[pmwiki-users] PmWiki security vulnerability (pmwiki-2.1.21 released)
Patrick R. Michaud
pmichaud at pobox.com
Tue Sep 5 12:49:49 CDT 2006
On Tue, Sep 05, 2006 at 01:53:38PM -0300, Tony Abou-Assaleh wrote:
> Pm,
>
> Could you post a diff of what changed? Is it only the line you mentioned
> below in pmwiki.php? Thanks.

The diffs also appear in the distribution directory:

    http://www.pmichaud.com/pub/pmwiki/
    pmwiki-2.1.21.patch.gz   (diff from 2.1.20 to 2.1.21)
    pmwiki-2.1.22.patch.gz   (diff from 2.1.21 to 2.1.22)

Pm

> On Tue, 5 Sep 2006, Patrick R. Michaud wrote:
>
> > This morning I awoke to news of a security vulnerability in PmWiki
> > that apparently is being exploited by some botnet code that is running
> > "in the wild". (Source: http://isc.sans.org/diary.php?storyid=1672 [1])
> >
> > The source of the vulnerability is a deep bug in the PHP/Zend engine
> > that causes the unset() operation to not work properly [2] [3], thus
> > preventing PmWiki from properly sanitizing variables set by
> > register_globals.
> >
> > Thus, I've just released pmwiki-2.1.21, which closes off this particular
> > vulnerability. It's available from the usual locations:
> >
> > http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.tgz
> > http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.zip
> > http://www.sourceforge.net/projects/pmwiki
> > svn://pmwiki.org/pmwiki/tags/latest
> >
> > Of course, I recommend upgrading to the latest version at the earliest
> > opportunity.
> >
> > For those sites that are unable or unwilling to upgrade at this time,
> > the vulnerability can be closed via one of these other mechanisms:
> >
> > 1. Turn off 'register_globals'. This can be done by changing the
> >    php.ini file to have
> >
> >        register_globals = Off
> >
> >    However, many sites don't have access to the php.ini file. On
> >    some sites it's also possible to disable register_globals via
> >    a .htaccess file in the same directory as pmwiki.php:
> >
> >        php_flag register_globals Off
> >
> > 2. Patch the pmwiki.php code directly. The vulnerability can be
> >    closed via a small change to pmwiki.php. Near the beginning of
> >    the pmwiki.php code, find the lines that read
> >
> >        if (ini_get('register_globals'))
> >          foreach($_REQUEST as $k=>$v) {
> >            if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
> >            unset(${$k});
> >          }
> >
> >    and change them to read
> >
> >        if (ini_get('register_globals'))
> >          foreach($_REQUEST as $k=>$v) {
> >            if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
> >            ${$k}=''; unset(${$k});
> >          }
> >
> >
> > Shortly I'll be publishing a tool on the pmwiki.org site that will
> > allow site administrators to enter the url of their pmwiki site and
> > it will report back as to whether the site is vulnerable or not
> > vulnerable to this particular exploit.
> >
> > Apologies for any inconvenience. Questions and assistance are available
> > as always through the pmwiki-users mailing list, or contact me directly
> > at pmichaud at pobox.com .
> >
> > Thanks!
> >
> > Pm
> >
> >
> > References:
> > 1. http://isc.sans.org/diary.php?storyid=1672
> > 2. http://securitytracker.com/alerts/2006/Aug/1016649.html
> > 3. http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
> >
> >
>
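
A defender-side check for the two mitigations described in the message above, as an added example that is not part of the original post or of PmWiki: it classifies the register_globals loop in a pmwiki.php source text as patched or unpatched, and reads a php.ini or .htaccess text for the register_globals directive. The function names, regular expressions and sample strings are assumptions of this example.

```python
import re

# Patterns are this example's own, written to match the two loop variants
# quoted in the advisory; other PmWiki versions may lay the loop out differently.
LOOP = re.compile(
    r"ini_get\('register_globals'\)\)\s*"
    r"foreach\s*\(\$_REQUEST as \$k=>\$v\)\s*\{(.*?unset\(\$\{\$k\}\);)",
    re.S)
BLOCKLIST = re.compile(r"preg_match\('/\^\(([^)]*)\)\$/i'")
OVERWRITE = re.compile(r"\$\{\$k\}\s*=\s*''\s*;\s*unset\(\$\{\$k\}\)")

def audit_guard(php_source):
    """Classify the register_globals loop: 'patched', 'unpatched', 'not-found'."""
    loop = LOOP.search(php_source)
    if not loop:
        return "not-found"
    body = loop.group(1)
    names = BLOCKLIST.search(body)
    blocked = set(names.group(1).split("|")) if names else set()
    # The advisory's change has two parts: FarmD and WikiDir join the blocked
    # names, and the variable is assigned '' before unset() is called.
    if {"FarmD", "WikiDir"} <= blocked and OVERWRITE.search(body):
        return "patched"
    return "unpatched"

def register_globals_off(config_text):
    """True/False from the last active register_globals directive in a php.ini
    or .htaccess text; None if the text never sets it."""
    state = None
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")):  # php.ini and Apache comment markers
            continue
        m = re.match(r"php_flag\s+register_globals\s+(\w+)"
                     r"|register_globals\s*=\s*(\w+)", line, re.I)
        if m:
            state = (m.group(1) or m.group(2)).lower() in ("off", "0", "false", "no")
    return state

# Constructed sample input: the loop as quoted in the advisory before the fix.
BEFORE = r"""if (ini_get('register_globals'))
  foreach($_REQUEST as $k=>$v) {
    if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
    unset(${$k});
  }"""
# Constructed sample input: the same loop with the advisory's two changes applied.
AFTER = (BEFORE.replace("_SESSION)", "_SESSION|FarmD|WikiDir)")
               .replace("unset(", "${$k}=''; unset("))
```

A `None` from `register_globals_off` only means the inspected file does not set the directive; the effective value may still come from another configuration level.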