[WBEL-users] Severe PHP vulnerability??

Dave J. Hala Jr. dave@58ghz.net
Mon, 20 Dec 2004 14:53:08 -0600


I have a RHEL Subscription and I haven't seen an email regarding an
update for this issue yet.

My advice to you is to not run the applications listed in the bulletin
until there is an update.
 

On Mon, 2004-12-20 at 14:15, Pucky Loucks wrote:
> I just got this 1 hour ago on my production servers using phpbb.  does 
> anyone know if this is a full-fledged compromise or is this a script 
> kitty.  If I can help in any way Mike, just let me know.
> 
> thanks,
> Pucky
> On 20-Dec-04, at 11:51 AM, Mike Staver wrote:
> 
> > I sent out an email with an attachment for people to check out, but 
> > apparently the list doesn't accept attachments without approval. 
> > Basically, I was just saying that I've been compromised by this new 
> > security hole already.  A worm called the NeverEverNoSanity WebWorm 
> > generation 9.  I can't find squat on google about this, so all I have 
> > done right now is kill apache.  Every php file on my entire system 
> > that was web accessible has been replaced with this lovely text:
> >
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <HTML><HEAD>
> > <TITLE>This site is defaced!!!</TITLE>
> > </HEAD><BODY bgcolor="#000000" text="#FF0000">
> > <H1>This site is defaced!!!</H1>
> > <HR>
> > <ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
> > </BODY></HTML>
> >
> > So, my point is, updated PHP rpms would be appreciated.  Also, I want 
> > to throw time at this to make a contribution to the project - can 
> > somebody tell me how to snag the source if any RH updates 
> > exist, and then how to roll them for WBEL?
> >
> > Johnny Hughes wrote:
> >> On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
> >>> Hello all,
> >>>
> >>> By now I'm sure everyone is aware of the major vulnerability with PHP
> >>> versions prior to 4.3.9 or 5.0.2.  There are actually a number of
> >>> different problems, but all (except one, which is currently being
> >>> exploited) are only problems for hosts which allow users to create their
> >>> own PHP pages.  The one remotely exploitable attack, which deals with the
> >>> unserialize() call (and on Athlon64 systems has been demonstrated to
> >>> execute shell code with the privileges of the web server process), is
> >>> widely used.
> >>>
> >>> http://www.hardened-php.net/advisories/012004.txt
> >>>
> >>> What are other WBEL users doing to protect themselves?  The only updates I
> >>> have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
> >>> I hear it's a royal pain to recompile PHP and all the drivers.  WBEL has
> >>> version 4.3.2.
> >>>
> >>> Does anyone know of a solution to this, while we wait for RedHat to
> >>> release an official RHEL fix?  Does someone know where the unserialize
> >>> problem is and how to fix it - perhaps I could backport the fix to the
> >>> 4.3.2 WBEL packages.  I'll do some research and let everyone know.
> >> These packages are released, but unsupported for RHEL3:
> >> http://people.redhat.com/jorton/Taroon-php/
> >> _______________________________________________
> >> Whitebox-users mailing list
> >> Whitebox-users@beau.org
> >> http://beau.org/mailman/listinfo/whitebox-users
> >
> > -- 
> >
> >                                 -Mike Staver
> >                                  staver@fimble.com
> >                                  mstaver@globaltaxnetwork.com
> 
-- 

Open Source Information Systems (OSIS)
Dave J. Hala Jr. <dave@osis.us>
641.485.1606
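A defender-side triage script for the situation Mike describes in the thread, added here as an example; it is not code from the mailing list or from any of its posters. It walks a web root and reports every .php file whose contents are the defacement page quoted above (the marker string is taken from that HTML), so the files to restore from backup can be listed without opening each one by hand, and it checks a PHP version string against the fixed releases the thread names (4.3.9 and 5.0.2). The web root it scans is a constructed sample built in a temporary directory; the file names, directory layout and version strings are assumptions for illustration.

```python
"""
Added example (not from the mailing-list thread): triage helper for a
web root whose PHP files were overwritten with the defacement page
quoted in the thread, plus a version check against the fixed releases
the thread names (4.3.9 for the 4.x line, 5.0.2 for the 5.x line).
The sample web root is constructed in a temporary directory; nothing
here touches a real system.
"""
import os
import re
import tempfile

# Marker string taken from the defacement page quoted in the thread.
DEFACEMENT_MARKER = "NeverEverNoSanity WebWorm generation 9."

# Fixed versions as stated in the thread, keyed by major version.
FIXED_VERSIONS = {4: (4, 3, 9), 5: (5, 0, 2)}


def parse_php_version(version: str) -> tuple:
    """Turn '4.3.2' or a packaged string like '4.3.10-1' into (4, 3, 10)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def php_version_is_vulnerable(version: str) -> bool:
    """True if the version predates the fixed release of its major line."""
    v = parse_php_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # Major lines the thread does not discuss: no verdict either way.
        return False
    return v < fixed


def find_defaced_php_files(web_root: str) -> list:
    """Return sorted paths of .php files under web_root carrying the marker.

    Only the first 4 KiB of each file is read: the defacement page is a
    few hundred bytes, and a defaced file contains nothing else.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if DEFACEMENT_MARKER.encode() in head:
                hits.append(path)
    return sorted(hits)


def build_sample_web_root() -> str:
    """Constructed sample: two defaced PHP files, one intact, one non-PHP."""
    root = tempfile.mkdtemp(prefix="webroot-")
    defaced = (
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
        "<HTML><HEAD>\n<TITLE>This site is defaced!!!</TITLE>\n"
        '</HEAD><BODY bgcolor="#000000" text="#FF0000">\n'
        "<H1>This site is defaced!!!</H1>\n<HR>\n"
        f"<ADDRESS><b>{DEFACEMENT_MARKER}</b></ADDRESS>\n</BODY></HTML>\n"
    )
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(defaced)
    with open(os.path.join(root, "forum", "viewtopic.php"), "w") as fh:
        fh.write(defaced)
    with open(os.path.join(root, "forum", "config.php"), "w") as fh:
        fh.write("<?php\n$dbhost = 'localhost';\n?>\n")  # intact file
    with open(os.path.join(root, "style.css"), "w") as fh:
        fh.write(defaced)  # same bytes but not .php: not reported
    return root


if __name__ == "__main__":
    root = build_sample_web_root()
    for path in find_defaced_php_files(root):
        print("DEFACED:", os.path.relpath(path, root))
    for ver in ("4.3.2", "4.3.10", "5.0.3"):
        state = "vulnerable" if php_version_is_vulnerable(ver) else "fixed"
        print(f"PHP {ver}: {state}")
```

Run against a real web root, `find_defaced_php_files` gives the restore list only; a file that carries the marker has lost its original body, so the thread's "kill apache, restore, patch" order is the right one, and the version check is a reminder that a restored copy on PHP 4.3.2 is back in the vulnerable state the advisory describes.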