[pmwiki-announce] PmWiki security vulnerability (pmwiki-2.1.21 released)
Patrick R. Michaud
pmichaud at pobox.com
Tue Sep 5 09:04:44 CDT 2006
This morning I awoke to news of a security vulnerability in PmWiki
that apparently is being exploited by some botnet code that is running
"in the wild". (Source: http://isc.sans.org/diary.php?storyid=1672 [1])

The source of the vulnerability is a deep bug in the PHP/Zend engine
that causes the unset() operation to not work properly [2] [3], thus
preventing PmWiki from properly sanitizing variables set by
register_globals.

Thus, I've just released pmwiki-2.1.21, which closes off this particular
vulnerability. It's available from the usual locations:

    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.tgz
    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.zip
    http://www.sourceforge.net/projects/pmwiki
    svn://pmwiki.org/pmwiki/tags/latest

Of course, I recommend upgrading to the latest version at the earliest
opportunity.

For those sites that are unable or unwilling to upgrade at this time,
the vulnerability can be closed via one of these other mechanisms:

1. Turn off 'register_globals'. This can be done by changing the
   php.ini file to have

       register_globals = Off

   However, many sites don't have access to the php.ini file. On
   some sites it's also possible to disable register_globals via
   a .htaccess file in the same directory as pmwiki.php:

       php_flag register_globals Off

2. Patch the pmwiki.php code directly. The vulnerability can be
   closed via a small change to pmwiki.php. Near the beginning of
   the pmwiki.php code, find the lines that read

       if (ini_get('register_globals'))
         foreach($_REQUEST as $k=>$v) {
           if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
           unset(${$k});
         }

   and change them to read

       if (ini_get('register_globals'))
         foreach($_REQUEST as $k=>$v) {
           if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
           ${$k}=''; unset(${$k});
         }

Shortly I'll be publishing a tool on the pmwiki.org site that will
allow site administrators to enter the url of their pmwiki site and
it will report back as to whether the site is vulnerable or not
vulnerable to this particular exploit.

Apologies for any inconvenience. Questions and assistance are available
as always through the pmwiki-users mailing list, or contact me directly
at pmichaud at pobox.com .

Thanks!

Pm

References:
1. http://isc.sans.org/diary.php?storyid=1672
2. http://securitytracker.com/alerts/2006/Aug/1016649.html
3. http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
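
A check an administrator could run after applying mechanism 2, added here as an example that is not part of the original message or of PmWiki: it reports whether a given pmwiki.php copy contains the patched lines quoted above. The function names and the constructed sample files are hypothetical, and the match is on fixed strings, so it assumes the lines were pasted exactly as shown.

```shell
#!/bin/sh
# Added example (not PmWiki code): report whether a pmwiki.php copy carries
# the manual patch quoted in the message. Fixed-string match, so it assumes
# the lines were pasted verbatim.
OLD_GUARD='_REQUEST|_SESSION)$/i'
NEW_GUARD='_REQUEST|_SESSION|FarmD|WikiDir)$/i'
NEW_UNSET="\${\$k}=''; unset(\${\$k});"

# Prints patched | partial | unpatched | unknown for the file in $1.
check_pmwiki() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    guard=no; reset=no
    grep -qF -- "$NEW_GUARD" "$1" && guard=yes
    grep -qF -- "$NEW_UNSET" "$1" && reset=yes
    if [ "$guard$reset" = yesyes ]; then echo patched
    elif [ "$guard$reset" != nono ]; then echo partial
    elif grep -qF -- "$OLD_GUARD" "$1"; then echo unpatched
    else echo unknown
    fi
}

# Constructed sample input: writes the "old" or "new" listing to file $2.
write_sample() {
    if [ "$1" = new ]; then
        cat > "$2" <<'EOF'
if (ini_get('register_globals'))
  foreach($_REQUEST as $k=>$v) {
    if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
    ${$k}=''; unset(${$k});
  }
EOF
    else
        cat > "$2" <<'EOF'
if (ini_get('register_globals'))
  foreach($_REQUEST as $k=>$v) {
    if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
    unset(${$k});
  }
EOF
    fi
}

# Stand-alone use: sh check_pmwiki.sh /path/to/pmwiki.php
if [ $# -gt 0 ]; then check_pmwiki "$1"; fi
```

A result of "partial" means only one of the two changed lines was found, and "unknown" means neither listing was found, so the file needs manual inspection.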