[linux] PHP : Scripting flaw ripe for Web worm
http://story.news.yahoo.com/news?tmpl=story&u=/cn/20020304/tc_cn/scripting_flaw_ripe_for_web_worm&cid=70

Last Wednesday, a member of the PHP Group posted details of a handful of 
flaws that could be exploited to take over Web servers that use version 
3.0.10 to version 4.1.1 of the PHP software. By gaining control of the Web 
server software, attackers could deface any sites hosted by that server or 
take advantage of their position to issue system commands to the server. 
Because different versions of the software are susceptible to a different 
subset of the flaws, a worm would have to be programmed to detect the 
configuration of each host and attack with the right piece of code.

"They would have to write four or five exploits," Lerdorf said. "They would 
need to know a lot more. All you had to do with the (Code Red flaw) is put 
colon-colon after a URL, and poof, you screw up the Web server." In addition, 
Web servers typically run with limited privileges, not in "super user" mode, 
which allows nearly unlimited privileges to those with access. On properly 
secured servers, that difference could make it much more difficult to control 
the infected computer.

That may play in the favor of PHP-enabled Web site administrators, said 
Stefan Esser, another member of the PHP Group and the author of the advisory 
on the scripting flaws.

"PHP is an open-source project, and users of open-source products are 
often--in my experience--more aware of security issues than users of 
Microsoft products," Esser said. "I am pretty sure open-source users will 
upgrade faster than Microsoft users. The most important sites all have 
upgraded by now."

Still, to stop potential worms from affecting the Internet, more than just 
the major Web sites need to upgrade. 
-- 
	Bon amusement,

	Alain
+--------------------------------------------------------------------------------------
|  Dr Alain EMPAIN      Bioinformatique, Génétique Moléculaire B43,
|  Fac. Méd. Vétérinaire, Univ. de Liège, Sart-Tilman / B-4000 Liège  
|       Alain.EMPAIN@ulg.ac.be
|       WORK:+32 4 366 3821 Fax: +32 4 366 4122   GSM:+32 497 701764
|       HOME:+32 85 512341  -- Rue des Martyrs,7  B-4550 Nandrin
_______________________________________________
Linux Mailing List
Archives: http://unixtech.be/mailman/listinfo/linux