Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-07 Thread Toni Mueller
Hello Jacob,

On Tue, 02.05.2006 at 22:39:54 -0700, Jacob Meuser [EMAIL PROTECTED] wrote:
 have you tested Robert's php update and given him feedback?  if not,
 you really have no place to complain.

this is not quite correct. He has posted an update to PHP5 which
doesn't solve any of the problems in PHP4 (obviously).

FWIW, I've tried to get info about that I *think* well before 3.9
freeze, but didn't get any useful responses on ports@, only sometime
after freeze, I've got some explanation in private mail from someone
who also happens to be on that list.


Best,
--Toni++



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Jacob Meuser
On Tue, May 02, 2006 at 10:05:28PM -0700, paul dansing wrote:
 Is there some reason this issue is being ignored?  What, you people
 need to see an exploit before you will even LOOK at it and answer
 whether it is vuln?

sorry, but wouldn't it make more sense to ask on a php list whether
those versions of php have the vulnerabilities?  maybe they are just
on the php 5.1.x line?  really, the php folks are more to blame for
the lack of details, IMO.

have you tested Robert's php update and given him feedback?  if not,
you really have no place to complain.

and if you are not satisfied with this, then install php-5.1.3
on your own and be done with it.

-- 
[EMAIL PROTECTED]



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Kian Mohageri

Is somebody stopping you from installing via source?

Kian

paul dansing wrote:

Is there some reason this issue is being ignored?  What, you people
need to see an exploit before you will even LOOK at it and answer
whether it is vuln?



Can someone please give a straight answer about these PHP security
holes?  OpenBSD 3.9 released yesterday had packages supporting:
php 4.4.1p0
php 5.0.5p0
are either of these vulnerable? if so, is someone going to release
updated packages (not just ports)?



the php 5.1.3 release:



The security issues resolved include the following:



 * Disallow certain characters in session names.
 * Fixed a buffer overflow inside the wordwrap() function.
 * Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
 * Enforce safe_mode for the source parameter of the copy() function.
 * Fixed cross-site scripting inside the phpinfo() function.
 * Fixed offset/length parameter validation inside the substr_compare() function.
 * Fixed a heap corruption inside the session extension.
 * Fixed a bug that would allow variable to survive unset().



thanks



Monday, May 1, 2006, 7:18:50 AM, you wrote:



Hi.



I haven't received a single test report, but I still get
letters about asking for an update. How's that?
This tarball also includes mysqli, fastcgi and hardened php support:
http://gi.unideb.hu/~robert/php.tar.gz



On (28/04/06 01:59), Robert Nagy wrote:

Hi.

Finally after fighting with pear I've managed to create a working update
for the php5 port.
The PHP guys have changed the installation method of pear to use some crappy
PHP_Archive. With this move they broke the installation of pear on several
linux distros (e.g. Frugalware), OpenDarwin and on OpenBSD of course.
Any other crappy package managements where they install files directly to 
${LOCALBASE}





--
Kian Mohageri
ResTek, Western Washington University
[EMAIL PROTECTED]



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Marc Espie
On Tue, May 02, 2006 at 10:05:28PM -0700, paul dansing wrote:
 Is there some reason this issue is being ignored?  What, you people
 need to see an exploit before you will even LOOK at it and answer
 whether it is vuln?

I'm not the maintainer of php itself, but still I have an opinion.

I don't like php, from a security point of view.
It has an AWFUL track record. Some people will tell you it has
seen lots of vulnerabilities because it's in heavy use. Well,
I've had a look at the code, it has seen lots of vulnerabilities
because it was never designed with security in mind.

That said, we provide php because some people may want it. I personally
would NOT want to run that on any kind of web server (in fact, I use
perl's HTML::Mason as the same kind of framework).

I can give you a simple answer though.

Yes, php* is vulnerable. 

Doesn't matter whether you're talking about this vulnerability, or another.
There will be another one lurking around the corner.

Fixing vulnerabilities in the php code is like sticking a finger in a dike.
Great legendary stuff, doesn't really work in reality.



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Damien Miller
On Tue, 2 May 2006, paul dansing wrote:

 Is there some reason this issue is being ignored?  What, you people
 need to see an exploit before you will even LOOK at it and answer
 whether it is vuln?

It isn't our job to tell you what software is vulnerable. But maybe
you should read your own email, especially as it includes this quote
from the OpenBSD developer who is trying to update our PHP version:

  I haven't received a single test report, but I still get
  letters about asking for an update. How's that?
  This tarball also includes mysqli, fastcgi and hardened php support:
  http://gi.unideb.hu/~robert/php.tar.gz

So, if you really care then stop whinging and start testing!

