NYCPHP Meetup

[Hans Zaunere]

Anthony wrote:

> I'm (tenuously) responsibile for looking at php in my company and thought it
> isn't really approved for use yet, I was wondering if people could share any
> light on this "vulnerability". It's been discussed before, but I really need
> to know if this is something that is a threat: ie, could an external attacker
> get apache to dump logins and passwords to whatever place, or to get it to
> serve items not intended to be available?

No.  dlopen() is a powerful feature of the language, and with power comes ability.  When you load an extension into Apache/PHP, you would hope it could read the memory of that process; otherwise, it'd be pretty useless.

It's a real shame that securityfocus blindly registers this as a vulnerability.  I've emailed them twice, questioning who it was that actually submitted this, and whether they reviewed this as a true security hole.  I haven't heard from them yet.  Furthermore, if you dig on the internet for the author's name (who, I might add, doesn't supply any valid contact information) it becomes quite clear that it's some kid who just wanted to get their name on securityfocus.com.

I'd continue to be wary of securityfocus.com's claims, as this type of behavior isn't an isolated incident.

H