Nice to see people with healthy ego: "the first and the only False Positive Free web application security scanner." (from full disclosure)
Sunday, September 2 2012

It's a bit frightening to see that anyone with access to a youtube account can cause unrest in the Middle East. Downside of global village.
Monday, September 17 2012

Internet Security Days 2012: Sessions about Mobile Malware and unencrypted Wifi. Priceless. #isd2012 #security #fail
Tuesday, September 11 2012

"Java - severe security vulnerability affects millions of pensioners" (original German: "...betrifft Millionen Rentner", with "Rentner", pensioners, misread for "Rechner", computers) #misread
Friday, August 31 2012
The PHP team has announced PHP 5.4.3 and 5.3.13, fixing two separate security issues.
CVE-2012-2311 and CVE-2012-1823 are both fixed now. These are the CVE numbers for the PHP-CGI bug that has been announced by Eindbazen last week, and extensively covered by myself in various posts.
In addition, CVE-2012-2329 has been fixed, another issue in PHP-CGI. This was a heap overflow triggered by specially crafted HTTP headers and a script executing apache_request_headers().
I have tested my own exploit against the new version (5.4 only, I have no 5.3 setup) and there does not seem to be a possibility to exploit the vectors opened in CVE-2012-2311 and CVE-2012-1823. These issues seem to be fixed now. I have no exploit code for CVE-2012-2329, so I cannot make a statement on whether it is fixed yet.

Update: I have tested Georg Wicherski’s PoC exploit against 5.4.3 and it seems that CVE-2012-2329 is now also fixed.
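For readers who still have unpatched php-cgi hosts to watch, here is an added example (mine, not from the original post or from the PHP project) that finds CVE-2012-1823-style requests in web server access logs. It relies on the publicly documented trigger condition that the vendor's mod_rewrite workaround also keys on: a raw query string that contains no `=` and does contain a dash (literal or `%2d`), which php-cgi would hand to its command-line option parser. The log lines, the `LOG_RE` pattern and the helper names are all constructed for this example.

```python
"""Detect php-cgi option-style query strings (CVE-2012-1823 / CVE-2012-2311) in access logs.

Added example, not from the original post. The detection condition mirrors the
published mod_rewrite workaround: raw query string without '=' but with '-' or '%2d'.
Sample log lines below are constructed, not real traffic.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Request-line part of a combined-format access log entry (constructed pattern).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

# Constructed sample log: lines 1 and 3 should be flagged, the others not.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2012:08:01:12 +0200] "GET /index.php?-s HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2012:08:01:13 +0200] "GET /index.php?page=-s HTTP/1.1" 200 512
10.0.0.7 - - [10/May/2012:08:02:00 +0200] "POST /index.php?%2Dd+display_errors%3dOn HTTP/1.1" 200 17
10.0.0.9 - - [10/May/2012:08:03:45 +0200] "GET /index.php?id=5&sort=-1 HTTP/1.1" 200 2048
10.0.0.9 - - [10/May/2012:08:04:10 +0200] "GET /static/logo.png HTTP/1.1" 200 9311
"""


def is_cli_style_query(raw_query: str) -> bool:
    """True if php-cgi would have treated this raw query string as command-line arguments.

    The check is done on the raw (still percent-encoded) query string, because that is
    what the CGI interface inspects: no '=' anywhere, and a dash present in some form.
    """
    if not raw_query or "=" in raw_query:
        return False
    return re.search(r"-|%2d", raw_query, re.IGNORECASE) is not None


def decoded_args(raw_query: str) -> list[str]:
    """Reconstruct the argv php-cgi would have seen: split on '+', then percent-decode each part."""
    return [unquote(part) for part in raw_query.split("+") if part]


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request line: path, decoded argv and the raw line."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("path").partition("?")
        if is_cli_style_query(query):
            findings.append({"path": path, "args": decoded_args(query), "line": line})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"suspicious php-cgi argv {hit['args']} for {hit['path']}")
```

Note that the second sample line (`page=-s`) is correctly left alone: once an `=` is present the query string is treated as ordinary form data, which is also why the published workaround only rewrites `=`-free query strings.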
A couple weeks ago, I blogged about PHPshield’s anonymous website, raising more than an eyebrow to the ominous business practices of hiding the true owner’s identity while selling a whitelabelled product.
To my great relief, Adrian responded quickly back then, but to my dismay it seemed like he was only paying lip service. I asked him again today via private mail and his response was swift. The whois entries for phpshield.com now point to his person and we can expect additional information on the web site itself soon.
I like it when things can be resolved like that and I actually think this is a chance for his product rather than a possible competition issue.
By clearly stating what differentiates phpshield from SourceGuardian (his flagship PHP encoding product), Adrian’s company, Inovica, can create user awareness and offer a possibility to make an informed decision for the product that actually fills their needs. I’m sure he thought about something like that already and of course it’s his decision. It’s just that I would probably try to do it that way if I had two products that are not identical, but being marketed in a similar environment.
Anyway, just wanted to update you folks on this rather positive outcome. Have a nice evening. I’ll be trolling again soon
Just by accident (you should never browse your feed reader directly before going to bed), I stumbled upon an incredibly self-ironic posting in some dude’s blog. I have to ask myself: What are you guys taking? Are you seriously discussing any kind of name-dropping as an interview subject?
It’s not only irrelevant who created a programming language, it’s even a hindrance for interviewers since all that small-talk bullshit takes precious time off the actual knowledge assessment. And I’ll be damned before I let someone who happens to know how Rasmus’s mother’s cat’s brother was named get in the way of an actual developer who knows what they are doing. Then again, I’m in the lucky position not to be able (or have to, depending on your PoV) to hire “PHP developers”.
This whole discussion is just fat bullshit. What are you thinking? I couldn’t give a fat fuck about people who know names. I don’t give a shit if someone knows that a dude wrote an, erm... “magazine” about security at O’Reilly or if some dude named Lerdorf thought it’s a great idea to do some dynamic web stuff. I want to know if people know their trade.
Really. It’s unbelievably ridiculous. Get a hold of yourselves. Are you really thinking that knowing names is worth ANYTHING?
This landed in the webmaster ätt de-punkt.de mailbox this morning. We’ll skip the usual boring header analysis; it comes from a botnet anyway (in this case from beautiful Argentina... hm, steak!). The only interesting part is the content:

To: <xxx@de-punkt.de>
Subject: Attention, please have your login data and password ready
Subject: ATTENTION, nasty VIRUS. Urgently include this file on your web server
===============================

Dear Sir or Madam, at the moment millions of web servers are being infected by viruses. For your protection, please be sure to include the attachment on your website in the following directory: www.de-punkt.de/robots.txt
You create the robots file with your editor:
__________________________________________
User-agent: *
Disallow: /
____________________________________________
Save this as robots.txt and include it in your root directory.

Only this way is it certain that no damage occurs, because you forbid the virus from visiting your website. Please hurry, since a considerable attack is to be expected this weekend.

Any questions?

Internet-Security-Team Meisenweg 11
47441 Moers
0900-8XXXXX2

Apparently somebody wants de-punkt.de to give up its PR6 by simply denying all bots access to our website, because that is all the “attached” robots.txt says. An interesting social engineering approach; really only two questions remain:
1. Who falls for something like this?
2. Who else received this mail?
On 2: Apparently quite a few; there are already various blog and news entries if you google “Internet Security Team Moers”, for example here, here and here.
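To make the effect of the “attached” robots.txt concrete, here is an added example (not from the original post) that feeds both the mailed file and a sane alternative through Python’s standard `urllib.robotparser` and asks what a crawler may fetch. The two robots.txt bodies and the `https://www.example.org` host are constructed placeholders.

```python
"""Show what the social-engineered robots.txt does to crawler access.

Added example, not from the original post. Uses the standard library robots.txt
parser so the check can run as part of a deploy test before a robots.txt change
goes live. Both files below are constructed for this example.
"""
from urllib import robotparser

# The file the mail asked site owners to deploy: every crawler is locked out of everything.
HOSTILE_ROBOTS_TXT = """\
User-agent: *
Disallow: /
"""

# A sensible robots.txt for comparison (constructed): only non-public paths are excluded.
SANE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/
"""

SITE = "https://www.example.org"  # placeholder host, not the site from the post


def parse_robots(robots_txt: str) -> robotparser.RobotFileParser:
    """Parse robots.txt content from a string (no network access needed)."""
    parser = robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def crawlable_paths(robots_txt: str, paths, agent: str = "Googlebot") -> dict:
    """Map each path to whether `agent` may fetch it under the given robots.txt."""
    parser = parse_robots(robots_txt)
    return {path: parser.can_fetch(agent, SITE + path) for path in paths}


def indexable_share(robots_txt: str, paths, agent: str = "Googlebot") -> float:
    """Fraction of the given public paths that remain fetchable: 0.0 means the site vanished from search."""
    allowed = crawlable_paths(robots_txt, paths, agent)
    return sum(allowed.values()) / len(allowed) if allowed else 0.0


if __name__ == "__main__":
    public = ["/", "/news/", "/products/item-1.html", "/admin/"]
    print("mailed robots.txt:", crawlable_paths(HOSTILE_ROBOTS_TXT, public))
    print("sane robots.txt:  ", crawlable_paths(SANE_ROBOTS_TXT, public))
```

Running this before publishing a robots.txt change is a cheap guard against exactly the outcome the mail was angling for: a single `Disallow: /` under `User-agent: *` drops the indexable share of the site to zero.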
Just a real quick hotfix to the critical vulnerability described in this advisory:

```apache
<Files cmd.php>
Deny from All
</Files>
```

Put this into the .htaccess in your cacti directory and you should be good. This does not have any impact on the poller cronjob and does not require code or ini changes.
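The `Deny from All` form above is Apache 2.2 syntax; on Apache 2.4 it is only understood when mod_access_compat is loaded, and an unknown directive in .htaccess produces a 500 error. The following is an added variant (not from the original post) that works on both versions by selecting the directive set based on which authorization module is present:

```apache
# Added example, not from the original post: block cmd.php on Apache 2.2 and 2.4.
# Goes into the .htaccess in the cacti web directory, same place as the hotfix above.
<Files "cmd.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 (mod_authz_core)
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (mod_authz_host)
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
```

After deploying, request cmd.php once from a browser and confirm you get a 403 rather than a 500; the latter means the server rejected the directives instead of enforcing them.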
(Didn’t get to blog this earlier, sorry) I was very surprised and disappointed to find a very harshly formulated FUD flyer in my conference bag that was obviously aiming at Typo3. I am talking about the anti-Typo3 tirade that “Flying Dog” uses to lobby their own commercial content management system. I’ve taken the liberty of scanning it and providing you with a rough translation (click thumbnail for a larger view).
Basically, it says “Would you entrust your content to these 3Types” on the crimson-red front, showing three bad clip-art mobsters. The central mobster turns up on the backside, showing his best gangster face and telling the reader that, “our opensource CMS is complex and can do a lot. It is user friendly for editors and has a lot of extensions: You can do almost everything with these. It has a large community. Apart from that, it’s free, opensource and therefore your first choice. Why use a commercial CMS?”
“Man, he’s right”, you might say. I would think so too, and actually this whole statement is entirely true. While you can probably say a lot against Typo3, it has all the features described. The UI needs a little getting used to, but most editors of online media I know are fine with it. Flying Dog software, the vendor of the Powerslave CMS, seems to think differently. They state so on the right side of their flyer, saying “There are modern myths that present themselves as a collective, irrational imagination”. You doggy guys are talking about flying spaghetti monsters, are you? Because good open-source PHP CMSes are not a myth, nor irrational - but they’re certainly modern. Some hints for you: eZ publish, Typo3, Papaya, Joomla. All of them surely have their up- and downsides, but doesn’t any product have these?
The last paragraph is a short “feature” list, more or less only marketing speak, with no contradiction or clarification on why the so-called “myths” are mythic at all. It’s ironic, though, to see the last bullet point (above the price): “10 years of experience in the area of conflict of open technologies and commercial software”.
There is no argumentative approach to the whole matter at all and I personally feel this flyer to be offensive to anybody who embraces OSS, sells products and support based on OSS and helps build OSS. I am quite convinced I will never recommend Powerslave to any one of my customers (I wouldn’t have anyway, Typo3 is fine for most) and the whole marketing campaign leaves a more than stale taste.
Is FUD the only way out for commercial vendors? Shouldn’t you find a USP for your product instead of spreading fear amongst your free competitors’ users? Should flying dogs try barking up different trees?
(Update: Turns out other blogs (german) have a more positive attitude towards this advertising. Doesn’t really surprise me, the ECM blog is a blog for commercial vendors obviously. See comments for clarification on the last sentence.)
Yesterday morning, I went to see Ben Ramsey’s talk on filtering. Although it seemed that beer-induced sleep deprivation had taken its toll on Ben, he presented his audience with a couple of valuable insights. Basically, what he conveyed to me (and his blog entry supports this) was not to use ext/filter or Zend_Filter at all. Nearly every second slide regarding functions of the ZF component or the extension contained remarks like “This doesn’t work yet, it’s a TODO”, “this won’t validate XY properly” or - particularly hilarious - “this function validates phone numbers, but they have to be US ones”. Useful. I have, like, 0 US customers.
So basically, if I was getting Ben right, we have an extension enabled by default that is of very limited use whatsoever. Is that a good thing? I dunno.
Since I’m currently planning the second edition of my book “PHP-Sicherheit” (if you’re a US or UK publisher and want to publish a localized version, do contact me!), I was contemplating the thought of adding a couple of references to ext/filter in the various input filtering chapters. After Ben’s session, I am not sure anymore.
Will ext/filter get enough developer attention over the next 4 or 5 months so it can actually become universally usable?
Does it make sense to enable unfinished extensions by default?
In the “information gathering” chapter of my book “PHP-Sicherheit” and my presentations on the same topic, I usually talk about how incredibly weird stuff can end up in the source code of rather big web sites. While checking a number of sites for a specific vulnerability, I ended up finding the following stuff. I modified it so there’s no real information leakage and am currently trying to reach the respective vendors.
<!--DB-Error in Zeile 1712: DB Error: syntax error: / Layouttyp3: - / SELECT layouttyp.datei,layouttyp.name FROM layouttyp INNER JOIN teaserplatz ON teaserplatz.layouttyp_id=layouttyp.id INNER JOIN teasertyp ON easerplatz.teasertyp_id=teasertyp.id INNER JOIN dokument ON teaserplatz.dokument_id=dokument.id WHERE teaserplatz.pos=5,’erbt_layout’ AND dokument.id=14528 AND teasertyp.name=’sonder’-->
<!--Fehler: Datei /export/www/CONTENT/soim-80/docs/cms/teasermanager/teasersnippets/ nicht gefunden<br>-->
And finally:

WARNING in file e:\Daten\enid\host\htdocs\media\layout\141.php on line 227: mysql_num_rows(): supplied argument is not a valid MySQL result resource
Although it might seem obvious, I cannot stress it enough: Remove debug code and possible PHP errors from your production sites!
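The three findings quoted above fall into three recognisable classes: SQL error text in HTML comments, server-side file paths, and PHP runtime warnings. Here is an added example (mine, not from the original post or the book) of a small response scanner that flags all three so they can be caught by a crawl or a deploy test before a site goes live. The sample page is constructed to have the same shape as the quoted findings; the pattern names and the `find_leaks` helper are my own.

```python
"""Flag debug and error leakage in HTML responses.

Added example, not from the original post. Scans HTML comments first (where
"hidden" debug output tends to land) and then the visible body for PHP warnings
and server paths. The sample page below is constructed for this example.
"""
from __future__ import annotations

import re

# Each pattern names one leakage class from the findings discussed in the post.
PATTERNS = {
    "sql_error": re.compile(r"DB[- ]Error|syntax error|\bSELECT\b.+\bFROM\b", re.I),
    "server_path": re.compile(r"(?:[A-Za-z]:\\|/export/|/var/www/|/home/)[\w\\/.-]+"),
    "php_warning": re.compile(r"\b(?:WARNING|Warning|Notice|Fatal error)\b.*?\bon line \d+"),
}
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

# Constructed sample page (not the real sites from the post).
SAMPLE_HTML = """<html><body>
<!--DB-Error in line 42: DB Error: syntax error: SELECT a.x FROM a WHERE id=3,'oops'-->
<!--Error: file /export/www/CONTENT/site/docs/snippets/ not found<br>-->
<p>Welcome to the site</p>
WARNING in file e:\\www\\htdocs\\layout\\141.php on line 227: mysql_num_rows(): supplied argument is not a valid MySQL result resource
</body></html>
"""


def find_leaks(html: str) -> list[dict]:
    """Return one finding per (leak class, location) with a short excerpt for the report."""
    findings = []
    # HTML comments: debug output that a developer "hid" from the user is still sent to everyone.
    for comment in COMMENT_RE.finditer(html):
        text = comment.group(1)
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append({"kind": kind, "where": "comment", "excerpt": text.strip()[:80]})
    # Visible body: typically warnings printed because display_errors is still on.
    body = COMMENT_RE.sub("", html)
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            findings.append({"kind": kind, "where": "body", "excerpt": match.group(0)[:80]})
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_HTML):
        print(f"{finding['kind']:12} in {finding['where']:7}: {finding['excerpt']}")
```

Setting `display_errors = Off` and `log_errors = On` in php.ini removes the third class from production output; the first two are application code writing diagnostics into the page and need to be found in review, which is what a scan like this is for.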
I already blogged this at our PHP Security Blog, but it is not (yet? hey Toby) aggregated on planet-php, so here goes again.
You can now download my session slides for the full-day workshop on PHP security - unfortunately for my international readers, they are in German. If that doesn’t scare you (because you got taught lots of useful german phrases in the last days, right Caitlin?), you can get them here: PHP Sicherheit Workshop.
If you need a little explanation on the PHP Security Quiz by Mayflower, just read the extended entry.
18:44:03 recorda why is my code shit?
18:44:08 @absynth because it is insecure
18:44:25 recorda it runs over https anyway
Update:
21:49:49 recorda absynth: security scripts are totally pointless anyway, if I can make a .htaccess nobody can get into the script except the admin who uses the cms
That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.
All in all, I roughly travelled around 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu).
My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said on the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatical and wellformed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.
For about 4 hours now, the PHP Vikinger has been in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now, everyone who wants to gets up and does a presentation, starts a discussion or - as Kris is currently doing - stimulates brainstorming with the attending core developers and other PHP nerds.
The current discussion is even somewhat strategic, pointing out things that PHP still lacks, things that need to adapt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed.
After that, Ilia and I will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.