Information Security News mailing list archives

Attackers target unpatched PHP bug allowing malicious code execution (Updated)


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 8 May 2012 04:19:39 -0500 (CDT)

http://arstechnica.com/business/news/2012/05/attackers-target-unpatched-php-bug-allowing-malicious-code-execution.ars

By Dan Goodin
ars technica
May 7, 2012

A huge number of websites around the world are endangered by an unpatched vulnerability in the PHP scripting language that attackers are already trying to exploit to remotely take control of underlying servers, security researchers warned.

The code-execution attacks threaten PHP websites only when they run in common gateway interface (CGI) mode, Darian Anthony Patrick, a Web application security consultant with Criticode, told Ars. Sites running PHP in FastCGI mode aren't affected. Nobody knows exactly how many websites are at risk, because sites also must meet several other criteria to be vulnerable, including not having a firewall that blocks certain ports. Nonetheless, sites running CGI-configured PHP on the Apache webserver are by default vulnerable to attacks that make it easy for hackers to run code that plants backdoors or downloads files containing sensitive user data.

Making matters worse, full details of the bug became public last week, giving attackers everything they need to locate and exploit vulnerable websites.

"The huge issue is the remote code execution, and that's really easy to figure out how to do," Patrick said. "If I as an attacker found it existed on a particular site, it would be exciting because I own everything. It's the kind of vulnerability where it's probably not super prevalent, but if it's there, it's not a minor thing."

[...]

