[WBEL-users] Severe PHP vulnerability??

Mike Staver staver@fimble.com
Mon, 20 Dec 2004 12:51:22 -0700


I sent out an email with an attachment for people to check out, but 
apparently the list doesn't accept attachments without approval. 
Basically, I was just saying that I've been compromised by this new 
security hole already.  A worm called the NeverEverNoSanity WebWorm 
generation 9.  I can't find squat on google about this, so all I have 
done right now is kill apache.  Every php file on my entire system that 
was web accessible has been replaced with this lovely text:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
</BODY></HTML>

So, my point is, updated PHP rpms would be appreciated.  Also, I want to 
throw time at this to make a contribution to the project - can somebody 
tell me how to snag the source if any RH updates exist, and then 
how to roll them for WBEL?

Johnny Hughes wrote:
> On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
> 
>>Hello all,
>>
>>By now I'm sure everyone is aware of the major vulnerability with PHP
>>versions prior to 4.3.9 or 5.0.2.  There are actually a number of
>>different problems, but all (except one, which is currently being
>>exploited) are only problems for hosts which allow users to create their
>>own PHP pages.  The one remotely exploitable attack, which deals with the
>>unserialize() call (and on Athlon64 systems has been demonstrated to
>>execute shell code with the privileges of the web server process), is
>>widely used.
>>
>>http://www.hardened-php.net/advisories/012004.txt
>>
>>What are other WBEL users doing to protect themselves?  The only updates I
>>have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
>>I hear it's a royal pain to recompile PHP and all the drivers.  WBEL has
>>version 4.3.2.
>>
>>Does anyone know of a solution to this, while we wait for RedHat to
>>release an official RHEL fix?  Does someone know where the unserialize
>>problem is and how to fix it - perhaps I could backport the fix to the
>>4.3.2 WBEL packages.  I'll do some research and let everyone know.
> 
> 
> These packages are released, but unsupported for RHEL3:
> 
> http://people.redhat.com/jorton/Taroon-php/
> 
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users

-- 

                                 -Mike Staver
                                  staver@fimble.com
                                  mstaver@globaltaxnetwork.com
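As an added example (not part of the list posting), the triage step Mike describes, finding every web-accessible .php file that was overwritten with the worm's defacement page, can be scripted. The script below greps a document root for the "NeverEverNoSanity WebWorm generation" marker shown in the defaced page, counts the hits, and moves the defaced files into a quarantine directory (preserving their relative paths) so the defacement is no longer served and the evidence is kept for later comparison with backups. The document root, quarantine directory and sample tree are assumptions built in for the demo.

```shell
#!/bin/sh
# Triage helper for the defacement described in the thread. Added example,
# not from the list posting. Paths used by demo() are constructed.

# Text the worm leaves in every file it overwrites (taken from the defaced page).
MARKER='NeverEverNoSanity WebWorm generation'

# Print the path of every .php file under $1 that contains the marker.
# "|| true" keeps the function usable under "set -e" when nothing matches.
find_defaced() {
    find "$1" -type f -name '*.php' -exec grep -l -F "$MARKER" {} + 2>/dev/null || true
}

# Count the defaced files under $1 (prints 0 if none).
count_defaced() {
    find_defaced "$1" | wc -l | tr -d ' '
}

# Move each defaced file from docroot $1 into quarantine dir $2, keeping its
# relative path, so the defacement stops being served and the files remain
# available for forensics and for comparison against backups.
quarantine_defaced() {
    docroot=$1
    qdir=$2
    find_defaced "$docroot" | while IFS= read -r f; do
        rel=${f#"$docroot"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        echo "quarantined: $rel"
    done
}

# Constructed sample tree (one clean file, one defaced file) so the script
# can be exercised offline; a real run would point at e.g. /var/www/html.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/app"
    printf '<?php echo "hello"; ?>\n' > "$tmp/html/index.php"
    printf '<HTML><BODY><H1>This site is defaced!!!</H1>\n<ADDRESS><b>%s 9.</b></ADDRESS></BODY></HTML>\n' \
        "$MARKER" > "$tmp/html/app/view.php"
    echo "defaced files before: $(count_defaced "$tmp/html")"
    quarantine_defaced "$tmp/html" "$tmp/quarantine"
    echo "defaced files after: $(count_defaced "$tmp/html")"
    rm -rf "$tmp"
}
```

Run `demo` to see it on the sample tree, or call `count_defaced /var/www/html` directly on a live box once Apache is stopped. Note that the script only finds files carrying this exact marker; files the worm touched in some other way, or anything it dropped outside the document root, need a separate look (for example `rpm -Va` for packaged files and a review of recently modified files under the web user's writable directories).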