Scripting flaw ripe for Web worm

As previously reported by CNET News.com, the flaws occur in server modules using the PHP Web scripting language. PHP originally stood for Personal Homepage, but as the language's functionality increased, the name was changed to PHP: Hypertext Preprocessor to better reflect its general usage. The language is widely used among sites built on open-source software and allows such sites to create Web pages on the fly.

David Dittrich, senior security engineer at the University of Washington, stressed that while the technical nature of the flaws would make creating a worm more difficult, the Net is rife with groups that have the wherewithal and knowledge to pull off the job.

"It's just a matter of time before someone does a worm," Dittrich said, adding that systems administrators who have Web sites running a flawed version of PHP should patch their version as soon as possible.

Last Wednesday, a member of the PHP Group posted details of a handful of flaws that could be exploited to take over Web servers that use version 3.0.10 to version 4.1.1 of the PHP software. By gaining control of the Web server software, attackers could deface any sites hosted by that server or take advantage of their position to issue system commands to the server.

Two days later, U.K.-based Internet research group Netcraft released its monthly survey of Web sites, indicating that nearly 8.4 million sites were hosted by servers that use a vulnerable version of PHP. One million of those sites are vulnerable to attack, the survey said.

Based on that data alone, the PHP flaws could be as dangerous as the indexing server ISAPI filter flaw in Microsoft's Internet Information Server that made the Code Red worm possible, said Marc Maiffret, chief hacking officer for network protection company eEye Digital Security.

"This could easily turn out to be a Code Red or bigger if someone is so inclined," Maiffret said. eEye initially identified the indexing server flaw in April and notified Microsoft. When the software giant announced the flaw in June 2000, Netcraft's survey indicated that nearly 6 million sites on the Internet could be vulnerable. Sites do not directly correspond to servers, however, and it's not known how many of those sites were actually vulnerable.

What is known is that on July 19, 2000, nearly 360,000 servers were compromised by a modified version of Code Red, according to the Cooperative Association for Internet Data Analysis. Evidence at the time indicated that the worm saturated the Internet, infecting almost every server that was vulnerable and accessible.

There may be hints that just such a worm is already under development in the Internet underground, Maiffret said.

A program that makes use of the vulnerability to compromise systems, a tool known as an exploit, has been circulated among security professionals and hackers on the Internet. One part of the code includes a function to generate random Internet addresses, useful to a worm program or automated scanner for selecting the next victim from the Internet at large, Maiffret said.

The actual exploit apparently doesn't use the function, leaving some security experts speculating that it could be part of an unfinished program.

"Right now, we're waiting to see what happens," Maiffret said. "Nothing so far, but everybody is watching for it."

Online vandals intent on building such a worm will not find the job easy. Where the index server ISAPI flaw could easily be exploited by a simple program, an online vandal looking to create a PHP worm would have a lot more work to do, said Rasmus Lerdorf, a PHP project member.

Because different versions of the software are susceptible to a different subset of the flaws, a worm would have to be programmed to detect the configuration of each host and attack with the right piece of code.

"They would have to write four or five exploits," Lerdorf said. "They would need to know a lot more. All you had to do with the (Code Red flaw) is put colon-colon after a URL, and poof, you screw up the Web server."

In addition, Web servers typically run with limited privileges, not in "super user" mode, which allows nearly unlimited privileges to those with access. On properly secured servers, that difference could make it much more difficult to control the infected computer.

That may play in the favor of PHP-enabled Web site administrators, said Stefan Esser, another member of the PHP Group and the author of the advisory on the scripting flaws.

"PHP is an open-source project, and users of open-source products are often--in my experience--more aware of security issues than users of Microsoft products," Esser said. "I am pretty sure open-source users will upgrade faster than Microsoft users. The most important sites all have upgraded by now."

Still, to stop potential worms from affecting the Internet, more than just the major Web sites need to upgrade.