.

In this case, the problem is not so much that a vulnerability was found, but that it was accidently made public by some unknown person at Eindbazen (the group that found the vulnerability) publishing it to Reddit (a social news website). That caused nefarious types to work up code that could easily test a web site for the vulnerability and then exploit it when found.

The vulnerability is that for websites running in CGI mode, it was found that a URL passed with a “-“ character could be used as a command string causing the site to carry out instructions via switches, e.g. -c, -s, -d. By doing so, hackers could gain a copy of index.php for example. Worse of course, they could also gain admittance to user data or be used to carry out instructions such as to a cause denial of service. To be clear, the problem is not that command strings can be passed to a , but that switches can be passed that cause commands to run on the server. Most servers allow characters to be passed as data strings for interpretation by PHP parsing.

Upon hearing of the vulnerability being made public, the PHP Group rushed to push out a patch. Unfortunately, the patch has proven to be ineffective, which has left some sites more vulnerable than before as owners ceased working on protection measures believing their server was safe.

Moving forward, the PHP Group has advised site owners to update their PHP version and then to test their site themselves to see if they are at risk. If so, they suggest those site owners contact Eindbazen for some possible remedies that can be used until a permanent fix is ready for distribution.

Explore further: IBM Plugs Two Holes in Lotus Domino Security

More information:

Related Stories

Microsoft Investigates IE 7 Vulnerability

March 16, 2007

The vulnerability leaves users open to potential phishing attacks. Microsoft is investigating a new flaw uncovered in Internet Explorer 7 that opens users up to phishing attacks.

Apple says it's fixed iPhone SMS vulnerability

July 31, 2009

(AP) -- Apple Inc. says it has fixed an iPhone vulnerability that lets hackers knock people offline - and possibly take over the phones - by sending them specially crafted text messages.

Recommended for you

AI and 5G in focus at top mobile fair

February 24, 2018

Phone makers will seek to entice new buyers with better cameras and bigger screens at the world's biggest mobile fair starting Monday in Spain after a year of flat smartphone sales.

Google Assistant adds more languages in global push

February 23, 2018

Google said Friday its digital assistant software would be available in more than 30 languages by the end of the years as it steps up its artificial intelligence efforts against Amazon and others.


Adjust slider to filter visible comments by rank

Display comments: newest first

2.3 / 5 (3) May 08, 2012
2012 and programmers can't properly parse strings, clear buffers, avoid pointer overflows, etc. etc. etc.

Same mistakes over and over and over again.

What is wrong with these people? Are they mentally defective?

1.5 / 5 (6) May 08, 2012
Have you ever programmed, Vendicar?
It's not easy. Especially when working with a ton of other people. And it's impossible to test every input a user can come up with... You should at least consider these things prior to claiming mental defects..
2.3 / 5 (3) May 08, 2012
"Have you ever programmed, Vendicar?" - Royale

For decades. Yes.
not rated yet May 09, 2012
Hello world, doesn't count.
If you write alot of code, you will eventually slip up. You are human, Vendicar.
DB hacking is the most successful these days for a reason. Facebook, google, nsa, FBI all of these have experienced breaches the past few years, and you can do better? Enlighten me, Captain obvious.
not rated yet May 09, 2012
It should be noted that the recursive acronym "PHP" means "PHP: Hypertext Preprocessor", not "processor" as the article states.

Vendicar, you can't build a bullet-proof system. The bigger it gets, the more likely that there will be a vulnerability left behind. This is even more likely when you have many contributors to your project. However, you can patch things properly. You can do your best and you can run in a sand-box, run with least privileges and keep it simple. All of these approaches lead to secure software.

Even the mighty developers at Google admit that they *might* have security flaws in their software. Chrome's sandboxing is evidence enough.
3 / 5 (2) May 09, 2012
Sometimes it does.

"Hello world, doesn't count." - Migbasher

I once took an 11 line assembly language program that some pround miscreant wrote - a trivial piece of code - and reduced it to 7 opcodes. This is not something to be proud of, but someting to illustrate the poor level of programming that people take pride in.

On the other hand, I also once reverse engineered a commercial SCSI driver for a particular PC SCSI card and reduced it's size by a factor of 10, while retaining full functionality and backward compatibility with the commercial driver.

In the process I corrected a couple of bugs.

That was one of the worst examples of programming I had ever seen until I encountered the code for GIF decompression in the FireFox web browser.

The code in the GIF decompressor was a single case statement something like 15 pages long. I reduced the code size by something around 80 percent and increased it's speed by close to 400 percent, and improved the way it managed corner cases.

3 / 5 (2) May 09, 2012

"Vendicar, you can't build a bullet-proof system." - Xharlie

Once every step is secure, the application is secure.

Did you know that the Standard C IO library is so poorly written that it can not be used for production software? It is full of buffer overflow conditions and the programming community refuses to fix them.

They have been part of the language since the very beginning of the language.
1 / 5 (11) May 09, 2012
Even the code behind the Physorg comments has vulnerabilities. Its been known for while that if one wanted to make a post as another user, its doable. However, (covering own arse), I will not demonstrate it (and never have used it). What i can say is that often untrapped errors lead to the information that is required to enable unwanted access. So, I would agree with Vendi, its simply lazy programming.

1 / 5 (1) May 09, 2012
2012 and programmers can't properly parse strings, clear buffers, avoid pointer overflows, etc. etc. etc.

Same mistakes over and over and over again.

What is wrong with these people? Are they mentally defective?

It's not the same people making the same mistakes over and over. Just as we all fall down as kids even though our parents tell us to stop running/jumping over things people make mistakes, learn from them and move on. No one is born with decades of programming experience built in so if that's important to you then limit yourself to running only software you made. No one has to put up with intolerance like yours.
5 / 5 (2) May 13, 2012

"It's not the same people making the same mistakes over and over" - Aloken

It seems that every new crop of programmers makes the same mistakes over and over and over and over again. It is never ending, and as a result it is the failure of the programming environment to prevent such errors.

Back in the DOS era the failure of IBM to define an open,use,close paradigm for the printer, serial port, rtc, etc, made it impossible to properly implement resource sharing.

15 years later Microsoft made the same "mistake" with their audio API under windows.

"No one is born with decades of programming experience" - Aloken

I must have been since I always clear my buffers before use, always follow an open,use,close paradigm, and never fill a buffer without checking for overflows.

It is just common sense.
1 / 5 (9) May 13, 2012
OpenAL and fmod works under windows.
1 / 5 (9) May 13, 2012
Another reason to use the .Net framework - a proper web programming framework, that is compiled properly and runs on a proper server technology.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.