PHP Hits the Mainstream: Gets worm to prove it!

We have had some interesting security-related news in our world these last couple of weeks. You may want to read on if you are running:

  • php < 4.3.10
  • php < 5.0.3
  • phpBB < 2.0.11

Also, I’ve added a little trick you might be interested in to keep your services safe. This is especially important if you use a shared host, and don’t have access to update your own software. Read on for more…

As Eric pointed out in the Forums, [url=http://www.php.net/ChangeLog-4.php#4.3.10]PHP 4.3.10[/url] and [url=http://www.php.net/ChangeLog-5.php#5.0.3]5.0.3[/url] are now out. You really need to look into upgrading to one of these as soon as possible.

Also, a new worm targeting phpBB has been written. This initial version used a flaw in phpBB’s highlighting code to deface your site with the worm. Then, the worm would use Google to find phpBB sites that had not yet been upgraded and infect them. You can [url=http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169]read more about it[/url] on [url]slashdot.org[/url].

While Google has stopped returning requests related to this worm, that doesn’t mean a new variant that uses a different (read: lesser) engine won’t pop up soon.

As “akiy” on slashdot posted:
[quote]It looks like the latest [url=http://www.phpbb.com/phpBB/viewtopic.php?t=244451]phpBB version 2.0.11[/url] or a [url=http://www.phpbb.com/phpBB/viewtopic.php?t=240513]simple patch[/url] will thwart the worm, though. Time to upgrade if you haven’t yet![/quote]

I have to take his word on this, because I can’t get to [url]phpbb.org[/url] right now.

Happy Patching!! Don’t forget to try it in your test environments first if you have one!!

Also, a pretty reliable way to keep things like this from happening is to run your php scripts using a different user than the one that can write to your files.

For example, your website quantumbagel.com runs phpBB. All of the files are owned by qb_admin, and are read-only to everyone else. Then, PHP runs as qb_cgi. The qb_cgi user has no files…maybe some JPEGs in an upload or avatar directory, but that’s it. If PHP or your scripts get compromised, the worst thing they could do is jack with your data…but your code would still be clean and intact.

If your PHP runs as an Apache module in Linux, it is probably running as nobody…and unless your permissions allow anyone to write to your files you are probably OK.

I’m not sure how you would do this in Windows though. (I have some fuzzy recollections about IIS_USER and the everyone group, or something.) Anyone care to enlighten us?
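The Unix layout described above, as an added example that is not part of the original post: a POSIX shell script that puts a web root into the “code owned by one account, PHP running as another” arrangement and then checks that nothing under it is world-writable. The account names qb_admin and qb_cgi are the post’s placeholders, the directory names (uploads, avatars) are assumed, and the chown step only runs when the script is root and those accounts exist; otherwise it applies the mode bits and says so.

```shell
#!/bin/sh
# Added example, not code from the original post. Lays out a web root so that
#   - application code is owned by CODE_OWNER (the post's qb_admin) and is
#     read-only for everyone else (0644 files, 0755 directories);
#   - PHP runs as PHP_USER (the post's qb_cgi), which owns only the listed
#     writable subdirectories (uploads, avatars, ...), so a compromised script
#     can scribble on uploaded data but cannot rewrite the code.
# chown needs root and existing accounts; when either is missing the function
# still applies the mode bits and reports that ownership was skipped.
set -eu

# mode_of PATH -> the 10-character ls mode string, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# harden_webroot ROOT CODE_OWNER PHP_USER [WRITABLE_SUBDIR ...]
harden_webroot() {
    root=$1; code_owner=$2; php_user=$3; shift 3

    # Make sure the data directories exist before normalising modes.
    for sub in "$@"; do mkdir -p "$root/$sub"; done

    # No group/world write anywhere, and no execute bit on files: PHP scripts
    # are read by the interpreter, they are never executed directly.
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +

    if [ "$(id -u)" -eq 0 ] && id "$code_owner" >/dev/null 2>&1 \
                            && id "$php_user" >/dev/null 2>&1; then
        chown -R "$code_owner" "$root"          # code belongs to the admin account
        for sub in "$@"; do
            chown -R "$php_user" "$root/$sub"   # only data dirs belong to the PHP account
        done
    else
        echo "harden_webroot: not root or accounts missing; modes applied, ownership skipped" >&2
    fi
}

# world_writable ROOT -> every path under ROOT that 'other' may write (should print nothing)
world_writable() {
    find "$1" -perm -0002
}

# Usage: sh harden_webroot.sh --demo   (builds and hardens a throwaway tree)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/includes"
    printf '<?php\n' > "$demo/index.php"              # constructed sample files
    printf '<?php\n' > "$demo/includes/config.php"
    chmod 0777 "$demo/index.php" "$demo/includes"     # deliberately sloppy starting state
    harden_webroot "$demo" qb_admin qb_cgi uploads avatars
    echo "index.php: $(mode_of "$demo/index.php")"    # -rw-r--r--
    echo "uploads:   $(mode_of "$demo/uploads")"      # drwxr-xr-x
    echo "world-writable paths: $(world_writable "$demo" | wc -l | tr -d ' ')"   # 0
    rm -rf "$demo"
fi
```

The point of the split is that whatever PHP runs as has no write path to the code: if the web server runs PHP as nobody or as a dedicated CGI account, the only directories that account owns are the ones the application legitimately writes into. On a shared host where you cannot change the PHP user, you can still run the chmod half of this against your own tree.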

Be safe out there!

2 thoughts on “PHP Hits the Mainstream: Gets worm to prove it!”

  1. Re: PHP Hits the Mainstream: Gets worm to prove it!
    [url=http://www.php.net/]PHP.net[/url] has news on their opening page (dated 12/31/04) about this:
    [quote]
    A recent Web Worm known as NeverEverSanity exposed a mistake in the input validation in the popular phpBB message board application. Their highlighting code didn’t account for double-urlencoded input correctly. Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the filesystem you create a potential security problem. [color=FF0000]Despite some confusion regarding the timing of some unrelated PHP security fixes and the NeverEverSanity worm, the worm didn’t actually have anything to do with a security problem in PHP[/color].[/quote]
    Read the whole article, as it has some information about security that newbies such as myself are ignorant of.
  2. Re: PHP Hits the Mainstream: Gets worm to prove it!
    In IIS, the anonymous person browsing your site uses IUSR_Machine-name to access your webpages. The IUSR only needs read access to your webpages, and unless you need write access don’t bother.

    Secondly, Windows assigns the EVERYONE group full access to all drives. This is a very bad….bad thing. The best thing to do is to reset all permissions at the root of the drive (aka c:) and remove the everyone group from every drive. You’ll need to assign the Administrators group and SYSTEM full access and Authenticated Users the default permissions, which is read and execute I believe. Make sure you do all this while logged in as an Admin on the local server. Then go to the WWWROOT folder and assign the IUSR account read permissions to the website and you should be good to go.

    As a side note…I set these permissions up like this on all my servers whether it’s a web server or not, just for the simple fact that the everyone group somehow is involved with just about every other exploit when it comes to Microsoft. 🙁
