Message-ID: <200603282051.00104.tonu@jes.ee>
Date: Tue Mar 28 19:01:14 2006
From: tonu at jes.ee (Tõnu Samuel)
Subject: Critical PHP bug - act ASAP if you are running web with sensitive data
On Tuesday 28 March 2006 15:55, Tõnu Samuel wrote:
> Hi everybody!
>
> I want to tell you that a pretty nasty bug was discovered in PHP (all tested
> versions were vulnerable). I do not want to disclose many details as it may
> hurt many websites. I expect the PHP team to make a patch first.
>
> There is a simple way to protect yourself against this bug if you put some
> code at the beginning of every source file, looking for weird ASCII bytes
> before any other code. Make some kind of "white-list" for characters you
> allow and deny everything else.

I got a lot of mails about this topic, so I will try to make a FAQ here.

Q: Is it a remote or local exploit?
A: Both. Works 100% for local and less for remote.

Q: Looking for weird ASCII WHERE?
A: In $_GET, $_POST, $_COOKIE and $_REQUEST. This should help in most cases.

Q: Why did you post so little information?
A: More seems to be dangerous. I hope in this case it is possible to fight
the problem before a real 0day comes out.

Q: Which exact PHP versions are affected?
A: I believe ALL of them. I am running 5.0.4, which comes with SuSE 10, with
all updates, but I received reports for other distributions, and PHP 4 and 5
are both vulnerable.

One more thing - many people mail me from public webmail accounts saying "I
am the admin of a big bank, can you tell me details?". Sorry, I do not know if
you are real or not.

Tõnu
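
The whitelist check described in the message above, as an added example that is not part of the original post. The allowed byte set, the function names and the 400 response are assumptions; the post does not say which bytes count as "weird", and the code is written for current PHP.

```php
<?php
// Added example: whitelist filter for request input, meant to be included
// before any other code in every script. The allowed set is an assumption;
// adjust it to what the site legitimately accepts.

// Printable ASCII (0x20-0x7E) plus tab, CR and LF. Without the /u modifier
// PCRE matches byte by byte, so NUL, other control bytes and every byte
// >= 0x80 fail. \A and \z anchor at the true start and end of the string
// ($ would tolerate a trailing newline).
define('ALLOWED_BYTES', '/\A[\x20-\x7E\t\r\n]*\z/');

// Returns true only if every key and every value, at any nesting depth,
// consists solely of whitelisted bytes.
function input_is_clean($value): bool
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            // Array keys come from the client too (e.g. ?a[key]=1).
            if (!input_is_clean((string) $key) || !input_is_clean($item)) {
                return false;
            }
        }
        return true;
    }
    // These superglobals hold only strings and arrays; deny anything else.
    return is_string($value) && preg_match(ALLOWED_BYTES, $value) === 1;
}

// Checks the four arrays named in the FAQ and stops the request on a miss.
function reject_unclean_request(): void
{
    $sources = ['GET' => $_GET, 'POST' => $_POST,
                'COOKIE' => $_COOKIE, 'REQUEST' => $_REQUEST];
    foreach ($sources as $name => $data) {
        if (!input_is_clean($data)) {
            // Log the source only, never the offending bytes themselves.
            error_log("rejected request: disallowed byte in $name input");
            http_response_code(400);
            exit('Bad request');
        }
    }
}

reject_unclean_request();
```

This covers only the four arrays the FAQ lists; request headers in `$_SERVER` and the raw request body are not inspected. A site that accepts non-ASCII text in forms would need a wider whitelist than the one assumed here.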