WebFaction Community site

Several friends made me aware of the Eindbazen PHP-CGI vulnerability. Is webfaction's web server configuration resistant to the above risk?

Better asked, are my sites safe?

source1: eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
source2: http://ompldr.org/vZGxxaQ

asked 03 May '12, 05:30

wallypally


My simple tests say: no, your sites are not safe unless you manually set up PHP as FastCGI or run your own web server instance or similar.

You can easily test: just add ?-s to the end of any URL that is served by PHP from webfaction. If I do that, I see the full source...

[edit] Although it seems only scripts accessible by apache are directly vulnerable. If you followed best practices and kept any 'config' scripts with sensitive info outside of the webroot or protected by .htaccess, then the risks are somewhat limited. But basically, any PHP file that apache can serve directly can now be read in plain code.


answered 03 May '12, 10:12

banks

edited 03 May '12, 10:17

Same here @banks. When executing ?-s behind one of my PHP scripts, voila, the source is there (in color).

@webfaction, what are you gonna do to fix this?

(03 May '12, 10:18) wallypally

Would be good to see this patched some way ASAP, although @wallypally, bear in mind that this is a 0-day PHP bug that got leaked by their security team and published publicly before an official fix is available.

I'm sure webfaction can't just go and disable all PHP sites or apply untested, unofficial apache/PHP patches to all servers right away.

FWIW, you can also mitigate somewhat, depending on your app, by using .htaccess rewrite rules to deny ?- requests from hitting PHP. For many this may be a pretty complex and error-prone thing to set up, but if you only have a single index.php exposed to the public (like many frameworks) then it should be simple enough.

(03 May '12, 10:24) banks
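A model of the two things banks describes above (the ?-s test in the answer and the rewrite-rule mitigation in this comment), as an added example that is not code from the thread or from WebFaction. It contacts no server: it reproduces, in Python, the CGI rule that turns a query string into php-cgi's argv (RFC 3875 section 4.4, which is what CVE-2012-1823 is about) and the mod_rewrite workaround of the kind banks suggests, in the form that circulated with the php.net fix announcement, then runs both over constructed query strings. The query strings in SAMPLES are made up for the example, and the function names are the example's own.

```python
"""Model of CVE-2012-1823 (query string handed to php-cgi as argv) and of
the mod_rewrite workaround.

Added example, not code from the thread or from WebFaction.  Nothing here
talks to a web server; it reproduces the two rules that matter and runs
them over constructed query strings.

  1. RFC 3875 section 4.4: when QUERY_STRING contains no unencoded "=",
     the CGI server splits it on "+", URL-decodes each word and passes the
     words as command-line arguments to the CGI program.  That is how
     "?-s" reaches php-cgi as its -s (show source) switch.

  2. The .htaccess rules that circulated with the php.net fix, which
     refuse such requests before they reach php-cgi:

        RewriteEngine On
        RewriteCond %{QUERY_STRING} ^[^=]*$
        RewriteCond %{QUERY_STRING} %2d|\- [NC]
        RewriteRule .? - [F,L]
"""
import re
from urllib.parse import unquote


def cgi_argv(query_string):
    """Arguments a CGI server hands to php-cgi for this raw query string."""
    if query_string == "" or "=" in query_string:
        return []  # contains "=": treated as form data, never as argv
    # RFC 3875: split on "+" and percent-decode each word ("+" is not a space here)
    return [unquote(word) for word in query_string.split("+")]


def discloses_source(query_string):
    """True if php-cgi would receive -s and print the script's source."""
    return "-s" in cgi_argv(query_string)


# The two RewriteConds above as Python regexes.  Apache tests them against the
# raw, still percent-encoded query string, so an encoded dash (%2d) has to be
# listed explicitly; [NC] makes the test case-insensitive (%2D as well).
_NO_EQUALS = re.compile(r"^[^=]*$")
_HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)


def rewrite_rule_blocks(query_string):
    """True if the .htaccess workaround answers 403 for this query string."""
    return bool(_NO_EQUALS.match(query_string) and _HAS_DASH.search(query_string))


def classify(query_string):
    """Summarise what php-cgi would see and whether the workaround stops it."""
    return {
        "query": query_string,
        "argv": cgi_argv(query_string),
        "discloses_source": discloses_source(query_string),
        "blocked": rewrite_rule_blocks(query_string),
    }


# Constructed query strings for the demonstration, not taken from any real log.
SAMPLES = [
    "-s",        # the test from banks' answer
    "%2Ds",      # same thing with the dash percent-encoded
    "-s+extra",  # "+" separates words: argv == ["-s", "extra"]
    "page",      # harmless argv-style query (no "="), must keep working
    "id=5&-s",   # contains "=", so it is never turned into argv
    "",          # no query string at all
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(classify(q))
```

Run it directly to print the table. The point to take from it is that the workaround needs both conditions: `^[^=]*$` so that ordinary form submissions such as `id=5&-s` are never refused, and `%2d|\-` with [NC] because Apache matches the raw, still percent-encoded query string, so an encoded dash would otherwise slip through; a dash-free query like `?page` still passes. The rules need mod_rewrite and `RewriteEngine On`, and, like the switch to a FastCGI handler, they only matter for php-cgi: a FastCGI process receives the query string as a request parameter, never as argv.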

Hi everyone,

We're aware of this issue, and we're working on a patch to fix it. It will be tested today and if tests go well, we'll deploy it everywhere tomorrow.

In the meantime, if you want to make sure your sites are secure, I'd suggest switching to fcgi, as this vulnerability applies only to php-cgi. To do this, you can add the following to .htaccess:

<FilesMatch \.php$>
    SetHandler php54-fcgi
    # or SetHandler php53-fcgi for php 5.3 apps
    # or SetHandler php52-fcgi for php 5.2 apps (including 
    #      control panel installs of WordPress, Joomla, Drupal, etc)
</FilesMatch>

answered 03 May '12, 10:24

todork

edited 03 May '12, 16:05 by seanf

Thanks @todork. Good to see you are quick off the mark :)

(03 May '12, 10:27) banks

Thanks @todork for your rapid and open response. That's one reason why I like Webfaction.

Btw. which PHP versions are vulnerable? All of 5.2, 5.3 and 5.4?

(03 May '12, 10:31) wallypally

Hi again,

Unfortunately, all PHP versions are vulnerable to this exploit.

(03 May '12, 10:33) todork

Thanks for your input @seanf

(03 May '12, 17:52) wallypally

OK, patches are there.

http://www.php.net/archive/2012.php#id2012-05-03-1

@webfaction, PHP 5.2 isn't tracked anymore. Are you guys gonna backport the above patch?

(03 May '12, 18:04) wallypally

Yes, in fact we're rolling out our patch to all servers at this time.

(03 May '12, 18:11) seanf

Whoo, nice. Great job, thanks Sean.

(03 May '12, 20:17) wallypally
question asked: 03 May '12, 05:30

question was seen: 10,946 times

last updated: 03 May '12, 20:17

© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED