SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating

  • Advisory ID: SA-2007-023
  • Project: PHP
  • Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
  • Date: 2007-October-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: unset() hash / index collision exploit using Drupal (CVE-2006-3017)

Description

The PHP unset() Hash / Index collision vulnerability causes the unset() statement to fail in certain circumstances.

Drupal uses the unset() statement to eliminate all non-whitelisted global variables when the option "register_globals" is enabled for your PHP installation. Because unset() can be made to fail on vulnerable versions of PHP, arbitrary global variables can be created. This can easily lead to the execution of arbitrary PHP code with a specially crafted URL, similar to the one shown below, that causes the menu system to call the PHP evaluator with arbitrary code:

http://example.com?_menu[callbacks][1][callback]=drupal_eval&_menu[items...();

An exploit for this is widely circulating. The attack will not work when "register_globals" is set to off.

The issue is not limited to installations with "register_globals" set to on. unset() is used in other parts of the codebase where a bypass may result in unintended actions that may compromise your security.
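
A log check for the request shape shown above, as an added example that is not part of the original advisory: it flags access-log entries whose query string sets the `_menu` variable or names `drupal_eval`. The log lines are constructed samples, and the function names and the Common Log Format layout are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Request-line portion of a Common/Combined Log Format entry (assumed layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators taken from the advisory's sample URL.
GLOBAL_NAME = "_menu"          # global variable the request tries to create
EVAL_CALLBACK = "drupal_eval"  # callback value naming the PHP evaluator

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2007:10:00:01 +0000] "GET /?q=node/1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Oct/2007:10:00:05 +0000] "GET /?_menu[callbacks][1][callback]=drupal_eval HTTP/1.1" 200 310',
    '198.51.100.7 - - [17/Oct/2007:10:00:09 +0000] "GET /?_menu%5Bcallbacks%5D%5B1%5D%5Bcallback%5D=drupal_eval HTTP/1.1" 200 310',
    '203.0.113.4 - - [17/Oct/2007:10:01:00 +0000] "GET /?q=menu HTTP/1.1" 200 2048',
]


def inspect_request(target):
    """Return the reasons a request target resembles the advisory's URL."""
    reasons = []
    query = target.partition("?")[2]
    # parse_qsl percent-decodes names and values, so %5B/%5D forms are covered.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # '_menu[callbacks][1]' maps to the top-level PHP variable '_menu'.
        if name.split("[", 1)[0] == GLOBAL_NAME:
            reasons.append(f"sets global {GLOBAL_NAME} via {name!r}")
        if EVAL_CALLBACK in value:
            reasons.append(f"value names {EVAL_CALLBACK}")
    return reasons


def scan(lines):
    """Yield (line_number, client, reasons) for each suspicious log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = inspect_request(match.group("target"))
        if reasons:
            yield number, line.split(" ", 1)[0], reasons


if __name__ == "__main__":
    for number, client, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {client}: {'; '.join(reasons)}")
```

Access logs record only the query string; with "register_globals" on, PHP also registers POST and cookie variables, so a clean log does not replace the PHP upgrade.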

Versions affected

  • PHP 4 before version 4.4.3.
  • PHP 5 before version 5.1.4.

Solution

Upgrade to the latest version of PHP:

  • When using PHP 4, upgrade to PHP 4.4.7.
  • When using PHP 5, upgrade to PHP 5.2.4.

Always apply the latest security patches to your server components.
You may need to review your server management strategy if you are still running a vulnerable PHP version.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
