From: nihat ciddi (ciddi@fisek.com.tr)
Date: Thu 28 Feb 2002 - 03:18:49 EET
---------- Forwarded message ----------
Date: Wednesday, February 27, 2002, 1:30:56 PM
From: security@e-matters.de <security@e-matters.de>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: Advisory 012002: PHP remote vulnerabilities
> e-matters GmbH
> www.e-matters.de
> -= Security Advisory =-
> Advisory: Multiple Remote Vulnerabilities within PHP's fileupload code
> Release Date: 2002/02/27
> Last Modified: 2002/02/27
> Author: Stefan Esser [s.esser@e-matters.de]
> Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
> Severity: Several vulnerabilities in PHP's fileupload code allow
> remote compromise
> Risk: Critical
> Vendor Status: Patches Released
> Reference: http://security.e-matters.de/advisories/012002.html
> Overview:
> We found several flaws in the way PHP handles multipart/form-data POST
> requests. Each of the flaws could allow an attacker to execute arbitrary
> code on the victim's system.
> Details:
> PHP supports multipart/form-data POST requests (as described in RFC1867)
> known as POST fileuploads. Unfortunately there are several flaws in the
> php_mime_split function that could be used by an attacker to execute
> arbitrary code. During our research we found out that not only PHP4 but
> also older versions from the PHP3 tree are vulnerable.
> The following is a list of bugs we found:
> PHP 3.10-3.18
> - broken boundary check (hard to exploit)
> - arbitrary heap overflow (easily exploitable)
> PHP 4.0.1-4.0.3pl1
> - broken boundary check (hard to exploit)
> - heap off by one (easily exploitable)
> PHP 4.0.2-4.0.5
> - 2 broken boundary checks (one very easy and one hard to exploit)
> PHP 4.0.6-4.0.7RC2
> - broken boundary check (very easy to exploit)
> PHP 4.0.7RC3-4.1.1
> - broken boundary check (hard to exploit)
> Finally I want to mention that most of these vulnerabilities are
> exploitable only on Linux or Solaris. But the heap off by one is only
> exploitable on x86 architecture and the arbitrary heap overflow in
> PHP3 is exploitable on most OS and architectures. (This includes *BSD)
> Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the
> described bugs because the fileupload code was completely rewritten for
> the 4.2.0 branch.
> Proof of Concept:
> e-matters is not going to release exploits for any of the discovered
> vulnerabilities to the public.
> Vendor Response:
> Because I am part of the php developer team there is not much I can
> write here...
> 27th February 2002 - An updated version of php and the patch for
> these vulnerabilities are now available at:
> http://www.php.net/downloads.php
> Recommendation:
> If you are running PHP 4.0.3 or above, one way to work around these
> bugs is to disable the fileupload support within your php.ini
> (file_uploads = Off). If you are running php as a module, keep in mind
> to restart the webserver. Anyway, you should better install the
> fixed or a properly patched version to be safe.
> Side notice:
> This advisory is so short because I don't want to give out more info
> than is needed.
> Users running the developer version of php (4.2.0-dev) are not
> vulnerable to these bugs because the fileupload support was completely
> rewritten for that branch.
> GPG-Key:
> http://security.e-matters.de/gpg_key.asc
> pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
> Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6
> Copyright 2002 Stefan Esser. All rights reserved.
---------------------------------------
nihat ciddi
ciddi@fisek.com.tr
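As an added example (not part of the advisory or of the forwarded mail), a small Python checker that transcribes the version ranges and bug classes listed above and reports which of them apply to a given PHP version string, plus whether the php.ini workaround the advisory names (file_uploads = Off, PHP 4.0.3 and above) covers it. It assumes version strings are written in the advisory's own notation (e.g. 3.18, 4.0.3pl1, 4.0.7RC2, 4.2.0-dev).

```python
import re

# Affected ranges and bug classes, transcribed from the advisory quoted above.
# Ranges overlap in the original text (4.0.2-4.0.3pl1 sits in two of them), so
# a version may collect entries from more than one row.
AFFECTED = [
    ("3.10", "3.18", ["broken boundary check", "arbitrary heap overflow"]),
    ("4.0.1", "4.0.3pl1", ["broken boundary check", "heap off by one"]),
    ("4.0.2", "4.0.5", ["2 broken boundary checks"]),
    ("4.0.6", "4.0.7RC2", ["broken boundary check (very easy to exploit)"]),
    ("4.0.7RC3", "4.1.1", ["broken boundary check (hard to exploit)"]),
]

# Numeric part, then an optional stage suffix: RC (pre-release), pl (patch
# level, after release) or -dev (development snapshot).
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(RC|pl|dev)(\d*))?$", re.IGNORECASE)
_STAGE = {"dev": -1, "rc": 0, None: 1, "pl": 2}  # ordering: dev < RC < final < pl

def version_key(version):
    """Turn an advisory-style version string into a comparable tuple."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so "3.18" compares like 3.18.0
    stage = m.group(2).lower() if m.group(2) else None
    return (tuple(nums), _STAGE[stage], int(m.group(3) or 0))

def affected_bugs(version):
    """Bug classes from the advisory that apply to this version (empty if none)."""
    key = version_key(version)
    bugs = []
    for low, high, names in AFFECTED:
        if version_key(low) <= key <= version_key(high):
            bugs.extend(names)
    return bugs

def is_vulnerable(version, file_uploads_enabled=True):
    """True if the version is listed and the php.ini workaround does not cover it."""
    if not affected_bugs(version):
        return False
    # The advisory only offers file_uploads = Off as a workaround for 4.0.3+.
    if not file_uploads_enabled and version_key(version) >= version_key("4.0.3"):
        return False
    return True
```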