So yes, there is a problem – a big one, because it turns out there’s a vulnerability in the realization of “register_globals” in PHP. Hosting providers are starting to fix the bug; last night Masterhost, the biggest Russian hosting provider, sent the following message to all its clients
Translation:
This is to inform you that on 9th February 2009 the configuration of virtual hosting servers will be modified. The PHP register_globals directive will be disabled in line with recommendations from PHP developers and security specialists. The changes will affect the following sites and domains:
XXX
If your sites are using the most recent versions of popular CMS (such as Joomla, Wordpress, Drupal, Bitrix etc.) then you won’t notice the changes taking place and they won’t affect resource productivity. We recommend that you update your scripts when possible. If this is not possible or if you are in any doubt, you can secure yourself by enabling register_globals for the site by adding the .htaccess file to the www directory with the following directive:
Php_flag register_globals on
There is information about the register_globals directive on the PHP developers’ site:
http://ru.php.net/manual/ru/ini.core.php#ini.register-globals
The moral of this story? Check your sites, update your sites, tell your IT guys. And while you’re doing this, we’ll be keeping an eye out for the next Big Chinese Hack – the exploit for this vulnerability was released more than two weeks ago, but most hosting providers are still unpatched; a lot of Internet resources are going to take a beating over the next few days and weeks, and botnets are going to be increasing (again) in size. All the more so with the approach of February 14th, traditionally a time when the bad guys mobilize...
