PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

From: Marko Karppinen (markonenat_private)
Date: Mon Jul 22 2002 - 03:59:57 PDT


       PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
    
    
    Issued on: July 22, 2002
    Software:  PHP versions 4.2.0 and 4.2.1
    Platforms: All
    
    
       The PHP Group has learned of a serious security vulnerability in PHP
       versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
       code with the privileges of the web server. This vulnerability may be
       exploited to compromise the web server and, under certain conditions,
       to gain privileged access.
    
    
    Description
    
       PHP contains code for intelligently parsing the headers of HTTP POST
       requests. The code is used to differentiate between variables and files
       sent by the user agent in a "multipart/form-data" request. This parser
       has insufficient input checking, leading to the vulnerability.
    
       The vulnerability is exploitable by anyone who can send HTTP POST
       requests to an affected web server. Both local and remote users, even
       from behind firewalls, may be able to gain privileged access.
    
    
    Impact
    
       Both local and remote users may exploit this vulnerability to compromise
       the web server and, under certain conditions, to gain privileged access.
       So far only the IA32 platform has been verified to be safe from the
       execution of arbitrary code. The vulnerability can still be used on IA32
       to crash PHP and, in most cases, the web server.
    
    
    Solution
    
       The PHP Group has released a new PHP version, 4.2.2, which incorporates
       a fix for the vulnerability. All users of affected PHP versions are
       encouraged to upgrade to this latest version. The downloads web site at
    
          http://www.php.net/downloads.php
       
       has the new 4.2.2 source tarballs, Windows binaries and source patches
       from 4.2.0 and 4.2.1 available for download.
     
     
    Workaround
    
       If the PHP applications on an affected web server do not rely on HTTP
       POST input from user agents, it is often possible to deny POST requests
       on the web server.
    
       In the Apache web server, for example, this is possible with the
       following code included in the main configuration file or a top-level
       .htaccess file:
    
          <Limit POST>
              Order deny,allow
              Deny from all
          </Limit>
        
       Note that an existing configuration and/or .htaccess file may have
       parameters contradicting the example given above.
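
An added example (not part of the PHP Group's advisory): a small Python check that reads an Apache configuration fragment and reports, for each `<Limit>` block covering POST, whether it really denies POST to every client, which is where a contradicting `Allow` line shows up. It assumes the classic Order/Allow/Deny semantics and judges each block in isolation (no merging across sections or files); the function names, the sample fragments and the 192.0.2.0/24 network are constructed for illustration.

```python
import re

# Matches <Limit ...> blocks only; <LimitExcept> is not handled here.
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.I | re.S)

def post_blocks(conf):
    """Yield (order, allows, denies) for every <Limit> block that covers POST."""
    for methods, body in LIMIT_RE.findall(conf):
        if "POST" not in methods.split():      # method names are case-sensitive
            continue
        order, allows, denies = "deny,allow", [], []   # Apache's default Order
        for line in body.splitlines():
            words = line.split("#", 1)[0].split()
            if not words:
                continue
            key = words[0].lower()
            if key == "order":
                order = "".join(words[1:]).lower()
            elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
                (allows if key == "allow" else denies).extend(w.lower() for w in words[2:])
        yield order, allows, denies

def denies_all_post(order, allows, denies):
    """True only if no client can pass this block with a POST request."""
    if order == "deny,allow":
        # Allow is evaluated last and wins, so any Allow re-admits those clients.
        return "all" in denies and not allows
    if order == "allow,deny":
        # Deny is evaluated last and wins; with no Allow at all the default is deny.
        return "all" in denies or not allows
    return False   # other orderings (e.g. mutual-failure): report as not verified

def audit(conf):
    """One verdict per POST-covering <Limit> block, in file order."""
    return [denies_all_post(*block) for block in post_blocks(conf)]

# Constructed sample fragments.
ADVISORY = "<Limit POST>\n    Order deny,allow\n    Deny from all\n</Limit>\n"
CONTRADICTED = ("<Limit POST>\n    Order deny,allow\n    Deny from all\n"
                "    Allow from 192.0.2.0/24\n</Limit>\n")

if __name__ == "__main__":
    for name, conf in (("advisory", ADVISORY), ("contradicted", CONTRADICTED)):
        print(name, audit(conf))
```

An empty result means no `<Limit>` block in the fragment covers POST at all, so the workaround is not in place there.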
    
     
    Credits
    
       The PHP Group would like to thank Stefan Esser of e-matters GmbH for
       discovering this vulnerability.
       
    
    Copyright (c) 2002 The PHP Group.
    


