- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: PHP critical security flaw under Apache, OpenV...
Operating System - OpenVMS
1753888
Members
7432
Online
108809
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-15-2004 07:57 AM
тАО07-15-2004 07:57 AM
PHP critical security flaw under Apache, OpenVMS affected?
PHP released V5 yesterday, but also released update 4.3.8 to fix a "major" security hole that is exploitable due to a problem with Apache being fooled into accepting overly long requests (if I read the announcement correctly). Link is http://security.e-matters.de/advisories/112004.html
I'm away from my systems for a few days; no access or time to do testing. Any info on impact to OpenVMS with CSWS/PHP would be appreciated. Also if there is a problem on VMS, any word on updates/patches/corrections would also be appreciated. Although we're not running anything on PHP publically yet, it won't be long...
Thanks
Rich Jordan
I'm away from my systems for a few days; no access or time to do testing. Any info on impact to OpenVMS with CSWS/PHP would be appreciated. Also if there is a problem on VMS, any word on updates/patches/corrections would also be appreciated. Although we're not running anything on PHP publically yet, it won't be long...
Thanks
Rich Jordan
2 REPLIES 2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-15-2004 02:10 PM
тАО07-15-2004 02:10 PM
Re: PHP critical security flaw under Apache, OpenVMS affected?
Rich,
A tricky question to answer properly in a forum like this. Obviously I can't give a definitive answer about this specific issue, I can make a few generic observations about this kind of issue on OpenVMS Alpha.
1) Buffer overflow exploits that attempt to force the host to execute arbitrary code must be processor and operating system specific. OpenVMS Alpha, being a RISC architecture, is harder to write for than other platforms, and its relative rarity makes the extra effort less worthwhile for exploiters. "Security by Obscurity is no Security" is certainly true in an absolute sense, but it doesn't hurt!
2) On OpenVMS Alpha neither the stack nor data pages are executable, so execution of arbitrary code exploits are particularly difficult to achieve.
3) At BEST (or is that WORST?), even if you got around the considerable difficulty of exploiting a buffer overflow, any resulting code would execute only in the context of the web server process, and therefore should not have access to any elevated privileges. You might break the process, but it's extremely unlikely you could do any real damage to the system as a whole.
So, that's not to say that OpenVMS is completely immune to exploitation of this kind of vulnerability, but it comes very close! "Cool and Unhackable" :-)
More specific information about these vulnerabilities can be found at:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Solutions for both cndidates are available.
A tricky question to answer properly in a forum like this. Obviously I can't give a definitive answer about this specific issue, I can make a few generic observations about this kind of issue on OpenVMS Alpha.
1) Buffer overflow exploits that attempt to force the host to execute arbitrary code must be processor and operating system specific. OpenVMS Alpha, being a RISC architecture, is harder to write for than other platforms, and its relative rarity makes the extra effort less worthwhile for exploiters. "Security by Obscurity is no Security" is certainly true in an absolute sense, but it doesn't hurt!
2) On OpenVMS Alpha neither the stack nor data pages are executable, so execution of arbitrary code exploits are particularly difficult to achieve.
3) At BEST (or is that WORST?), even if you got around the considerable difficulty of exploiting a buffer overflow, any resulting code would execute only in the context of the web server process, and therefore should not have access to any elevated privileges. You might break the process, but it's extremely unlikely you could do any real damage to the system as a whole.
So, that's not to say that OpenVMS is completely immune to exploitation of this kind of vulnerability, but it comes very close! "Cool and Unhackable" :-)
More specific information about these vulnerabilities can be found at:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Solutions for both cndidates are available.
A crucible of informative mistakes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-16-2004 02:12 AM
тАО07-16-2004 02:12 AM
Re: PHP critical security flaw under Apache, OpenVMS affected?
Thanks for the info. The PHP error notifications I've seen do not make it clear that the exploit is architecture specific, though that is of course the most likely case. I'm more worried about the possibility of being able to inject arbitrary PHP code into the execution stream. It would make sense that a DOS is more likely in a VMS environment than a compromise, but until we're sure we have to maintain significantly higher levels of monitoring on the sites we have running.
Since 4.3.8 is now the only recommended version of pre-V5 PHP, I'm hoping the good VMS folks at HP are going to give us an update soon. Porting the fix to the problem in Apache/CSWS would be nice too.
Since 4.3.8 is now the only recommended version of pre-V5 PHP, I'm hoping the good VMS folks at HP are going to give us an update soon. Porting the fix to the problem in Apache/CSWS would be nice too.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP