[linux] PHP : Scripting flaw ripe for Web worm
http://story.news.yahoo.com/news?tmpl=story&u=/cn/20020304/tc_cn/scripting_flaw_ripe_for_web_worm&cid=70
Last Wednesday, a member of the PHP Group posted details of a handful of
flaws that could be exploited to take over Web servers that use version
3.0.10 to version 4.1.1 of the PHP software. By gaining control of the Web
server software, attackers could deface any sites hosted by that server or
take advantage of their position to issue system commands to the server.
Because different versions of the software are susceptible to a different
subset of the flaws, a worm would have to be programmed to detect the
configuration of each host and attack with the right piece of code.
"They would have to write four or five exploits," said Rasmus Lerdorf, the
creator of PHP. "They would need to know a lot more. All you had to do with the
(Code Red flaw) is put colon-colon after a URL, and poof, you screw up the Web
server." In addition, Web servers typically run as an unprivileged account
rather than as root (the "super user", which has nearly unlimited privileges),
so an attacker who can run commands through the server gets only the server's
limited privileges. On properly secured servers, that difference could make it
much harder to take full control of the infected computer.
That may work in favor of administrators of PHP-enabled Web sites, said
Stefan Esser, another member of the PHP Group and the author of the advisory
on the scripting flaws.
"PHP is an open-source project, and users of open-source products are
often--in my experience--more aware of security issues than users of
Microsoft products," Esser said. "I am pretty sure open-source users will
upgrade faster than Microsoft users. The most important sites all have
upgraded by now."
Still, to stop potential worms from affecting the Internet, more than just
the major Web sites need to upgrade.
--
Bon amusement,
Alain
+--------------------------------------------------------------------------------------
| Dr Alain EMPAIN Bioinformatique, Génétique Moléculaire B43,
| Fac. Méd. Vétérinaire, Univ. de Liège, Sart-Tilman / B-4000 Liège
| Alain.EMPAIN@ulg.ac.be
| WORK:+32 4 366 3821 Fax: +32 4 366 4122 GSM:+32 497 701764
| HOME:+32 85 512341 -- Rue des Martyrs,7 B-4550 Nandrin
_______________________________________________
Linux Mailing List
Archives: http://unixtech.be/mailman/listinfo/linux
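The article's point that a worm would first have to fingerprint each host's PHP version is the same job an administrator has when deciding which servers need the upgrade. The following is an added example, not code from the article, the PHP Group, or the list poster: it parses the PHP version that Apache and PHP advertise in the Server and X-Powered-By response headers and checks it against the affected range the article states (3.0.10 through 4.1.1). The header format "PHP/x.y.z", the host names and the sample headers are constructed for the example.

```python
import re

# Affected range as reported in the article: PHP 3.0.10 through 4.1.1 inclusive.
AFFECTED_MIN = (3, 0, 10)
AFFECTED_MAX = (4, 1, 1)

# PHP advertises itself as "PHP/4.0.6" in X-Powered-By and, when Apache's
# ServerTokens is permissive, inside the Server header as well. (Assumed format.)
_PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(header_value):
    """Return (major, minor, patch) from a header value, or None if no PHP tag is present."""
    match = _PHP_VERSION_RE.search(header_value or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if a (major, minor, patch) tuple falls inside the range the advisory covers."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_headers(headers):
    """Classify one host from its response headers (a dict of header name -> value).

    Returns 'affected', 'patched' (newer than 4.1.1), 'older' (below 3.0.10) or
    'unknown'. 'unknown' is not 'safe': expose_php = Off and a strict ServerTokens
    both hide the version, and distribution packages may backport the fix without
    changing the version string, so a version-string check is a triage aid only.
    """
    version = None
    for name in ("X-Powered-By", "Server"):
        version = parse_php_version(headers.get(name, ""))
        if version:
            break
    if version is None:
        return "unknown"
    if version < AFFECTED_MIN:
        return "older"
    if version > AFFECTED_MAX:
        return "patched"
    return "affected"


def triage(hosts):
    """Map each host name to its classification; hosts is {name: headers_dict}."""
    return {name: classify_headers(headers) for name, headers in hosts.items()}


# Constructed sample responses standing in for a scan of an internal server inventory.
SAMPLE_HOSTS = {
    "www.example.test": {"Server": "Apache/1.3.22 (Unix)", "X-Powered-By": "PHP/4.1.1"},
    "intranet.example.test": {"Server": "Apache/1.3.23 (Unix) PHP/4.1.2"},
    "legacy.example.test": {"Server": "Apache/1.3.9 (Unix) PHP/3.0.9"},
    "hardened.example.test": {"Server": "Apache"},
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:28s} {status}")
```

Tuple comparison handles the "3.0.9 is older than 3.0.10" case that naive string comparison gets wrong. Treat "unknown" hosts as work to do, not as clean: confirm the version on the box itself (for example with php -v) rather than trusting what the server chooses to advertise.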