Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm )

11 years ago by marius adrian popa — view source — reply

unread

Maybe we need an official stance about shellshock

I mainly use php-fpm and mod_php (I didn't used php under cgi for years)

http://jaxbot.me/articles/cases-where-bash-shellshock-is-safe-09-25-2014

http://www.reddit.com/r/programming/comments/2hc1w3/cve20146271_remote_code_execution_through_bash/ckrdqdb

PHP scripts executed with mod_php are not affected even if they spawn
subshells.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

11 years ago by Andrea Faulds — view source — reply

unread

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m not sure there’s much we can reasonably do about it. Similarly to the Heartbleed bug, control is not in our hands here.

--
Andrea Faulds
http://ajf.me/

11 years ago by Peter Lind — view source — reply

unread

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
not sure there’s much we can reasonably do about it. Similarly to the
Heartbleed bug, control is not in our hands here.

Informing people about the cases where they might be at risk when running
PHP doesn't seem a bad idea. Even though PHP itself is not at fault.

--
Andrea Faulds
http://ajf.me/

--

--
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype

11 years ago by Ferenc Kovacs — view source — reply

unread

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
not sure there’s much we can reasonably do about it. Similarly to the
Heartbleed bug, control is not in our hands here.

Informing people about the cases where they might be at risk when running
PHP doesn't seem a bad idea. Even though PHP itself is not at fault.

I think we should only communicate when we have something definite to say,
and currently our official stance is that we aren't aware any problems
related to shellshock, but that doesn't mean that there is none, so I'm not
sure that we have something definite to say.
If we do end up finding something affecting significant amount of users
(even if that requires some misconfiguration or lousy fastcgi wrapper) we
could make an announcement.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

11 years ago by Peter Lind — view source — reply

unread

On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind peter.e.lind@gmail.com
wrote:

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
not sure there’s much we can reasonably do about it. Similarly to the
Heartbleed bug, control is not in our hands here.

Informing people about the cases where they might be at risk when
running
PHP doesn't seem a bad idea. Even though PHP itself is not at fault.

I think we should only communicate when we have something definite to say,
and currently our official stance is that we aren't aware any problems
related to shellshock, but that doesn't mean that there is none, so I'm not
sure that we have something definite to say.
If we do end up finding something affecting significant amount of users
(even if that requires some misconfiguration or lousy fastcgi wrapper) we
could make an announcement.

I think it's worth communicating what Redhat is:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

As a PHP dev I'd love to be able to find information like that on php.net,
not having to figure out from other sources if it pertains to me or not.

--
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype

11 years ago by Andrea Faulds — view source — reply

unread

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m not sure there’s much we can reasonably do about it. Similarly to the Heartbleed bug, control is not in our hands here.

So I did a little research:

On many systems, /bin/sh is a symlink for bash
popen() uses /bin/sh
PHP uses popen() for its backticks, shell_exec, exec, system, passthru and proc_open functions.

To cause the bash issue, you just need an environment variable which is set from user data.

This means that almost all PHP CGI apps which use any of the Program Execution Functions are vulnerable, and possibly many non-CGI apps if they do anything which sets the environment variables based on user data.

I think it might be worth us putting a statement on the homepage. PHP-level vulnerability it isn’t, but it is a serious one.

Andrea Faulds
http://ajf.me/