Koozali.org formerly Contribs.org

CRITICAL exploit on CGI mode PHP

« on: May 08, 2012, 07:31:43 AM »
If you are running PHP using CGI, particularly the PHP 5 CGI extension from here:

   http://wiki.contribs.org/PHP5

You need to be aware of a potentially disastrous unpatched vulnerability in PHP. This vulnerability will allow attackers to exploit your system and take control of it.

You can find out if you are vulnerable simply by adding ?-s to a URL, for example: www.yourdomain.com/index.php?-s

Here is further information on the exploit with some work-arounds:

   http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Adam
...

Re: CRITICAL exploit on CGI mode PHP
« Reply #1 on: May 08, 2012, 02:32:04 PM »
This post should be in the Contribs 7.X forum, should it not?

Re: CRITICAL exploit on CGI mode PHP
« Reply #2 on: May 08, 2012, 05:37:14 PM »
Adam, how would it be fixed in sme?

Offline Stefano

Re: CRITICAL exploit on CGI mode PHP
« Reply #3 on: May 08, 2012, 05:51:23 PM »
> Adam, how would it be fixed in sme?

I don't think so.. you should move to SME8 or don't use php5 cgi on SME7
Smeserver.it consultant - SME Server solutions and support in Italy

Re: CRITICAL exploit on CGI mode PHP
« Reply #4 on: May 08, 2012, 06:02:11 PM »
Unfortunately I do have this. They are production machines, so whilst I am testing b7 I'd rather not upgrade them yet.

Offline cactus

Re: CRITICAL exploit on CGI mode PHP
« Reply #5 on: May 08, 2012, 06:06:58 PM »
> I don't think so.. you should move to SME8 or don't use php5 cgi on SME7
A fix was applied and suggested, but there is some discussion on the internet that the patch is not fixing the issue, but here is the page from the guys who reported the issue first: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ including technical information.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Stefano

Re: CRITICAL exploit on CGI mode PHP
« Reply #6 on: May 08, 2012, 06:07:33 PM »
I'm using SME8 in production since beta 5 without any issue..

you should move asap or stop using php5-cgi

Re: CRITICAL exploit on CGI mode PHP
« Reply #7 on: May 08, 2012, 06:11:40 PM »
OK, I'll try an upgrade tomorrow after the nightly backups have completed.

Re: CRITICAL exploit on CGI mode PHP
« Reply #8 on: May 09, 2012, 03:01:46 AM »
> This post should be in the Contribs 7.X forum, should it not?

You could be right Charlie. I debated with myself on that but decided it was a very important issue that everyone running SME server with PHP should be aware of so therefore I used this forum. However I'm happy to abide if you think it should be moved.

Adam
...

Re: CRITICAL exploit on CGI mode PHP
« Reply #9 on: May 09, 2012, 03:10:15 AM »
> Adam, how would it be fixed in sme?

Hi James,

There are a number of so-called solutions around, though none are perfect. The link I originally provided has a wrapper for the PHP-CGI binary and a patch for PHP itself.

PHP.net takes another tack and suggests using Apache mod_rewrite in the .htaccess file:

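Code:
# Condition 1: the query string contains no "=" (no key=value pairs)
RewriteCond %{QUERY_STRING} ^[^=]*$
# Condition 2: it contains a "-", literal or URL-encoded as %2d (NC = case-insensitive)
RewriteCond %{QUERY_STRING} %2d|\- [NC]
# Both true: refuse the request with 403 Forbidden and stop processing rules
RewriteRule .? - [F,L]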

Visit the www.php.net site for more info on that.

Post again here if you have any problems, and I and hopefully others will help.

Adam
...
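
The two RewriteCond tests quoted in the post above can also be run over an Apache access log to see which requests the rule would refuse and whether the server actually answered 403. This is an added example, not part of the original post or PHP.net's code; the function names, the combined-log-format assumption and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The same two tests as the RewriteCond lines in the post.
NO_EQUALS = re.compile(r"^[^=]*$")               # query string has no "="
HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)   # "-" literal or URL-encoded

# Assumption: common/combined log format, '"METHOD target PROTO" status'.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2012:03:12:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [09/May/2012:03:12:05 +0000] "GET /index.php?%2Ds HTTP/1.1" 403 202',
    '198.51.100.7 - - [09/May/2012:03:13:40 +0000] "GET /index.php?page=about-us HTTP/1.1" 200 8841',
    '198.51.100.7 - - [09/May/2012:03:13:44 +0000] "GET /style.css HTTP/1.1" 200 1033',
]


def rule_matches(query: str) -> bool:
    """True when both conditions hold, i.e. the rule would answer 403."""
    return bool(NO_EQUALS.match(query)) and bool(HAS_DASH.search(query))


def scan(lines):
    """Return (client, target, status) for every request the rule covers.

    Apache tests the raw, undecoded query string, so no URL-decoding is done.
    A hit with a status other than 403 means the rule was not in effect for
    that path (for example, AllowOverride does not permit .htaccess there).
    """
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a parsable request line
        query = urlsplit(m.group("target")).query
        if rule_matches(query):
            client = line.split()[0]
            hits.append((client, m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        state = "blocked" if status == 403 else "NOT blocked"
        print(f"{client} {target} -> {status} ({state})")
```
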

Re: CRITICAL exploit on CGI mode PHP
« Reply #10 on: May 09, 2012, 03:15:55 AM »
> I'm using SME8 in production since beta 5 without any issue..
>
> you should move asap or stop using php5-cgi

Hi Stefano,

I agree that we all need to move to SME 8 ASAP. I have a number of machines on SME 8 b7 which are running fine but I'm holding off for SME 8 RC1 before I move everything across. I personally don't like using betas on production machines and then updating them when the release version comes out even though it *should* be fine.

I prefer to wait for RC versions which I feel much more comfortable YUM updating when the full release version is made available. The machines I have using SME 8 b7 can easily be rebuilt if necessary but the remaining machines are more involved hence I'm waiting at least for RC1.

Adam
...

Re: CRITICAL exploit on CGI mode PHP
« Reply #11 on: May 09, 2012, 05:40:24 AM »
I am using 7.5.1, and have made the changes to .htaccess on the two I-bays that I am using php5-cgi in. It worked great.

I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to the webaccess portion. Need a push in the right direction.
If you think you know what's going on, you obviously have no idea what's going on!

Offline mmccarn

Re: CRITICAL exploit on CGI mode PHP
« Reply #12 on: May 09, 2012, 01:39:47 PM »
> I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to webaccess portion. Need a push in the right direction.
Can't you just locate the folder containing the zarafa webaccess code and add/modify the .htaccess in that folder?

Re: CRITICAL exploit on CGI mode PHP
« Reply #13 on: May 09, 2012, 07:13:18 PM »
I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

Re: CRITICAL exploit on CGI mode PHP
« Reply #14 on: May 10, 2012, 03:00:16 AM »
> I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

Hi crazybob,

Have you issued the following DB command to allow the .htaccess override within the iBay?

Code:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Cheers,

Adam
...