Koozali.org: home of the SME Server

CRITICAL exploit on CGI mode PHP

madadam
« on: May 08, 2012, 07:31:43 AM »
If you are running PHP using CGI, particularly the PHP 5 CGI extension from here:

   http://wiki.contribs.org/PHP5

You need to be aware of a potentially disastrous unpatched vulnerability in PHP. This vulnerability will allow attackers to exploit your system and take control of it.

You can find out if you are vulnerable simply by adding ?-s to a URL, for example: www.yourdomain.com/index.php?-s

Here is further information on the exploit with some work-arounds:

   http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Adam
...

CharlieBrady
« Reply #1 on: May 08, 2012, 02:32:04 PM »
This post should be in the Contribs 7.X forum, should it not?

jameswilson
« Reply #2 on: May 08, 2012, 05:37:14 PM »
Adam, how would it be fixed in sme?

Stefano
« Reply #3 on: May 08, 2012, 05:51:23 PM »
Adam, how would it be fixed in sme?

I don't think so.. you should move to SME8 or don't use php5 cgi on SME7

jameswilson
« Reply #4 on: May 08, 2012, 06:02:11 PM »
Unfortunately I do have this. They are production machines, so whilst I am testing b7 I'd rather not upgrade them yet.

cactus
« Reply #5 on: May 08, 2012, 06:06:58 PM »
I don't think so.. you should move to SME8 or don't use php5 cgi on SME7
A fix was applied and suggested, but there is some discussion on the internet that the patch is not fixing the issue, but here is the page from the guys who reported the issue first: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ including technical information.

Stefano
« Reply #6 on: May 08, 2012, 06:07:33 PM »
I'm using SME8 in production since beta 5 without any issue..

you should move asap or stop using php5-cgi

jameswilson
« Reply #7 on: May 08, 2012, 06:11:40 PM »
OK, I'll try an upgrade tomorrow after the nightly backups have completed.

madadam
« Reply #8 on: May 09, 2012, 03:01:46 AM »
This post should be in the Contribs 7.X forum, should it not?

You could be right Charlie. I debated with myself on that but decided it was a very important issue that everyone running SME server with PHP should be aware of so therefore I used this forum. However I'm happy to abide if you think it should be moved.

Adam
...

madadam
« Reply #9 on: May 09, 2012, 03:10:15 AM »
Adam, how would it be fixed in sme?

Hi James,

There are a number of so-called solutions around, though none are perfect. The link I originally provided has a wrapper for the PHP-CGI binary and a patch for PHP itself.

PHP.net takes another tack and suggests using Apache mod_rewrite in the .htaccess file:

Code:
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

Visit the www.php.net site for more info on that.

Post again here if you have any problems, and I and hopefully others will help.

Adam
...
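
The php.net rule quoted in the post above, re-expressed as an added example (not part of the original thread or php.net's text): a Python check that applies the same two conditions to access-log request lines, to find requests the rule would refuse. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The two RewriteCond patterns from the post, as Python regexes.
NO_EQUALS = re.compile(r"^[^=]*$")        # RewriteCond %{QUERY_STRING} ^[^=]*$
HAS_DASH = re.compile(r"%2d|\-", re.I)    # RewriteCond %{QUERY_STRING} %2d|\- [NC]

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def rule_blocks(query_string):
    """True when both conditions match, i.e. the RewriteRule answers 403."""
    return bool(NO_EQUALS.search(query_string) and HAS_DASH.search(query_string))


def flag_log_lines(lines):
    """Return (client, target) for each logged request the rule would refuse."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        # Keep the query raw (not percent-decoded), as QUERY_STRING is.
        query = urlsplit(target).query
        if query and rule_blocks(query):
            hits.append((line.split()[0], target))
    return hits


# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2012:07:40:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [08/May/2012:07:40:05 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/May/2012:07:41:12 +0000] "GET /index.php?page=about-us HTTP/1.1" 200 812',
    '198.51.100.7 - - [08/May/2012:07:41:30 +0000] "GET /search.php?well-known HTTP/1.1" 200 640',
    '203.0.113.4 - - [08/May/2012:07:42:00 +0000] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, target in flag_log_lines(SAMPLE_LOG):
        print(client, target)
```

Note that `/search.php?well-known` is flagged too: the rule refuses any query string that has no `=` and contains a dash, so a benign key-less query is also blocked.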

madadam
« Reply #10 on: May 09, 2012, 03:15:55 AM »
I'm using SME8 in production since beta 5 without any issue..

you should move asap or stop using php5-cgi

Hi Stefano,

I agree that we all need to move to SME 8 ASAP. I have a number of machines on SME 8 b7 which are running fine but I'm holding off for SME 8 RC1 before I move everything across. I personally don't like using betas on production machines and then updating them when the release version comes out even though it *should* be fine.

I prefer to wait to RC versions which I feel much more comfortable YUM updating when the full release version is made available. The machines I have using SME 8 b7 can easily be rebuilt if necessary but the remaining machines are more involved hence I'm waiting at least for RC1.

Adam
...

crazybob
« Reply #11 on: May 09, 2012, 05:40:24 AM »
I am using 7.5.1, and have made the changes to .htaccess on the two I-bays that I am using php5-cgi in. It worked great.

I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to webaccess portion. Need a push in the right direction.

mmccarn
« Reply #12 on: May 09, 2012, 01:39:47 PM »
I am also using Zarafa with php5-cgi, and I am not sure how to apply .htaccess to webaccess portion. Need a push in the right direction.
Can't you just locate the folder containing the zarafa webaccess code and add/modify the .htaccess in that folder?

crazybob
« Reply #13 on: May 09, 2012, 07:13:18 PM »
I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

madadam
« Reply #14 on: May 10, 2012, 03:00:16 AM »
I did try modifying the .htaccess in the appropriate folder, but it has no effect. I know if it is in an i-bay you need to make some db changes, but I am not sure how to get the zarafa webaccess to recognize the changes in the file.

Hi crazybob,

Have you issued the following DB command to allow the .htaccess override within the iBay?

Code:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Cheers,

Adam
...