SANS Internet Storm Center
Critical PHP bug patched

Just about a month ago, PHP 5.3.9 was released, which included a patch for the "hash collision" problem. The basic hash collision problem affected various languages, including PHP and .NET (Microsoft fixed the issue in an out-of-band patch, 2011-100, in late December).

PHP fixed the issue not by introducing a new hash function, but by limiting the number of input parameters. Just like the PHP hardening patch Suhosin has done all along, PHP now supports a "max_input_vars" parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications.

Sadly, the fix was implemented incorrectly and introduced a more severe vulnerability: remote code execution. That's right: an attacker could craft a request that will execute code on a web server running PHP 5.3.9.

Today, the PHP team released PHP 5.3.10 to address the issue.

If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug.

If you are running PHP 5.3.8: DO NOT UPGRADE TO 5.3.9. I would actually recommend that you wait.

Additionally, try to enable Suhosin if at all possible. There is a slight performance hit, but it is unlikely to break your web application unless you are already tight in resources. Many Linux distributions include Suhosin, so it may be pretty easy to set up.
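As an added example (not from the diary itself), the php.ini settings behind the two recommendations above: the max_input_vars limit introduced in 5.3.9 and the Suhosin per-request caps that provide the same protection independently. The 1,000 value is the default the diary cites; the tighter GET value and the suhosin.so path are assumptions, and the Suhosin directive names are taken from the extension's documentation.

```ini
; php.ini for PHP 5.3.10 or later (5.3.9 itself carries the RCE bug and must not be deployed)

; Cap on the number of GET, POST and COOKIE variables accepted per request.
; 1000 is the default PHP chose in 5.3.9; variables beyond the cap are dropped
; and PHP logs a warning, so watch the error log after lowering it.
max_input_vars = 1000

; Defence in depth: Suhosin enforces its own, independent variable caps, so the
; protection remains in place even on a PHP build that lacks max_input_vars
; (e.g. a 5.3.8 install that is waiting for a fixed release).
; The module path is an assumption; distribution packages usually ship it this way.
extension = suhosin.so
; Assumed value: size the GET cap to what the application actually needs.
suhosin.get.max_vars = 100
suhosin.post.max_vars = 1000
suhosin.request.max_vars = 1000
```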

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

The Red Hat links for the various patches are as follows (subscription required):
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=13355

https://rhn.redhat.com/rhn/errata/details/Details.do?eid=13353

TexISO
Thanks for sharing... I am going to follow this.
Tom