From: Mystarix (MystarixWANADOO.FR)
Date: Sun Jan 02 2000 - 13:39:40 CST

    PHP remote vulnerabilities

    Release Date: 2002/02/27
    Author: Stefan Esser [s.esserematters.de]
    Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
    Severity: Several vulnerabilities in PHP's fileupload code allow remote
    compromise
    Risk: Critical
    Reference: http://security.e-matters.de/advisories/012002.html

    Overview

    We found several flaws in the way PHP handles multipart/form-data POST
    requests. Each of the flaws could allow an attacker to execute arbitrary
    code on the victim's system.

    Details

    PHP supports multipart/form-data POST requests (as described in RFC1867)
    known as POST fileuploads. Unfortunately there are several flaws in the
    php_mime_split function that could be used by an attacker to execute
    arbitrary code. During our research we found out that not only PHP4 but also
    older versions from the PHP3 tree are vulnerable.
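The advisory does not publish the internals of php_mime_split, so the following is an added example rather than PHP's code: a small multipart/form-data splitter that makes every boundary check explicit. It shows what the "boundary check" a fileupload parser performs actually has to guarantee, namely that each delimiter, each part's header block and each part's content are located inside the buffer before any offset is trusted, and that a body whose framing is broken is rejected instead of read past. The boundary, the sample body and the MAX_PARTS limit are constructed for the example.

```python
"""Strict multipart/form-data framing check.

Added example, not PHP's php_mime_split: the boundary handling a
fileupload parser has to get right. Every delimiter is located with an
explicit bounds check against the buffer, and a body whose parts are not
correctly framed is rejected rather than read past. The boundary, sample
body and part limit below are constructed.
"""

CRLF = b"\r\n"
MAX_PARTS = 64            # assumed limit: refuse absurd part counts


def parse_part_headers(raw):
    """Parse the header block of one part into a lower-cased dict."""
    headers = {}
    for line in raw.split(CRLF):
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed part header line")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers


def split_multipart(body, boundary):
    """Return [(headers, content), ...] or raise ValueError on bad framing."""
    if not 1 <= len(boundary) <= 70:          # RFC 2046 boundary length limit
        raise ValueError("boundary length out of range")
    delim = b"--" + boundary.encode("ascii")
    if not body.startswith(delim):            # no preamble tolerated
        raise ValueError("body does not begin with the boundary delimiter")
    pos = len(delim)
    parts = []
    while True:
        # A delimiter is followed by "--" (closing delimiter) or CRLF (a part).
        if body.startswith(b"--", pos):
            return parts
        if not body.startswith(CRLF, pos):
            raise ValueError("boundary line not terminated")
        pos += len(CRLF)
        if len(parts) >= MAX_PARTS:
            raise ValueError("too many parts")
        # Part headers run to the first blank line; a part may have none.
        if body.startswith(CRLF, pos):
            headers, content_start = {}, pos + len(CRLF)
        else:
            hdr_end = body.find(CRLF + CRLF, pos)
            if hdr_end < 0:
                raise ValueError("part headers not terminated")
            headers = parse_part_headers(body[pos:hdr_end])
            content_start = hdr_end + 2 * len(CRLF)
        # Content runs up to the next CRLF + delimiter, which must exist.
        nxt = body.find(CRLF + delim, content_start)
        if nxt < 0:
            raise ValueError("part content not terminated by a boundary")
        parts.append((headers, body[content_start:nxt]))
        pos = nxt + len(CRLF) + len(delim)


def is_well_framed(body, boundary):
    """True if the body parses cleanly, False if it is rejected."""
    try:
        split_multipart(body, boundary)
        return True
    except ValueError:
        return False


SAMPLE_BOUNDARY = "----ExampleBoundary7MA4YWxk"   # constructed
SAMPLE_BODY = (                                   # constructed two-part body
    b"------ExampleBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="field"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"------ExampleBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"file body\r\n"
    b"------ExampleBoundary7MA4YWxk--\r\n"
)

if __name__ == "__main__":
    for headers, content in split_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY):
        print(headers.get("content-disposition"), len(content), "bytes")
    # A body cut off before the closing delimiter is refused, not scanned past.
    print("truncated body accepted?", is_well_framed(SAMPLE_BODY[:-4], SAMPLE_BOUNDARY))
```

The design choice worth noting is that nothing is indexed by arithmetic on a trusted length: each position is produced by `find`/`startswith` against the real buffer and checked for failure before use, which is exactly the invariant a C implementation of the same loop has to maintain by hand.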

    The following is a list of bugs we found:

    PHP 3.10-3.18

    - broken boundary check (hard to exploit)
    - arbitrary heap overflow (easily exploitable)

    PHP 4.0.1-4.0.3pl1

    - broken boundary check (hard to exploit)
    - heap off by one (easily exploitable)

    PHP 4.0.2-4.0.5

    - 2 broken boundary checks (one very easy and one hard to exploit)

    PHP 4.0.6-4.0.7RC2

    - broken boundary check (very easy to exploit)

    PHP 4.0.7RC3-4.1.1

    - broken boundary check (hard to exploit)

    Finally I want to mention that most of these vulnerabilities are exploitable
    only on Linux or Solaris. But the heap off by one is only exploitable on x86
    architecture, and the arbitrary heap overflow in PHP3 is exploitable on most
    OS and architectures (this includes *BSD).

    Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the
    described bugs because the fileupload code was completely rewritten for the
    4.2.0 branch.

    Proof of Concept

    e-matters is not going to release exploits for any of the discovered
    vulnerabilities to the public.

    Vendor Response

    Because I am part of the php developer team there is not much I can write
    here...

    27 February 2002: An updated version of PHP and the patch for these
    vulnerabilities are now available at: http://www.php.net/downloads.php

    Recommendation

    If you are running PHP 4.0.3 or above, one way to work around these bugs is
    to disable fileupload support in your php.ini (file_uploads = Off). If you
    are running PHP as a module, remember to restart the webserver afterwards.
    In any case, you should install the fixed or a properly patched version to
    be safe.
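As an added example (not part of the advisory), the following script turns the affected-version list and the file_uploads workaround above into a repeatable check: it classifies a PHP version string (as printed by `php -v`) against the inclusive ranges the advisory gives, reads the effective `file_uploads` value out of a php.ini text, and reports whether the workaround is even applicable (the advisory only vouches for it from 4.0.3 on). Assumptions: the advisory's "3.10-3.18" is read as PHP 3.0.10-3.0.18; a php.ini that never sets `file_uploads` leaves PHP's built-in default of On; the php.ini fragment in the script is constructed.

```python
"""Exposure check for the PHP fileupload advisory.

Added example, not part of the advisory: reports whether a PHP version is
in the affected ranges the advisory lists and whether the file_uploads=Off
workaround is in place. Assumptions: the advisory's "3.10-3.18" is read as
3.0.10-3.0.18; a php.ini that never sets file_uploads leaves PHP's default
of On; the php.ini text below is a constructed sample.
"""
import re

# Inclusive affected ranges as given in the advisory.
AFFECTED_RANGES = [("3.0.10", "3.0.18"), ("4.0.1", "4.1.1")]
WORKAROUND_FROM = "4.0.3"     # advisory: file_uploads=Off helps from 4.0.3 on

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:(-?dev)|RC(\d+)|pl(\d+))?$", re.IGNORECASE)


def version_key(version):
    """Sortable key: dev < RCn < final < pln for the same x.y.z."""
    version = version.strip()
    if version.lower().startswith("php "):    # accept "php -v" style prefix
        version = version[4:].strip()
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        stage, num = 0, 0                 # 4.2.0-dev precedes 4.2.0
    elif m.group(5):
        stage, num = 1, int(m.group(5))   # 4.0.7RC3 precedes 4.0.7
    elif m.group(6):
        stage, num = 3, int(m.group(6))   # 4.0.3pl1 follows 4.0.3
    else:
        stage, num = 2, 0
    return (major, minor, patch, stage, num)


def is_affected(version):
    """True if the version lies inside one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def file_uploads_enabled(ini_text):
    """Effective file_uploads value: last assignment wins, ';' starts a comment."""
    enabled = True                        # PHP's built-in default (assumption)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:               # blank, comment or [section] line
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "file_uploads":
            continue
        value = value.strip().strip('"').lower()
        enabled = value in ("on", "1", "true", "yes")
    return enabled


def assess(version, ini_text):
    """One-line verdict combining version range and workaround state."""
    if not is_affected(version):
        return "not affected"
    workaround_applies = version_key(version) >= version_key(WORKAROUND_FROM)
    if workaround_applies and not file_uploads_enabled(ini_text):
        return "affected; file_uploads=Off workaround in place; upgrade still required"
    return "affected; upgrade or patch required"


SAMPLE_INI = """\
[PHP]
; constructed sample php.ini fragment
file_uploads = On
upload_max_filesize = 2M
file_uploads = Off   ; a later assignment overrides the earlier one
"""

if __name__ == "__main__":
    for v in ("PHP 4.0.7RC2", "4.0.2", "4.1.1", "4.2.0-dev"):
        print(v, "->", assess(v, SAMPLE_INI))
```

Feed it the real `php -v` first line and the php.ini the web server actually loads (`php -i` shows which one), and remember that for a module build the verdict only changes after the server restart the advisory mentions.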
