Operating System - OpenVMS

Re: PHP critical security flaw under Apache, OpenVMS affected?

 
Richard Jordan
Regular Advisor

PHP critical security flaw under Apache, OpenVMS affected?

PHP released V5 yesterday, but also released update 4.3.8 to fix a "major" security hole that is exploitable due to a problem with Apache being fooled into accepting overly long requests (if I read the announcement correctly). Link is http://security.e-matters.de/advisories/112004.html

I'm away from my systems for a few days; no access or time to do testing. Any info on impact to OpenVMS with CSWS/PHP would be appreciated. Also if there is a problem on VMS, any word on updates/patches/corrections would also be appreciated. Although we're not running anything on PHP publicly yet, it won't be long...

Thanks

Rich Jordan
John Gillings
Honored Contributor

Re: PHP critical security flaw under Apache, OpenVMS affected?

Rich,

A tricky question to answer properly in a forum like this. Obviously I can't give a definitive answer about this specific issue, but I can make a few generic observations about this kind of issue on OpenVMS Alpha.

1) Buffer overflow exploits that attempt to force the host to execute arbitrary code must be processor and operating system specific. OpenVMS Alpha, being a RISC architecture, is harder to write for than other platforms, and its relative rarity makes the extra effort less worthwhile for exploiters. "Security by Obscurity is no Security" is certainly true in an absolute sense, but it doesn't hurt!

2) On OpenVMS Alpha neither the stack nor data pages are executable, so execution of arbitrary code exploits are particularly difficult to achieve.

3) At BEST (or is that WORST?), even if you got around the considerable difficulty of exploiting a buffer overflow, any resulting code would execute only in the context of the web server process, and therefore should not have access to any elevated privileges. You might break the process, but it's extremely unlikely you could do any real damage to the system as a whole.

So, that's not to say that OpenVMS is completely immune to exploitation of this kind of vulnerability, but it comes very close! "Cool and Unhackable" :-)

More specific information about these vulnerabilities can be found at:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Solutions for both candidates are available.
A crucible of informative mistakes
Richard Jordan
Regular Advisor

Re: PHP critical security flaw under Apache, OpenVMS affected?

Thanks for the info. The PHP error notifications I've seen do not make it clear that the exploit is architecture specific, though that is of course the most likely case. I'm more worried about the possibility of being able to inject arbitrary PHP code into the execution stream. It would make sense that a DOS is more likely in a VMS environment than a compromise, but until we're sure we have to maintain significantly higher levels of monitoring on the sites we have running.

Since 4.3.8 is now the only recommended version of pre-V5 PHP, I'm hoping the good VMS folks at HP are going to give us an update soon. Porting the fix to the problem in Apache/CSWS would be nice too.