Security Fixes in PHP 5.3.10:
* Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.
http://www.php.net/archive/2012.php#id2012-02-02-1
PHP 5.3.10 with critical security fix
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
PHP 5.3.10 with critical security fix
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: PHP 5.3.10 with critical security fix
ASL protects against this vulnerability. The vulnerability in PHP 5.3.9 is actually in the PHP code that was added to prevent the hash collision attacks (which ASL also protects from). You can ironically only succeed with the new attack if you send a payload with more than 1000 variables (or whatever you set your max to with PHP). 5.3.9 added a new limit to prevent the hash DOS attack, the default is that if you exceed the limit of 1000 variables (in PHP) that PHP request is denied. The bug is that the new PHP code has a flaw, which basically lets the 1000+ variables fill up buffers and do nasty things, instead of blocking them.
ASL independently won't allow above 1000 variables, so the exploit payload is rejected and will never reach the webserver. Additionally, the kernel protects against various types of code injection attacks, which adds another layer.
So, if you are using ASL, you are protected from this exploit so this is not critical for you. If you are using our real time rules or ASL without the ASL kernel, you are protected from remote exploits of this, but that's your only layer (you do not have kernel protection).
If you are not running either, and you are running 5.3.9, then you do have a vulnerability. Even if you aren't using 5.3.9 you may need to upgrade if your vendor backported the new code to an older version of PHP.
Michael Shinn
Atomicorp - Security For Everyone
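A triage sketch for the cases described in the post above, added here as an example and not part of the original thread or Atomicorp's code. It assumes the backported limit shows up as the `max_input_vars` ini directive (the setting PHP 5.3.9 introduced); the function names and result labels are this example's own.

```shell
#!/bin/sh
# Added example: classify a host for CVE-2012-0830 from two facts.
# Thresholds follow the thread: 5.3.9 carries the flaw, 5.3.10 fixes it,
# and older releases matter only if the vendor backported the new limit.

# triage VERSION HAS_LIMIT
#   VERSION   - PHP version string, e.g. "5.3.9" or "5.3.3-vendor1"
#   HAS_LIMIT - "yes" if the max_input_vars directive exists, else "no"
triage() {
    has_limit=$2
    ver=${1%%[!0-9.]*}             # drop any vendor suffix after the digits
    old_ifs=$IFS; IFS=.
    set -- $ver                    # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # One comparable number: 5.3.9 -> 50309, 5.3.10 -> 50310
    n=$((major * 10000 + minor * 100 + patch))
    if [ "$n" -ge 50310 ]; then
        echo "fixed-upstream"
    elif [ "$n" -eq 50309 ]; then
        echo "vulnerable"
    elif [ "$has_limit" = "yes" ]; then
        # Older version that knows the new limit: the new code was
        # backported, so confirm the vendor's fixed package is installed.
        echo "backport-check-vendor-update"
    else
        echo "flawed-code-absent"
    fi
}

# Live check against the local php CLI (assumption: the CLI is the same
# build as the module or FPM binary that serves web requests).
triage_local() {
    command -v php >/dev/null 2>&1 || { echo "php-cli-not-found"; return 0; }
    v=$(php -r 'echo PHP_VERSION;')
    if php -i 2>/dev/null | grep -q '^max_input_vars '; then l=yes; else l=no; fi
    triage "$v" "$l"
}

# Constructed inputs, not taken from a real host.
for sample in "5.3.10 yes" "5.3.9 yes" "5.3.3-vendor1 yes" "5.2.17 no"; do
    set -- $sample
    printf '%-15s limit=%-3s -> %s\n' "$1" "$2" "$(triage "$1" "$2")"
done
```

A vendor package can contain the fix while keeping an older version string, so the `backport-check-vendor-update` result means checking the installed package against the vendor's advisory, not that the host is exploitable.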
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
Re: PHP 5.3.10 with critical security fix
RHEL/CentOS has already released PHP updates with fixes for this issue. I see 5.3.10 is also already in the atomic channel. People, start your upgrading engines!
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: PHP 5.3.10 with critical security fix
"People, start your upgrading engines!"
Unless you are running ASL, in which case, no rush.
Michael Shinn
Atomicorp - Security For Everyone