Koozali.org: home of the SME Server

CRITICAL exploit on CGI mode PHP

madadam
CRITICAL exploit on CGI mode PHP
« on: May 08, 2012, 07:31:43 AM »
If you are running PHP using CGI, particularly the PHP 5 CGI extension from here:

   http://wiki.contribs.org/PHP5

You need to be aware of a potentially disastrous unpatched vulnerability in PHP. This vulnerability will allow attackers to exploit your system and take control of it.

You can find out if you are vulnerable simply by adding ?-s to a URL, for example: www.yourdomain.com/index.php?-s

Here is further information on the exploit with some work-arounds:

   http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Adam
...

CharlieBrady
Re: CRITICAL exploit on CGI mode PHP
« Reply #1 on: May 08, 2012, 02:32:04 PM »
This post should be in the Contribs 7.X forum, should it not?

jameswilson
Re: CRITICAL exploit on CGI mode PHP
« Reply #2 on: May 08, 2012, 05:37:14 PM »
Adam, how would it be fixed in sme?

Stefano
Re: CRITICAL exploit on CGI mode PHP
« Reply #3 on: May 08, 2012, 05:51:23 PM »
Adam, how would it be fixed in sme?

I don't think so... you should move to SME8 or not use php5 cgi on SME7

jameswilson
Re: CRITICAL exploit on CGI mode PHP
« Reply #4 on: May 08, 2012, 06:02:11 PM »
Unfortunately I do have this. They are production machines, so whilst I am testing b7 I'd rather not upgrade them yet.

cactus
Re: CRITICAL exploit on CGI mode PHP
« Reply #5 on: May 08, 2012, 06:06:58 PM »
I don't think so... you should move to SME8 or not use php5 cgi on SME7
A fix was applied and suggested, but there is some discussion on the internet that the patch is not fixing the issue, but here is the page from the guys who reported the issue first: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ including technical information.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Stefano
Re: CRITICAL exploit on CGI mode PHP
« Reply #6 on: May 08, 2012, 06:07:33 PM »
I've been using SME8 in production since beta 5 without any issue..

You should move ASAP or stop using php5-cgi

jameswilson
Re: CRITICAL exploit on CGI mode PHP
« Reply #7 on: May 08, 2012, 06:11:40 PM »
OK, I'll try an upgrade tomorrow after the nightly backups have completed.

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #8 on: May 09, 2012, 03:01:46 AM »
This post should be in the Contribs 7.X forum, should it not?

You could be right Charlie. I debated with myself on that but decided it was a very important issue that everyone running SME server with PHP should be aware of so therefore I used this forum. However I'm happy to abide if you think it should be moved.

Adam
...

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #9 on: May 09, 2012, 03:10:15 AM »
Adam, how would it be fixed in sme?

Hi James,

There are a number of so-called solutions around, though none are perfect. The link I originally provided has a wrapper for the PHP-CGI binary and a patch for PHP itself.

PHP.net takes another tack and suggests using Apache mod_rewrite in the .htaccess file:

Code:
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

Visit the www.php.net site for more info on that.

Post again here if you have any problems, and I and hopefully others will help.

Adam
...
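Added example, not from this thread, from php.net or from SME: a Python model of the mechanism behind the ?-s probe in the opening post and of what the three mod_rewrite lines above actually reject. It applies the CGI rule from RFC 3875 section 4.4 (a query string with no unencoded "=" is split on "+" and handed to php-cgi as command-line arguments) and mirrors the two RewriteConds; the sample query strings are constructed.

```python
import re
from urllib.parse import unquote

# Mirrors the php.net work-around quoted in the thread:
#   RewriteCond %{QUERY_STRING} ^[^=]*$
#   RewriteCond %{QUERY_STRING} %2d|\- [NC]
#   RewriteRule .? - [F,L]
# Apache tests the raw (still percent-encoded) query string, so the
# second condition has to look for both a literal '-' and '%2d'/'%2D'.
_NO_EQUALS = re.compile(r"^[^=]*$")
_HAS_DASH = re.compile(r"%2d|\-", re.IGNORECASE)


def rewrite_blocks(query_string: str) -> bool:
    """True when both RewriteConds match, i.e. Apache answers 403 Forbidden."""
    return bool(_NO_EQUALS.match(query_string) and _HAS_DASH.search(query_string))


def cgi_argv(query_string: str) -> list:
    """argv a CGI server derives from QUERY_STRING (RFC 3875 section 4.4).

    A query string containing no unencoded '=' is treated as a search
    string: it is split on '+' and each word is URL-decoded into one
    argument. php-cgi then parses those words as if typed on its command
    line, which is why '?-s' makes it print the script source instead of
    running it.
    """
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def assess(query_string: str) -> dict:
    """What one request does on a server that has the rewrite work-around."""
    blocked = rewrite_blocks(query_string)
    argv = [] if blocked else cgi_argv(query_string)
    return {
        "blocked": blocked,
        "argv": argv,
        # Only words starting with '-' are read by php-cgi as options.
        "options_reach_php": any(a.startswith("-") for a in argv),
    }


if __name__ == "__main__":
    # Constructed sample requests: the ?-s probe from the thread, its
    # percent-encoded form, an ordinary key=value query, a plain search
    # string and an encoded '=' that still reaches php-cgi as argv.
    for qs in ("-s", "%2Ds", "page=-s", "hello+world", "a%3Db"):
        print(f"?{qs}: {assess(qs)}")
```

The last sample shows the limit of the rule: a query such as a%3Db has no unencoded "=" and is still passed to php-cgi as an argument, but it is not an option, so the rule has nothing to block.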

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #10 on: May 09, 2012, 03:15:55 AM »
I've been using SME8 in production since beta 5 without any issue..

You should move ASAP or stop using php5-cgi

Hi Stefano,

I agree that we all need to move to SME 8 ASAP. I have a number of machines on SME 8 b7 which are running fine but I'm holding off for SME 8 RC1 before I move everything across. I personally don't like using betas on production machines and then updating them when the release version comes out even though it *should* be fine.

I prefer to wait to RC versions which I feel much more comfortable YUM updating when the full release version is made available. The machines I have using SME 8 b7 can easily be rebuilt if necessary but the remaining machines are more involved hence I'm waiting at least for RC1.

Adam
...

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #11 on: May 09, 2012, 05:40:24 AM »
I am using 7.5.1, and have made the changes to .htaccess on the two I-bays that I am using php5-cgi in. It worked great.

I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to the webaccess portion. Need a push in the right direction.
If you think you know whats going on, you obviously have no idea whats going on!

mmccarn
Re: CRITICAL exploit on CGI mode PHP
« Reply #12 on: May 09, 2012, 01:39:47 PM »
I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to the webaccess portion. Need a push in the right direction.
Can't you just locate the folder containing the zarafa webaccess code and add/modify the .htaccess in that folder?

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #13 on: May 09, 2012, 07:13:18 PM »
I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #14 on: May 10, 2012, 03:00:16 AM »
I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

Hi crazybob,

Have you issued the following DB command to allow the .htaccess override within the iBay?

Code:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Cheers,

Adam
...

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #15 on: May 10, 2012, 03:27:10 AM »
Yes, that worked for the 2 i-bays I am using the php5-cgi in, but zarafa webaccess .htaccess is in the /usr/share/zarafa-webshare folder. I am not sure how to make the additions activate.

Bob
« Last Edit: May 10, 2012, 03:35:06 AM by crazybob »

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #16 on: May 10, 2012, 03:40:02 AM »
Yes, that worked for the 2 i-bays I am using the php5-cgi in, but zarafa webaccess .htaccess is in the /usr/share/zarafa-webshare folder

Ahh, I see. You'll need to create a custom template segment of the /etc/httpd/conf/httpd.conf file in the /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf folder in which you explicitly set AllowOverride All, for example:

Code:
<Directory /usr/share/zarafa-webshare>
  AllowOverride All
  [Other options - search the current httpd.conf file for this segment to see them]
</Directory>

Hope this brief overview helps.

Adam
...

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #17 on: May 10, 2012, 04:27:04 AM »
I have a fragment that sets zarafa webaccess to use php5-cgi
Code:
<Directory /usr/share/zarafa-webaccess>
       AddHandler php5-cgi .php
       Action php5-cgi /php5-cgi/php-cgi
</Directory>

Should I be able to insert AllowOverride All into this fragment, or will I need to make a new fragment?

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #18 on: May 10, 2012, 04:38:01 AM »
I have a fragment that sets zarafa webaccess to use php5-cgi
Code:
<Directory /usr/share/zarafa-webaccess>
       AddHandler php5-cgi .php
       Action php5-cgi /php5-cgi/php-cgi
</Directory>

Should I be able to insert AllowOverride All into this fragment, or will I need to make a new fragment?


Yes, simply add the AllowOverride All parameter to this block and expand the httpd.conf template.

Adam
...

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #19 on: May 10, 2012, 04:54:20 AM »
I inserted as per discussion, but when I test webaccess, it still shows the source code. I also verified that the suggested code was in the .htaccess file.

Bob

janet
Re: CRITICAL exploit on CGI mode PHP
« Reply #20 on: May 10, 2012, 05:07:42 AM »
crazybob

Restart httpd-e-smith, zarafa and php, or just do a reboot.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #21 on: May 10, 2012, 05:26:13 AM »
Thanks Mary, I just performed a reboot, and no change; it still shows the source code when I test it.

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #22 on: May 10, 2012, 05:33:29 AM »
Thanks Mary, I just performed a reboot, and no change; it still shows the source code when I test it.

OK, first off, determine whether or not Apache is reading the .htaccess file. If not, you will need to go through and read what's going on in the complete httpd.conf file to make sure nothing is overriding your setting. You could also try doing the mod_rewrite in the httpd.conf custom template segment, thereby bypassing the need for a .htaccess file in the first place.

Good luck!

Adam
...

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #23 on: May 10, 2012, 05:36:14 AM »
BTW Bob you could try making *temporary* changes directly to the httpd.conf file, making sure you restart the service as Mary said. It will be a faster way to figure out what's going on. When you've nutted it out then use custom template segments to make the changes permanent.

Adam
...

janet
Re: CRITICAL exploit on CGI mode PHP
« Reply #24 on: May 10, 2012, 05:39:30 AM »
crazybob

Maybe this is useful
http://wiki.contribs.org/Htaccess

CharlieBrady
Re: CRITICAL exploit on CGI mode PHP
« Reply #25 on: May 10, 2012, 05:15:04 PM »
Adam, how would it be fixed in sme?

There is nothing to fix in SME, as SME does not have this flaw (does not operate PHP in CGI mode).

CharlieBrady
Re: CRITICAL exploit on CGI mode PHP
« Reply #26 on: May 10, 2012, 05:19:13 PM »
You could also try doing the mod_rewrite in the httpd.conf custom template segment, thereby bypassing the need for a .htaccess file in the first place.

That's exactly what people should be doing - add the appropriate rewrite entries in the httpd template fragment which enables the php-cgi for particular URLs. .htaccess is only there for people who don't control httpd.conf, or for (probably unsafe) applications which make their own changes on the fly via changes in .htaccess.

madadam
Re: CRITICAL exploit on CGI mode PHP
« Reply #27 on: May 12, 2012, 05:33:16 AM »
That's exactly what people should be doing - add the appropriate rewrite entries in the httpd template fragment which enables the php-cgi for particular URLs. .htaccess is only there for people who don't control httpd.conf, or for (probably unsafe) applications which make their own changes on the fly via changes in .htaccess.

Yes, exactly. Unfortunately I still need to use PHP5-cgi on one of my SME 7 machines; I'm waiting until SME 8 RC 1 before I consider moving everything over to SME 8. Currently I have some machines on SME 8 b7 but only because they can be quickly and easily rebuilt if need be. So fingers crossed!

Thanks for the feedback Charlie!

Adam
...

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #28 on: May 12, 2012, 02:37:21 PM »
I tried putting the entries in the appropriate fragment, and still no luck. The fragment looks like this now:
Code:
<Directory /usr/share/zarafa-webaccess>
       AddHandler php5-cgi .php
       Action php5-cgi /php5-cgi/php-cgi
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
</Directory>
Is there anything I am missing?

Bob

cactus
Re: CRITICAL exploit on CGI mode PHP
« Reply #29 on: May 13, 2012, 07:49:31 PM »
I tried putting the entries in the appropriate fragment, and still no luck. The fragment looks like this now:
Code:
<Directory /usr/share/zarafa-webaccess>
       AddHandler php5-cgi .php
       Action php5-cgi /php5-cgi/php-cgi
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
</Directory>
Is there anything I am missing?

I don't know, but shouldn't RewriteCond rules and the like be placed outside Location and Directory blocks, like so?

Code:
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

<Directory /usr/share/zarafa-webaccess>
       AddHandler php5-cgi .php
       Action php5-cgi /php5-cgi/php-cgi
</Directory>

crazybob
Re: CRITICAL exploit on CGI mode PHP
« Reply #30 on: May 13, 2012, 10:57:49 PM »
Cactus, just tried it that way, expanded and restarted, and it still doesn't pass the test :-(

Even though it may not be a bug in SME, should I open a bug report?