Security Watch: Picking on PHP
I can just imagine the pickup lines: "Hey n00b, Id like to escalate my privileges with you!"
What this means for this here column is that I get to unfairly pick on one specific product that has been having some problems of late: PHP.
Yes, I know Ive already had a few columns on PHP; but its such a doggone attractive target to pick on!
I Want to Manage Your Content, Baby
First, theres PHP-Fusion, an offering from a British source. Its a "light-weight" (their description, not mine) open-source CMS (content management system) written in PHP.
It utilizes a mySQL database to store the site content and includes a simple, yet supposedly comprehensive administration system for the content.
"slacker4ever_1" has discovered vulnerability in PHP-Fusion, which can be exploited by malicious people to conduct script insertion attacks.
Input passed in nested "url" BBcode tags isnt properly sanitized before it is used in a post.
This can be exploited by remote users to inject arbitrary script code that will then be executed in a users browser session (in the context of an affected site) when the post generated by the remote malicious user is viewed by the attack target.
An example of the syntax that can cause this to happen is: text[url=[url= onmouseover=[code];//]][/url][/url]
The vulnerability has been confirmed in version 6.00.107.
The Fusion Web site shows no mention of this problem, nor does the "slacker4ever_1" user name turn up any hits in a search done on the PHP-Fusion member list.
The fix is simple, because this is open-source.
Sanitize the source code in your implementation. Walk the righteous path of passing input.
There is no current patch available, though a new version of PHP-Fusion is due out in October.
Bind Me, Anonymously
Alexander Gerasiov has reported a security issue to Secunia and Debian in phpLDAPadmin.
This can be exploited by malicious people to bypass certain security restrictions and bind anonymously.
The issue is due to an error in login.php when validating whether anonymous bind has been disabled in the configuration.
This can be exploited to access the LDAP server anonymously, even if anonymous bind has been disabled in the configuration with the "disable_anon_bind" statement.
Debian notes, "The old stable distribution (woody) is not vulnerable to this problem. For the stable distribution (sarge) this problem has been fixed in version 0.9.5-3sarge2. For the unstable distribution (sid) this problem has been fixed in version 0.9.6c-5."
So, the fix here is to upgrade your phpLDAPadmin to the correct version.
Crime Pays Lousy, and You Get Caught
In other news, a Toledo, Ohio, malfeaser plea-bargained a deal last week with prosecutors after carrying out DDoS attacks on a Web site that was competing with another satellite TV retailer.
The motive was purely money on Richard "Krashed" Robys part, but the 2003 attacks caused at least $120,000 of losses to the affected retailer.
Roby had 15,000 "Spybot zombies" under his control that were used in the attacks.
The FBI found him, grabbed him, and he faces 18 months to two years in the slammer.
Consider this well, all you script kiddies. Your turn may be next.
Larry Loeb was consulting editor for BYTE magazine and senior editor of WebWeek. He serves as a subject matter expert for the Department of Defenses Information Assurance Technology Analysis Center, and is on the American Dental Associations WG-1 and MD 156 electronic medical records working groups. Larrys latest book is "Hackproofing XML," published by Syngress (Rockland, Mass.). If youve got a tip for Larry, contact him at firstname.lastname@example.org.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.