By Robert Lemos
Staff Writer, CNET News.com
February 27, 2002, 5:40 PM PT
A flaw in the common open-source scripting language PHP could allow attackers to crash or compromise a hefty fraction of the nine million servers running the open-source Web software Apache, as well as other Web servers.
A member of the PHP engineering team warned Web developers of the software flaws in an advisory on Wednesday, but security experts believe that while some in the Internet underground have tools to exploit the flaw, few people have the resources.
"It is not really easy to execute," said Johannes Ullrich, chief technology officer for the SANS (System Administration, Networking, and Security) Internet Storm Center, who obtained a program file that illustrates the vulnerability.
A handful of holes appear in different versions of PHP, a scripting language that can be installed on many different Web servers--including Apache, Microsoft's Internet Information Server and iPlanet--allowing them to create Web pages on the fly from a database of information.
PHP software originally stood for Personal Homepage, before the script evolved into a much more complex language. It's best known for letting developers create more-easily modified Web sites based entirely on a collection of open-source software known as LAMP, which includes the Linux operating system, the Apache Web server, the MySQL database, and PHP or Python scripting languages. Survey firm Netcraft estimates that nearly nine million Web servers, about 64 percent, use Apache, and because of PHP's popularity, a large fraction of those sites are likely to have the software installed.
The flaws affect mainly Web sites running on Linux and Solaris operating systems. However, one flaw also affects Microsoft operating systems running versions 3.0.10 to 3.0.18 of the PHP module, according to an advisory released by German security and Internet software company e-Matters.
In the past, Microsoft's Internet Information Server has had a slew of problems with flaws in its components that allowed hackers and worms to break in. This time, the software appears to be less vulnerable to the PHP flaw.
The flaws, a collection of heap overflows and problematic boundary checks, could crash vulnerable servers or allow attackers full access to them, said the advisory. Different flaws affect various versions of PHP, from 3.0.10 to 4.1.1.
Ullrich and the PHP Web site recommend that Linux and Solaris Web sites using PHP upgrade their software to the latest version, 4.1.2, which solves the problem.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University also warned of the flaw Wednesday.
Ullrich said the problems posed by the vulnerabilities are heightened because security experts are uncertain how widely knowledge of the flaws has spread.
"There are these two camps. The disclosure people shout and say they have a new exploit," Ullrich said, referring to "exploit code," or programs capable of taking advantage of the software flaws, "and the non-disclosure people hold on to it and use it to attack certain sites, and trade them in IRC chat rooms."
Ullrich believes the latter group may have had exploit code for as long as a month.