store | blogs | forums | twitter | facebook | wiki | downloads | support portal
Atomic Secure Linux
It is currently Mon Oct 20, 2014 8:30 pm

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: PHP 5.3.10 with critical security fix
Unread postPosted: Fri Feb 03, 2012 6:50 am 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Security Fixes in PHP 5.3.10:

* Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

http://www.php.net/archive/2012.php#id2012-02-02-1

_________________
Lemonbit Internet Dedicated Server Management


Top
 Profile  
 
 Post subject: Re: PHP 5.3.10 with critical security fix
Unread postPosted: Fri Feb 03, 2012 10:00 am 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
ASL protects against this vulnerability. The vulnerability in PHP 5.3.9 is actually in the PHP code that was added to prevent the hash collision attacks (which ASL also protects from). You can ironicly only succeed with the new attack if you send a payload with more than 1000 variables (or whatever you set your max to with PHP). 5.39 added a new limit to prevent the has DOS attack, the default is that if you exceed the limit of 1000 variables (in PHP) that PHP requests is denied. The bug is that the new PHP code has a flaw, which basically lets the 1000+ variables fill up buffers and do nasty things, instead of block them.

ASL independently won't allow above 1000 variables, so the exploit payload is rejected and will never reach the webserver. Additionally, the kernel protects against various types of code injection attacks, which adds another layer.

So, if you are using ASL, you are protected from this exploit so this is not critical for you. If you are using our real time rules or ASL without the ASL kernel, you are protected from remote exploits of this, but thats your only layer (you do not have kernel protection).

If you are not running either, and you are running 5.3.9 then you do have a vulnerability. Even if you arent using 5.3.9 you may need to upgrade if your vendor backported the new code to an older version of PHP.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
 Post subject: Re: PHP 5.3.10 with critical security fix
Unread postPosted: Fri Feb 03, 2012 2:01 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
RHEL/CentOS has already released PHP updates with fixes for this issue. I see 5.3.10 is also already in the atomic channel. People, start your upgrading engines!

_________________
Lemonbit Internet Dedicated Server Management


Top
 Profile  
 
 Post subject: Re: PHP 5.3.10 with critical security fix
Unread postPosted: Fri Feb 03, 2012 7:47 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
Quote:
People, start your upgrading engines!


Unless you are running ASL, in which case, no rush. :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group