Mailing List Archive

Fwd: Re: Rumours about Apache 1.3.22 exploits
FYI

---------- Forwarded Message ----------

Subject: Re: Rumours about Apache 1.3.22 exploits
Date: Wed, 27 Feb 2002 06:20:10 -0600
From: H D Moore <hdm@digitaloffense.net>
To: "TD - Sales International Holland B.V." <td@salesint.com>

Check out the PHP page, it contains a link to the relevant security holes:
http://www.php.net/


On Wednesday 27 February 2002 05:13 am, TD - Sales International Holland B.V. wrote:
> On Wednesday 27 February 2002 22:59, you wrote:
> > On Wednesday 27 February 2002 03:11 am, TD - Sales International Holland B.V. wrote:
> > > On Tuesday 26 February 2002 15:34, you wrote:
> > >
> > > Hmm but you would need a script with that function in it then or some
> > > way to make the script use that function then right?
> >
> > No, the code which decodes the mime stuff happens before even executing
> > the script contents, so any PHP script could be used to compromise the
> > box.
>
> Ah, I thought it was an email mime function. But I guess the exploit is in
> the MIME decode of the POST stuff then, is that correct? Are there any
> things I can do to prevent it? My PHP IS compiled as DSO, I wanted to do
> that for the SSL also, but I messed up with the apache ./configure command,
> I forgot to --enable-shared ssl :-(. Oh well, no need to recompile SSL
> anyways. Any ideas when PHP will be fixed?
>
> kind regards
>
> > > I'm just looking if I'm
> > > vulnerable. Kinda worried.... Only got 2 days to go here and I just
> > > compiled 1.3.22 with PHP 4.0.6 and SSL totally from scratch a while back
> > > and I don't feel like doing it again as I'm in a short time-span. But
> > > if we have to, we have to.....
> > >
> > > What do you recommend?
> >
> > Rebuild, compile as a DSO module, next time just upgrade the php module
> > ;)
> >
> > > Kind regards & thanks for the reply
> > >
> > > > On Tuesday 26 February 2002 02:44 am, TD - Sales International Holland B.V. wrote:
> > > > > On Monday 25 February 2002 14:32, you wrote:
> > > > >
> > > > > Hmm, but these bugs would only be exploitable then if you could PHP
> > > > > page on the server or not? AFAIK you can't have PHP execute
> > > > > commands that aren't in a file on the server right?
> > > >
> > > > No, remotely exploitable, no access needed.

-------------------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.