[nycphp-talk] Help... NeverEverNoSanity WebWorm generation 8.
inforequest
1j0lkq002 at sneakemail.com
Wed Dec 22 11:35:46 EST 2004
Tim Gales tgales-at-tgaconnect.com |nyphp dev/internal group use| wrote:
> It looks like I got slammed by some new PHP vulnerability. It first
> appeared that what it did was to replace all your index pages with its
> own that proclaims "This site is defaced!!!" and then
> includes ... "NeverEverNoSanity
There is a flaw in the highlight script for which manual hacks are
available. There were also multiple security flaws in PHP < version
4.3.10 or 5.0.3 (Secunia):
An integer overflow in the "pack()" function....bypasses the safe_mode
feature and allows execution of arbitrary code with the privileges of
the web server.
An integer overflow in the "unpack()" function can be exploited to leak
information stored on the heap by passing specially crafted parameters
to the function.
An error within safe_mode when executing commands can be exploited to
bypass the safe_mode_exec_dir restriction by injecting shell commands
into the current directory name.
*** An error in safe_mode combined with certain implementations of
"realpath()" can be exploited to bypass safe_mode via a specially
crafted file path.
*** Various errors within the deserialization code can be exploited to
disclose information or execute arbitrary code via specially crafted
strings passed to the "unserialize()" function.
An unspecified error in the "shmop_write()" function may result in an
attempt to write to an out-of-bounds memory location.
An unspecified error in the "addslashes()" function causes it to not
escape "\0" correctly.
An unspecified boundary error exists in the "exif_read_data()" function
when handling long section names.
An unspecified error within "magic_quotes_gpc" may allow a one-level
directory traversal when uploading files.
Other potential security issues have also been reported.
(*** phpBB vulnerability is related to dependency on these)
As for phpBB:
Edit |overall_footer.tpl| and remove the version number
Consider using mod_rewrite to change the default file names, since they
are used as search footprints
It is widely believed that you should de-link the members directory
(memberlist.php) to avoid spam and ID-based cracking attempts. However,
for SEO purposes, try linking that instead to a search results page
showing all posts of that member (search.php?search_author=membername).
Check your forums' description text. Crackers have hidden js within the
description, which loads in users' browsers when viewed (logged in users :-)
Disallow remote avatars
Want to see the damage? Check out this search :
http://www.google.com/search?hl=en&lr=&q=%22This+site+is+defaced%21%21%21%22&btnG=Search
-=john andrews
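As an added example (not from the post, nor from PHP or phpBB), a small Python triage script for the two checks a defender would want after reading the above: it compares a PHP version string numerically against the 4.3.10 / 5.0.3 fixed releases cited from Secunia, and walks a web root for index pages that carry the defacement text. The web root, its files and the marker strings are constructed inline for the demo.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases quoted in the post (Secunia summary): 4.x needs >= 4.3.10,
# 5.x needs >= 5.0.3. Markers are the defacement text quoted in the thread.
FIXED = {4: (4, 3, 10), 5: (5, 0, 3)}
MARKERS = ("This site is defaced!!!", "NeverEverNoSanity")
INDEX_RE = re.compile(r"^index\.(php|phtml|html?)$", re.IGNORECASE)

def parse_version(v):
    """'4.3.9-1.dfsg' -> (4, 3, 9). Tuples compare numerically, so
    4.3.9 < 4.3.10 holds (a plain string compare would get this wrong)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised PHP version: {v!r}")
    return tuple(int(x) for x in m.groups())

def php_is_vulnerable(version):
    """True when the version predates the fixed release of its major line."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return False  # major line not covered by the advisory summary
    return parsed < fixed

def find_defaced_indexes(webroot):
    """Return index files under webroot whose content carries a marker."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not (path.is_file() and INDEX_RE.match(path.name)):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if any(marker in text for marker in MARKERS):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)

def demo():
    """Constructed web root: one clean index and one defaced forum index."""
    root = Path(tempfile.mkdtemp())
    (root / "forum").mkdir()
    (root / "index.html").write_text("<html><body>welcome</body></html>")
    (root / "forum" / "index.php").write_text(
        "<h1>This site is defaced!!!</h1> NeverEverNoSanity WebWorm generation 8.")
    return find_defaced_indexes(root)
```

Run `demo()` to see the scan report `['forum/index.php']`; point `find_defaced_indexes()` at a real document root to triage an actual server.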