PHP Hits the Mainstream: Gets worm to prove it!

We have had some interesting security-related news in our world these last couple of weeks. You may want to read on if you are running:

  • php < 4.3.10
  • php < 5.0.3
  • phpBB < 2.0.11

Also, I’ve added a little trick you might be interested in to keep your services safe. This is especially important if you use a shared host, and don’t have access to update your own software. Read on for more…

As Eric pointed out in the Forums, PHP 4.3.10 and 5.0.3 are now out. You really need to look into upgrading to one of these as soon as possible.

Also, a new worm targeting phpBB has been written. This initial version used a flaw in phpBB’s highlighting code to deface your site with the worm. The worm would then use Google to find phpBB sites that had not yet been upgraded, and infect them. You can read more about it on [url]

While Google has stopped returning requests related to this worm, that doesn’t mean a new variant that uses a different (read: lesser) engine won’t pop up soon.

As “akiy” on slashdot posted:

It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven’t yet!

I have to take his word on this, because I can’t get to [url][/url] right now.

Happy Patching!! Don’t forget to try it in your test environments first if you have one!!

Also, a pretty reliable way to keep things like this from happening is to run your PHP scripts as a different user from the one that owns, and can write to, your files.

For example, your website runs phpBB. All of the files are owned by qb_admin, and are read-only to everyone else. Then, PHP runs as qb_cgi. The qb_cgi user owns no files…maybe some JPEGs in an upload or avatar directory, but that’s it. If PHP or your scripts get compromised, the worst thing they could do is jack with your data…but your code would still be clean and intact.

If your PHP runs as an Apache module in Linux, it is probably running as nobody…and unless your permissions allow that user (or everyone) to write to your files, you are probably ok.
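To check whether a deployment actually matches the qb_admin/qb_cgi split described above, here is an added example (not code from the original post) that evaluates Unix owner/group/other permission bits the way the kernel does and lists every path a given PHP user could modify. The uids, paths and modes in the sample tree are constructed for illustration; scan_tree() does the same against a real directory.

```python
import os
import stat
from typing import Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int   # permission bits only, e.g. 0o644
    uid: int
    gid: int


def can_write(entry: Entry, uid: int, gids: Iterable[int]) -> bool:
    """Unix DAC check: pick the owner, group or other triple for this user."""
    if uid == 0:
        return True                       # root bypasses permission bits
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in set(gids):
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def writable_by(entries: Iterable[Entry], uid: int, gids: Iterable[int],
                allowed_prefixes: Iterable[str] = ()) -> List[str]:
    """Paths the PHP user could modify, minus directories that are
    supposed to be writable (uploads, avatars). Anything returned is a
    place a compromised script could plant or alter code."""
    allowed = tuple(allowed_prefixes)
    return [e.path for e in entries
            if can_write(e, uid, list(gids)) and not e.path.startswith(allowed)]


def scan_tree(root: str) -> List[Entry]:
    """Collect real stat() data for a web root (not used by the sample)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            found.append(Entry(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return found


# Constructed sample: uids/gids and paths are hypothetical.
QB_ADMIN, QB_CGI, WWW_DATA = 1001, 1002, 33
ALLOWED = ["/var/www/forum/images/avatars"]
SAMPLE = [
    Entry("/var/www/forum/index.php", 0o644, QB_ADMIN, QB_ADMIN),
    Entry("/var/www/forum/config.php", 0o666, QB_ADMIN, QB_ADMIN),   # mistake: world-writable
    Entry("/var/www/forum/templates", 0o775, QB_ADMIN, WWW_DATA),    # group-writable dir
    Entry("/var/www/forum/images/avatars", 0o755, QB_CGI, QB_CGI),   # expected upload dir
]
```

Run writable_by(SAMPLE, QB_CGI, [QB_CGI], ALLOWED) and only config.php comes back; add WWW_DATA to the group list and the templates directory shows up too, which is why the script's supplementary groups matter as much as the file owner.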

I’m not sure how you would do this in windows though. (I have some fuzzy recollections about IIS_USER and the everyone group, or something) Anyone care to enlighten us?

Be safe out there!