[NEWS] PHP Security Vulnerability in Multipart FORM Data Handling

From: support@securiteam.com
Date: 07/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 22 Jul 2002 18:06:06 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PHP Security Vulnerability in Multipart FORM Data Handling
------------------------------------------------------------------------

SUMMARY

The PHP Group has learned of a serious security vulnerability in PHP
versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
code with the privileges of the web server. This vulnerability may be
exploited to compromise the web server and, under certain conditions, to
gain privileged access.

DETAILS

Vulnerable systems:
 * PHP versions 4.2.0 and 4.2.1

PHP contains code for intelligently parsing the headers of HTTP POST
requests. The code is used to differentiate between variables and files
sent by the user agent in a "multipart/form-data" request. This parser has
insufficient input checking, leading to the vulnerability.

The vulnerability is exploitable by anyone who can send HTTP POST requests
to an affected web server. Both local and remote users, even from behind
firewalls, may be able to gain privileged access.

Impact:
Both local and remote users may exploit this vulnerability to compromise
the web server and, under certain conditions, to gain privileged access.
So far, only the IA32 platform has been verified to be safe from the
execution of arbitrary code. The vulnerability can still be used on IA32
to crash PHP and, in most cases, the web server.

Solution:
The PHP Group has released a new PHP version, 4.2.2, which incorporates a
fix for the vulnerability. All users of affected PHP versions are
encouraged to upgrade to this latest version. The downloads web site at
<http://www.php.net/downloads.php> has the new 4.2.2 source tarballs,
Windows binaries, and source patches from 4.2.0 and 4.2.1 available for
download.

Workaround:
If the PHP applications on an affected web server do not rely on HTTP POST
input from user agents, it is often possible to deny POST requests on the
web server.

In the Apache web server, for example, this is possible with the following
code included in the main configuration file or a top-level .htaccess
file:

      <Limit POST>
          Order deny,allow
          Deny from all
      </Limit>

Note that an existing configuration and/or .htaccess file may have
parameters contradicting the example given above.
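
The workaround above only fits servers whose PHP applications do not rely on POST, and an existing configuration may override it. The following is an added example, not part of the original advisory: it reads an Apache access log to list which paths receive POST requests and whether each POST was answered with 403. It assumes Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Request and status fields of a Common Log Format line:
#   "METHOD /path?query PROTOCOL" STATUS SIZE
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2002:10:01:12 +0200] "GET /index.php HTTP/1.0" 200 5120',
    '192.0.2.11 - - [22/Jul/2002:10:02:40 +0200] "POST /guestbook.php HTTP/1.0" 200 834',
    '192.0.2.11 - - [22/Jul/2002:10:03:02 +0200] "POST /guestbook.php?page=2 HTTP/1.0" 200 840',
    '192.0.2.12 - - [22/Jul/2002:10:05:55 +0200] "POST /search.php HTTP/1.1" 403 289',
    'truncated or malformed line',
]


def summarize_posts(log_lines):
    """Return {path: {"posts": n, "denied": n}} for every POST in the log."""
    summary = defaultdict(lambda: {"posts": 0, "denied": 0})
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match is None or match.group("method") != "POST":
            continue  # skip unparsable lines and non-POST requests
        # Group by script path; the query string does not matter here.
        path = match.group("target").split("?", 1)[0]
        summary[path]["posts"] += 1
        if match.group("status") == "403":
            summary[path]["denied"] += 1
    return dict(summary)


def posts_still_served(summary):
    """Paths where at least one POST was not answered with 403 Forbidden."""
    return sorted(p for p, e in summary.items() if e["posts"] > e["denied"])


if __name__ == "__main__":
    report = summarize_posts(SAMPLE_LOG)
    for path, counts in sorted(report.items()):
        print(path, counts)
    print("POST still served on:", posts_still_served(report))
```

Run against logs from before the change, the summary shows which scripts depend on POST; run against logs from after it, any path reported by posts_still_served() means the deny rule is not taking effect there.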

ADDITIONAL INFORMATION

The information has been provided by Marko Karppinen
<markonen@php.net>.
