PHP 5.3.10 with critical security fix

breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

PHP 5.3.10 with critical security fix

Unread post by breun »

Security Fixes in PHP 5.3.10:

* Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

http://www.php.net/archive/2012.php#id2012-02-02-1
Lemonbit Internet Dedicated Server Management
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PHP 5.3.10 with critical security fix

Unread post by mikeshinn »

ASL protects against this vulnerability. The vulnerability in PHP 5.3.9 is actually in the PHP code that was added to prevent the hash collision attacks (which ASL also protects from). You can ironically only succeed with the new attack if you send a payload with more than 1000 variables (or whatever you set your max to with PHP). 5.3.9 added a new limit to prevent the hash DoS attack; the default is that if you exceed the limit of 1000 variables (in PHP), that PHP request is denied. The bug is that the new PHP code has a flaw, which basically lets the 1000+ variables fill up buffers and do nasty things, instead of blocking them.

ASL independently won't allow above 1000 variables, so the exploit payload is rejected and will never reach the webserver. Additionally, the kernel protects against various types of code injection attacks, which adds another layer.

So, if you are using ASL, you are protected from this exploit, so this is not critical for you. If you are using our real time rules or ASL without the ASL kernel, you are protected from remote exploits of this, but that's your only layer (you do not have kernel protection).

If you are not running either, and you are running 5.3.9, then you do have a vulnerability. Even if you aren't using 5.3.9, you may need to upgrade if your vendor backported the new code to an older version of PHP.
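
The pre-filter idea described in the post above (refuse a request carrying more than 1000 variables before it reaches PHP), as an added Python example that is not ASL's or PHP's own code. The function names are illustrative, the sample requests are constructed, and it assumes PHP's default `&` separator and counts query string, body and cookies separately.

```python
from urllib.parse import urlsplit

MAX_INPUT_VARS = 1000  # PHP's default limit, per the post above


def count_pairs(raw: str, sep: str) -> int:
    """Count non-empty name[=value] items without decoding or storing them."""
    return sum(1 for item in raw.split(sep) if item.strip())


def variable_counts(url: str, body: str = "", cookie: str = "") -> dict:
    """Per-source counts; array-style names (a[]=1&a[]=2) count once per item."""
    return {
        "query": count_pairs(urlsplit(url).query, "&"),
        "body": count_pairs(body, "&"),
        "cookie": count_pairs(cookie, ";"),
    }


def over_limit(url, body="", cookie="", limit=MAX_INPUT_VARS):
    """Return the sources that exceed the limit (empty list means pass)."""
    counts = variable_counts(url, body, cookie)
    return [src for src, n in counts.items() if n > limit]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    url = "/index.php?page=2"
    cookie = "sid=abc; lang=en"
    normal_body = "user=alice&action=save&tags[]=a&tags[]=b"
    large_body = "&".join(f"f{i}=1" for i in range(1001))
    for label, body in (("normal", normal_body), ("large", large_body)):
        hits = over_limit(url, body, cookie)
        verdict = "reject" if hits else "pass"
        print(label, variable_counts(url, body, cookie), verdict, hits)
```

Because the count is taken on the raw, undecoded request, the filter's decision does not depend on the variable-parsing code in the PHP build behind it.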
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: PHP 5.3.10 with critical security fix

Unread post by breun »

RHEL/CentOS has already released PHP updates with fixes for this issue. I see 5.3.10 is also already in the atomic channel. People, start your upgrading engines!
Lemonbit Internet Dedicated Server Management
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PHP 5.3.10 with critical security fix

Unread post by mikeshinn »

People, start your upgrading engines!
Unless you are running ASL, in which case, no rush. :-)