If you or your customers run PHPKIT, patch it NOW!
A while back, I reported several vulnerabilities in PHPKIT to the vendors. Although not very well-known in the rest of the world, there’s an abundance of installations of this product in German-speaking countries, since it is very easy to install, provides a German user (and administration) interface and has about the same feature set as the infamous PHP-Nuke.
After I reported the vulnerability, no response whatsoever was received. I phoned the vendor, and they told me something about an ominous “community release” and that I should report the issues in their forum. Hell yeah. I gave the advisory (including a PoC for each hole) to the forum administrator and told them to get a fix out of the door. They responded in a very weird fashion, but allegedly fixed the bugs and released an unofficial patch in the forum.
Read on for why this is bad and what happened...
In the web-based world and especially with products that have a rather nonprofessional target audience (such as forums, low-tech “CMSes”, clan site kits, guest books), patches in general tend to propagate quite slowly. Most software does not have a clearly communicated update channel or the possibility to even auto-check for critical upgrades. Even worse, some vendors silently discontinued their support and left a large install base unpatched. This seemed to be the case for PHPKIT - nobody seemed to care much and only a third party provided the support and updates that are the vendor’s obligation. And this for a commercial product. Not so good.
To put this negligence into perspective: The last change to the phpkit.de web site (apart from an obvious hot fix to close one of “my” holes) was in October, 2004. I take it that this also marked the last release version of PHPKIT. Microsoft, who are probably the incarnation of a vendor with a LOT of different versions with different bugs and a huge install base, have five (5) years of support for each of their products. Given that, even with a significantly smaller install base, a bug in web-based applications can be used to compromise well-connected, well-equipped machines, the decision not to release official patches for PHPKIT has to be viewed as not only customer-unfriendly, but also outright dangerous and counterproductive for the general security level.
Back to the topic at hand: While researching a totally unrelated topic, I got curious about some web sites I found with Google. I used the private PoC for the remote code execution hole in PHPKIT (it just does a phpinfo(), no phony stuff) to test the sites, which were mostly clan and modding/mapping sites - and found each of the three I tested to be vulnerable. Over three months after disclosure. Oh-kay.
That got me going and I typed the usual version string for PHPKIT into the holy oracle (TM). It yielded quite a lot of results, of which I tested the first two pages (10 results per page) - and every single installation was still vulnerable. That’s already 2 Gbps of accumulated DDoS or spamming bandwidth for a bot network owner. Since the exploit is extremely easy (somewhere in the difficulty range of Mambo’s/Joomla’s GLOBALS exploit), I deem it a miracle that no-one has yet written a worm for it.
I didn’t release the full PoC to the lists, though, so might that be the reason? Is full disclosure /always/ the right thing to do?
Whatever, if you or your customers/friends/friends of friends/spouses/parents/yacht club happen to run a PHPKIT installation, what can you do? Head over to the forum at http://www.phpkit.de/ and check for security updates. Bug the vendor about it - you probably spent money buying the product, so have the vendor fix it. Install something else. Turn off register_globals.
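The last piece of advice, turning off register_globals, is the one every admin can act on today. The snippet below is an added defensive example, not code from the post or from PHPKIT: it assumes mod_php with .htaccess overrides allowed for the first part, and for hosts where php.ini cannot be changed it shows the standard fallback of undoing what register_globals did before any application code runs (the file name prepend.php is an assumption).

```php
<?php
// Part 1 (preferred): switch the setting off for the whole site.
// Put this in php.ini, or in .htaccess when running mod_php:
//   register_globals = Off         (php.ini)
//   php_flag register_globals off  (.htaccess)

// Part 2 (fallback, e.g. shared hosting): include this file before any
// application code, via auto_prepend_file = /path/to/prepend.php in
// .htaccess (php_value auto_prepend_file ...) or by requiring it first.
// It throws away every global variable that register_globals created
// from request data, so uninitialised variables stay uninitialised.
if (ini_get('register_globals')) {
    // Names that must never be unset: PHP's own superglobals and $GLOBALS.
    $keep = array(
        'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
        '_FILES', '_SERVER', '_ENV', '_SESSION',
    );
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $keep, true)) {
                unset($GLOBALS[$name]);
            }
        }
    }
    unset($keep, $sources, $source, $name);
}

// Optional check for an admin page: report the effective setting so
// you can confirm the fix actually took hold on this host.
function register_globals_is_off()
{
    return !ini_get('register_globals');
}
```

Verify with a request like ?admin=1 to a test script that echoes isset($admin): after the fix it must print nothing, regardless of what the URL carries.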