-d



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread paul dansing
php is required in order to use many of the more mature web
applications such as forum software.  i run apache chroot, use
modsecurity, and use ipf to limit the www user.  a tight systrace
policy might help but not very much incremental gain.  everyone says
php is a security breach waiting to happen, so what else can i do if i
want to use these large apps without rewriting them from scratch in
another language?

also, i wish openbsd would release updated packages instead of just
the patches.  i would do it myself but who would trust a binary some
random guy posts? openbsd maintainers have to step up and do this. why
aren't you guys releasing package updates anyway?  when you post a
source patch on your errata page, take the few extra minutes to make an
updated package and post that as well please! :)

thanks



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Stuart Henderson
On 2006/05/03 01:08, paul dansing wrote:
 also, i wish openbsd would release updated packages instead of just
 the patches.

This generally does happen for security updates, look at e.g. openvpn 
in a 3.8 packages mirror (not one but two updates...they're not there
for 3.9 yet, but port updates only went into OPENBSD_3_9 recently, so
you might find the new packages built from these arrive soon).



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Nico Meijer
Hi Paul,

 everyone says
 php is a security breach waiting to happen, so what else can i do if i
 want to use these large apps without rewriting them from scratch in
 another language?

Stop complaining and actually do something about it. Playing victim is
not going to get you anywhere. But let's not get sidetracked, shall we?

 openbsd maintainers have to step up and do this. why
 aren't you guys releasing package updates anyway?

No offense, but someone might take offense at your tone. Just so you
know.

 when you post a
 source patch on your errata page, take the few extra minutes to make an
 updated package and post that as well please! :)

http://www.openbsd.org/pkg-stable.html

HTH... Nico



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Robert Nagy
PHP will be updated in 3.9 and 3.8. But first
we need to take the port in HEAD to 5.1.*.

I already sent updates to mailing lists but I do not
see any test report from you.

If we update a port in a stable branch we do
build the updated packages. Maybe you should
read some documentation.



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Rogier Krieger

On 5/3/06, paul dansing [EMAIL PROTECTED] wrote:

php is required in order to use many of the more mature web
applications such as forum software.


It's open for debate whether maturity also extends to the platform
chosen for an application. Fortunately, everyone gets to decide that
for themselves.



everyone says php is a security breach waiting to happen, so what else can i do
if i want to use these large apps without rewriting them from scratch


You suspend the service or continue it, waiting for said security
breach. Alternatively, you could continue along bolting things down or
auditing code. Or put in the testing effort as requested by
developers. Try what works best for you.



when you post a source patch on your errata page, take the few extra
minutes to make an updated package and post that as well please! :)


Perhaps developers see a better use for those few extra minutes. IIRC,
updated packages (with increasing patch level numbers) also end up on
the distribution sites. If I'm wrong on this, feel free to correct me.

If such a timeframe does not cover your needs, how about setting up
your own build host? It is rather easy to generate release filesets
and packages from the -stable branch. At the expense of some
resources, you solve your problem. It works for me, that is.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Marc Espie
On Wed, May 03, 2006 at 01:08:50AM -0700, paul dansing wrote:
 also, i wish openbsd would release updated packages instead of just
 the patches.  i would do it myself but who would trust a binary some
 random guy posts? openbsd maintainers have to step up and do this. why
 aren't you guys releasing package updates anyway?  when you post a
 source patch on your errata page, take the few extra minutes to make an
 updated package and post that as well please! :)

You don't know what you're talking about.

Releasing updated packages means having an extra machine that would run
only stable, and building stuff on that as well.

This is not a few minutes more, more like three or four hours of definitely
not fun work.



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Stephen Takacs
paul dansing [EMAIL PROTECTED] wrote:
 php is required in order to use many of the more mature web
 applications such as forum software.  i run apache chroot, use
 modsecurity, and use ipf to limit the www user.  a tight systrace
 policy might help but not very much incremental gain.  everyone says
 php is a security breach waiting to happen, so what else can i do if i
 want to use these large apps without rewriting them from scratch in
 another language?

There is in fact mature web software out there that's not written in
PHP.  Just as an example:
http://www.gossamer-threads.com/
You can probably find free (no $$$) stuff also if you poke around a bit.

The real problem is that PHP (and MySQL too) is ubiquitous, whereas
you'll be hard-pressed to find web hosts who offer accounts with
mod_perl, fastcgi, or postgresql.  They exist, but they're just not as
common, and they tend to charge more than $4.99/mo.  Then again, it
sounds like you're running your own OpenBSD server, so this probably
isn't an issue...

-- 
Stephen Takacs   [EMAIL PROTECTED]   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Adam
On Wed, 3 May 2006 01:08:50 -0700 paul dansing [EMAIL PROTECTED] wrote:

 php is required in order to use many of the more mature web
 applications such as forum software.  i run apache chroot, use
 modsecurity, and use ipf to limit the www user.  a tight systrace
 policy might help but not very much incremental gain.  everyone says
 php is a security breach waiting to happen, so what else can i do if i
 want to use these large apps without rewriting them from scratch in
 another language?

There is plenty of stuff written in better languages.  Not only is PHP
a horrible nightmare, but 90% of the code written in it is even worse.
Are you actually looking at the code you are using, or are you just
installing crap like phpBB because everyone else does?

Adam