[pmwiki-users] PmWiki security vulnerability (pmwiki-2.1.21 released)

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 09:04:44 CDT 2006 

This morning I awoke to news of a security vulnerability in PmWiki 
that apparently is being exploited by some botnet code that is running 
"in the wild".  (Source: http://isc.sans.org/diary.php?storyid=1672 [1])

The source of the vulnerability is a deep bug in the PHP/Zend engine
that causes the unset() operation to not work properly [2] [3], thus 
preventing PmWiki from properly sanitizing variables set by 
register_globals.

Thus, I've just released pmwiki-2.1.21, which closes off this particular
vulnerability.  It's available from the usual locations:

    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.tgz
    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.zip
    http://www.sourceforge.net/projects/pmwiki
    svn://pmwiki.org/pmwiki/tags/latest

Of course, I recommend upgrading to the latest version at the earliest
opportunity.

For those sites that are unable or unwilling to upgrade at this time,
the vulnerability can be closed via one of these other mechanisms:

1.  Turn off 'register_globals'.   This can be done by changing the
    php.ini file to have

        register_globals Off

    However, many sites don't have access to the php.ini file.  On
    some sites it's also possible to disable register_globals via
    a .htaccess file in the same directory as pmwiki.php:

        php_flag register_globals Off

2.  Patch the pmwiki.php code directly.  The vulnerability can be
    closed via a small change to pmwiki.php.  Near the beginning of
    the pmwiki.php code, find the lines that read

    if (ini_get('register_globals'))
      foreach($_REQUEST as $k=>$v) {
        if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
        unset(${$k});
      }

    and change them to read

    if (ini_get('register_globals'))
      foreach($_REQUEST as $k=>$v) {
        if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
        ${$k}=''; unset(${$k});
      }


Shortly I'll be publishing a tool on the pmwiki.org site that will
allow site administrators to enter the url of their pmwiki site and
it will report back as to whether the site is vulnerable or not
vulnerable to this particular exploit.

Apologies for any inconvenience.  Questions and assistance are available
as always through the pmwiki-users mailing list, or contact me directly
at pmichaud at pobox.com .

Thanks!

Pm


References:
1.  http://isc.sans.org/diary.php?storyid=1672
2.  http://securitytracker.com/alerts/2006/Aug/1016649.html
3.  http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

More information about the pmwiki-users mailing list