Forum OpenACS Q&A: Is OpenACS vulnerable to PHP like cracks?

Is either OpenACS 3.x or 4.x (or AOLServer) vulnerable to cracker attacks like the recently described:

Crackers Exploit PHP Vulnerabilities

http://www.eweek.com/article/0,3658,s=1884&a=23361,00.asp

    "Security researchers have found seven separate vulnerabilities in several versions of the widely used PHP scripting language and warn that crackers are circulating exploit code for at least one of the flaws.

    The problem lies in the way that PHP handles multipart-data POST requests, through which users can upload files or other content to a Web server. Specifically, there are several flaws in the php_mime_split function that an attacker could use to run arbitrary code on a vulnerable server,..."

-Bob

Posted by Don Baccus on
Yet another buffer overflow, eh?

I don't think OpenACS per se is vulnerable to an exploit of this sort.  AOLserver puts the data into a temp file, which is then either stuffed into the db or copied to another file.

So ... the pertinent question is whether or not AOLserver does this in a safe manner, and whether or not the Tcl interpreter has any bugs that might be exposed when shoving large files around.

That's a general answer.

A specific answer is most likely "no" because the exploit, as described in the piece you reference, has to do with specific buffer overflows in specific implementations of PHP on specific operating systems (Solaris/Linux).

So code designed to exploit this particular bug in PHP is unlikely to do any harm on other platforms.

Whether or not the general approach might serve as a basis for designing an exploit for "our world" is another question, dependent on the things I mentioned earlier.

Posted by Jon Griffin on
I don't think it is exploitable, but I have found some suspect uses of mktmp which potentially could create other exploits.

This auditing I am doing is ongoing and I will look into it more next week when I return home.
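The "suspect uses of mktmp" Jon mentions are the classic temp-file race: a name is generated first and the file is opened in a second, separate step, so a guessable name can be pre-planted by a local user. The C example below is added here and is not OpenACS or AOLserver code (the function names and paths are my own); it shows the atomic mkstemp pattern with a post-open sanity check, and contrasts a non-exclusive open on a guessable path with the O_EXCL open that refuses a planted file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the temp file that will hold an uploaded multipart body.
 * mkstemp() picks the name AND opens it with O_CREAT|O_EXCL in one step, so a
 * file or symlink planted at that path makes the call fail instead of being
 * written through. 'tmpl' must end in "XXXXXX" and receives the chosen name.
 * Returns the open fd, or -1 on failure. */
int create_upload_tmp(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    /* Verify what was actually opened: a private regular file we own. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Demonstration of the race on a guessable path. Simulates an attacker
 * pre-creating 'path', then tries the two server-side open styles.
 * Returns a bitmask: bit 0 = non-exclusive open reused the planted file,
 * bit 1 = O_EXCL open was refused with EEXIST. Correct behaviour is 3. */
int planted_path_detected(const char *path) {
    int result = 0;
    int planted = open(path, O_WRONLY | O_CREAT, 0644);  /* attacker step */
    if (planted < 0) return -1;
    close(planted);
    /* mktemp()-style: generate name, then open without O_EXCL -> hijackable */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { result |= 1; close(fd); }
    /* mkstemp()-style exclusive create -> refused because the path exists */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);
    unlink(path);
    return result;
}
```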