Message-ID: <200603282051.00104.tonu@jes.ee>
Date: Tue, 28 Mar 2006 20:51:00 +0300
From: Tõnu Samuel <tonu@....ee>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Critical PHP bug - act ASAP if you are running web with sensitive data

On Tuesday 28 March 2006 15:55, Tõnu Samuel wrote:
> Hi everybody!
>
> I want to tell that a pretty nasty bug was discovered in PHP (all tested
> versions were vulnerable). I do not want to disclose many details as it may
> hurt many websites. I expect the PHP team to make a patch first.
>
> There is a simple way to protect yourself against this bug if you put some
> code in the beginning of every source code looking for weird ASCII bytes before
> any other code. Make some kind of "white-list" for characters you allow and
> deny everything else.

I got a lot of mails about the topic, so I will try to make a FAQ here.

Q: Is it a remote or local exploit?
A: Both. Works 100% for local and less for remote.

Q: Looking for weird ASCII WHERE?
A: In $_GET, $_POST, $_COOKIE and $_REQUEST. This should help in most cases.

Q: Why did you post so little information?
A: More seems to be dangerous. I hope in this case it is possible to fight
the problem before a real 0day comes out.

Q: Which exact PHP versions are affected?
A: I believe ALL of them. I am running 5.0.4 coming with SuSE 10 and all
updates, but I received reports for other distributions, and PHP 4 and 5 are
both vulnerable.

One more thing - many people mail me from public webmail accounts telling "I
am the admin of big bank, can you tell details?". Sorry, I do not know if you
are real or not.

Tõnu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
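
One way to implement the allow-list check the message describes (scan $_GET, $_POST, $_COOKIE and $_REQUEST before any other code and deny everything outside the allowed characters), as an added example that is not code from the original post or from the PHP project. The names `ALLOWED_PATTERN`, `find_disallowed_input` and `reject_unless_clean` are hypothetical, the allowed character set is an assumption because the message does not specify one, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: allow-list filter for request input, to be included before
// any other code. The character set is an assumption; adjust it per application.
// \A and \z anchor the whole string, so a trailing newline is not accepted.
const ALLOWED_PATTERN = '/\A[A-Za-z0-9 _.,:@\/+=-]*\z/';

/**
 * Return the location of the first key or value containing a byte outside
 * the allow-list, or null when everything passes.
 */
function find_disallowed_input(array $data, string $path): ?string
{
    foreach ($data as $key => $value) {
        // Parameter names are client-controlled too, so check keys as well.
        // preg_match() returns false on error; "!== 1" fails closed.
        if (preg_match(ALLOWED_PATTERN, (string) $key) !== 1) {
            return $path . '[<key>]';
        }
        $here = $path . '[' . $key . ']';
        if (is_array($value)) {
            // Nested input such as a[b][c]=... arrives as arrays.
            $bad = find_disallowed_input($value, $here);
            if ($bad !== null) {
                return $bad;
            }
        } elseif (preg_match(ALLOWED_PATTERN, (string) $value) !== 1) {
            return $here;
        }
    }
    return null;
}

function reject_unless_clean(): void
{
    $sources = ['_GET' => $_GET, '_POST' => $_POST,
                '_COOKIE' => $_COOKIE, '_REQUEST' => $_REQUEST];
    foreach ($sources as $name => $data) {
        $bad = find_disallowed_input($data, '$' . $name);
        if ($bad !== null) {
            // Log only the location (built from validated keys), never raw bytes.
            error_log('input allow-list: rejected ' . $bad);
            http_response_code(400);
            exit('Bad request');
        }
    }
}

reject_unless_clean();
```

Loading the file through the `auto_prepend_file` directive in php.ini runs the check ahead of every script without editing each source file.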