On Tuesday 28 March 2006 15:55, Tõnu Samuel wrote:
> Hi everybody!
>
> I want to tell that a pretty nasty bug was discovered in PHP (all tested
> versions were vulnerable). I do not want to disclose many details as it may
> hurt many websites. I expect the PHP team to make a patch first.
>
> There is a simple way to protect yourself against this bug if you put some
> code in the beginning of every source code looking for weird ASCII bytes before
> any other code. Make some kind of "white-list" for characters you allow and
> deny everything else.

I got a lot of mails about the topic, so I will try to make a FAQ here.

Q: Is it a remote or local exploit?
A: Both. Works 100% for local and less for remote.

Q: Looking for weird ASCII WHERE?
A: In $_GET, $_POST, $_COOKIE and $_REQUEST. This should help in most cases.

Q: Why did you post so little information?
A: More seems to be dangerous. I hope in this case it is possible to fight the problem before a real 0day comes out.

Q: Which exact PHP versions are affected?
A: I believe ALL of them. I am running 5.0.4 coming with SuSE 10 and all updates, but I received reports for other distributions, and PHP 4 and 5 both are vulnerable.

One more thing - many people mail me from public webmail accounts telling "I am the admin of big bank, can you tell details?". Sorry, I do not know if you are real or not.

Tõnu
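
One way to implement the white-list check described in the message above, as an added example that is not part of the original post and is not a fix for the underlying bug, whose details the post withholds. The allowed byte set (printable ASCII plus tab, CR and LF), the function names and the nesting limit are assumptions to adjust per application; the code needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original post. ASSUMPTION: the allowed set is
// printable ASCII plus tab, CR and LF; \A...\z anchors the whole byte string.
const ALLOWED_BYTES = '/\A[\x20-\x7E\t\r\n]*\z/';

// Return the path of the first key or value holding a byte outside the
// white-list, or null if none. Recurses into nested input such as a[b][]=x.
function find_disallowed($data, string $path, int $depth = 0): ?string
{
    if ($depth > 16) {              // hypothetical limit: refuse deep nesting
        return $path;
    }
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            if (preg_match(ALLOWED_BYTES, (string) $key) !== 1) {
                return $path . '[<key>]';   // never echo the offending key
            }
            $hit = find_disallowed($value, $path . '[' . $key . ']', $depth + 1);
            if ($hit !== null) {
                return $hit;
            }
        }
        return null;
    }
    // Request superglobals hold only strings and arrays. A preg_match error
    // (false) is treated as a failed check, so the guard fails closed.
    return (is_string($data) && preg_match(ALLOWED_BYTES, $data) !== 1) ? $path : null;
}

function guard_request(array $sources): ?string
{
    foreach ($sources as $name => $data) {
        $hit = find_disallowed($data, $name);
        if ($hit !== null) {
            return $hit;
        }
    }
    return null;
}

// Run before any other application code touches request data.
$hit = guard_request(['_GET' => $_GET, '_POST' => $_POST,
                      '_COOKIE' => $_COOKIE, '_REQUEST' => $_REQUEST]);
if ($hit !== null) {
    error_log('rejected request: disallowed byte in ' . addcslashes($hit, "\0..\37"));
    http_response_code(400);
    exit('Bad request');
}
```

Loading this file through the `auto_prepend_file` setting in php.ini runs it ahead of every script without editing each one. Sites that accept non-ASCII text will need a wider allowed set than the one assumed here.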
