Thread: PHP XSS vulnerability

PHP XSS vulnerability
United States
2007-03-05 13:53:45
There is an XSS vulnerability in PHP that affects some stable webapps.
Details can be found here:
http://www.php-security.org/MOPB/MOPB-08-2007.html

I know this affects phpWebSite since there is a phpinfo file in setup.
This will be removed upstream. All other apps need to be checked as well. I'm
running PHP Version 5.1.6-pl6-gentoo on my laptop right now and the XSS
attack works quite well. Not sure who maintains anything with regard to
webapps nowadays. I've come up with no response to several inquiries.
Figured everyone on the list would like to secure their servers in the
meanwhile.

Wendall

-- 
Only wimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)
        -- Linus Torvalds
Re: PHP XSS vulnerability
France
2007-03-20 07:34:59
On Mon, 05 Mar 2007, Wendall Cada wrote:

> There is an XSS vulnerability in PHP that affects some stable webapps.
> Details can be found here:
> http://www.php-security.org/MOPB/MOPB-08-2007.html

Hi,

there are a lot more serious bugs affecting PHP and PHP apps with
that MOPB.

See
https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&product=Gentoo+Security&content=php



> I know this affects phpWebSite since there is a phpinfo file in setup.

The XSS is not permanent, and as said earlier, this is a very weak
issue. I would nearly say it's a non-issue since that is the expected
theoretical behaviour of phpinfo().

Also, don't forget to restrict access to phpinfo() to a trusted network
only.


> This will be removed upstream. All other apps need to be checked as well. I'm
> running PHP Version 5.1.6-pl6-gentoo on my laptop right now and the XSS
> attack works quite well. Not sure who maintains anything with regard to
> webapps nowadays. I've come up with no response to several inquiries.

The devs who are currently maintaining PHP are very active due to that
month of PHP bugs so they have probably not received your inquiries,
otherwise I'm pretty sure they would have pointed you to bug 169372.

> Figured everyone on the list would like to secure their servers in the
> meanwhile.

Those who are concerned with security should follow our GLSAs. Those who
are really worried about real-time security should follow our bugzilla,
different information sources (full-disc, secunia...), or the upstream
advisories.


Generally, if you are warned about a security weakness on a stable
gentoo package, please go to bugs.gentoo.org, perform a quick search,
and if the search returns no result, please open a bug in the "Gentoo
Security" category (but most of the time, there will already be an
open bug). In that case the bug already existed.


Cheers,
-- 
Raphael Marichez aka Falco
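One way to act on the restriction Raphael recommends above, as an added example that is not part of this thread: a small PHP front-end that only calls phpinfo() for clients inside trusted IPv4 ranges and returns a plain 403 to everyone else. The ranges are constructed placeholders, and the CIDR check is a bitmask comparison against REMOTE_ADDR.

```php
<?php
// Added example (not from the thread): only call phpinfo() for clients
// inside trusted IPv4 networks; everyone else gets a plain 403.
// Assumes 64-bit PHP 7+ and that REMOTE_ADDR is the real client address.

// Trusted CIDR ranges: constructed placeholders, adjust for your network.
$trustedNetworks = ['127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16'];

/**
 * True when IPv4 address $ip lies inside $cidr ("a.b.c.d/n").
 * Anything unparsable is treated as untrusted.
 */
function ipv4InCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$network, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits > 32) {
        return false;
    }
    // /0 matches everything; otherwise build the high-order mask.
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedClient(string $ip, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ipv4InCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

if (!isTrustedClient($_SERVER['REMOTE_ADDR'] ?? '', $trustedNetworks)) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden\n";
    exit;
}
phpinfo();
```

Put this in place of the bare phpinfo file (or remove that file entirely, as the phpWebSite upstream did); if the host sits behind a reverse proxy, gate on the proxy's forwarded address only after validating that the proxy itself is trusted.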
Re: PHP XSS vulnerability
United States
2007-03-20 11:11:55
On Tue, 2007-03-20 at 13:34 +0100, Raphael Marichez wrote:
> 
> Those who are concerned with security should follow our GLSAs. Those who
> are really worried about real-time security should follow our bugzilla,
> different information sources (full-disc, secunia...), or the upstream
> advisories.
> 
> 
> Generally, if you are warned about a security weakness on a stable
> gentoo package, please go to bugs.gentoo.org, perform a quick search,
> and if the search returns no result, please open a bug in the "Gentoo
> Security" category (but most of the time, there will already be an
> open bug). In that case the bug already existed.

I did report the issue. It was added to the month of PHP bugs tracker.
However, I don't agree with your out-of-hand dismissal of sending this
to the list. Webapps under Gentoo are difficult to maintain at best.
People should know, and this is a very public security issue that people
can quickly and easily address. I fail to see the harm in mentioning it.
I certainly don't need any reinforcement on how to read GLSAs or search
bugzilla, but thanks for the information.

Wendall

