February 27, 2002 5:40 PM PST
Scripting flaw leaves sites vulnerable
A member of the PHP engineering team warned Web developers of the software flaws in an advisory on Wednesday, but security experts believe that while some in the Internet underground have tools to exploit the flaw, few people have the resources.
"It is not really easy to execute," said Johannes Ullrich, chief technology officer for the SANS (System Administration, Networking, and Security) Internet Storm Center, who obtained a program file that illustrates the vulnerability.
A handful of holes appear in different versions of PHP, a scripting language that can be installed on many different Web servers--including Apache, Microsoft's Internet Information Server and iPlanet--allowing them to create Web pages on the fly from a database of information.
PHP software originally stood for Personal Homepage, before the script evolved into a much more complex language. It's best known for letting developers create more-easily modified Web sites based entirely on a collection of open-source software known as LAMP, which includes the Linux operating system, the Apache Web server, the MySQL database, and PHP or Python scripting languages. Survey firm Netcraft estimates that nearly nine million Web servers, about 64 percent, use Apache, and because of PHP's popularity, a large fraction of those sites are likely to have the software installed.
The flaws affect mainly Web sites running on Linux and Solaris operating systems. However, one flaw also affects Microsoft operating systems running versions 3.0.10 to 3.0.18 of the PHP module, according to an advisory released by German security and Internet software company e-Matters.
In the past, Microsoft's Internet Information Server has had a slew of problems with flaws in its components that allowed hackers and worms to break in. This time, the software appears to be less vulnerable to the PHP flaw.
The flaws, a collection of heap overflows and problematic boundary checks, could crash vulnerable servers or allow attackers full access to them, said the advisory. Different flaws affect various versions of PHP, from 3.0.10 to 4.1.1.
Ullrich and the PHP Web site recommend that Linux and Solaris Web sites using PHP upgrade their software to the latest version, 4.1.2, which solves the problem.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University also warned of the flaw Wednesday.
Ullrich said the problems posed by the vulnerabilities are heightened because security experts are uncertain how widely knowledge of the flaws has spread.
"There are these two camps. The disclosure people shout and say they have a new exploit," Ullrich said, referring to "exploit code," or programs capable of taking advantage of the software flaws, "and the non-disclosure people hold on to it and use it to attack certain sites, and trade them in IRC chat rooms."
Ullrich believes the latter group may have had exploit code for as long as a month.