[pmwiki-users-de] PmWiki im Visier von Angreifern

Nils Knappmeier nk at knappi.org
Wed Sep 6 06:42:49 CDT 2006


Norbert Schulze wrote:
> Hallo,
>
> laut der Meldung im Heise Ticker: http://www.heise.de/newsticker/meldung/77711
>
> gibt es eine gravierende Sicherheitslücke in PMWiki. Mein Provider kann leider die Notlösung mit dem deaktieren von register_globals nicht durchführen, da dadurch einige andere Webauftritte nicht mehr funktionieren. Gibt es eine weitere Abhilfe? Ansonsten werde ich unsere PMWikiseiten lieber komplett vom Netz nehmen. :-/
>
> Betroffene Seiten:
> www.lug.wolfsburg.de
> www.mit-linux.de
>   
Die neue Version, PmWiki 2.1.21 löst das Problem. Falls ein Update im
Moment inpraktikabel ist, reicht es auch, in der Datei pmwiki.php die
Zeilen:

  if (ini_get('register_globals'))
       foreach($_REQUEST as $k=>$v) {
         if 
(preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', 
$k)) exit();
         unset(${$k});
       }


durch



  if (ini_get('register_globals'))
    foreach($_REQUEST as $k=>$v) {
      if 
(preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', 
$k)) exit();
      ${$k}=''; unset(${$k});
  }


zu ersetzen. Ich hab die Ankündigung von Patrick mal angehängt.

Nils


----<snip>----

This morning I awoke to news of a security vulnerability in PmWiki
that apparently is being exploited by some botnet code that is running
"in the wild".  (Source: http://isc.sans.org/diary.php?storyid=1672 [1])

The source of the vulnerability is a deep bug in the PHP/Zend engine
that causes the unset() operation to not work properly [2] [3], thus
preventing PmWiki from properly sanitizing variables set by
register_globals.

Thus, I've just released pmwiki-2.1.21, which closes off this particular
vulnerability.  It's available from the usual locations:

    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.tgz
    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.21.zip
    http://www.sourceforge.net/projects/pmwiki
    svn://pmwiki.org/pmwiki/tags/latest

Of course, I recommend upgrading to the latest version at the earliest
opportunity.

For those sites that are unable or unwilling to upgrade at this time,
the vulnerability can be closed via one of these other mechanisms:

1.  Turn off 'register_globals'.   This can be done by changing the
    php.ini file to have

        register_globals Off

    However, many sites don't have access to the php.ini file.  On
    some sites it's also possible to disable register_globals via
    a .htaccess file in the same directory as pmwiki.php:

        php_flag register_globals Off

2.  Patch the pmwiki.php code directly.  The vulnerability can be
    closed via a small change to pmwiki.php.  Near the beginning of
    the pmwiki.php code, find the lines that read

    if (ini_get('register_globals'))
      foreach($_REQUEST as $k=>$v) {
        if 
(preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', 
$k)) exit();
        unset(${$k});
      }

    and change them to read

    if (ini_get('register_globals'))
      foreach($_REQUEST as $k=>$v) {
        if 
(preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', 
$k)) exit();
        ${$k}=''; unset(${$k});
      }


Shortly I'll be publishing a tool on the pmwiki.org site that will
allow site administrators to enter the url of their pmwiki site and
it will report back as to whether the site is vulnerable or not
vulnerable to this particular exploit.

Apologies for any inconvenience.  Questions and assistance are available
as always through the pmwiki-users mailing list, or contact me directly
at pmichaud at pobox.com .

Thanks!

Pm


References:
1.  http://isc.sans.org/diary.php?storyid=1672
2.  http://securitytracker.com/alerts/2006/Aug/1016649.html
3. 
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

_______________________________________________
pmwiki-users mailing list
pmwiki-users at pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users

----</snip>-------

>
> Gruß
> Norbert
>   





More information about the pmwiki-users-de mailing list