[NEWS] Additional Details Released on PHP Security Vulnerability in Multipart FORM Data Handling

From: support@securiteam.com
Date: 07/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 22 Jul 2002 18:27:55 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Additional Details Released on PHP Security Vulnerability in Multipart
FORM Data Handling
------------------------------------------------------------------------

SUMMARY

As we reported in our previous advisory:
<http://www.securiteam.com/securitynews/5XP0N0K7PY.html> PHP Security
Vulnerability in Multipart FORM Data Handling, a security vulnerability in
PHP would allow attackers to cause the product to execute arbitrary code.

DETAILS

Vulnerable systems:
 * PHP version 4.2.0
 * PHP version 4.2.1

Immune systems:
 * PHP version 4.2.2

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST
handler. A malformed POST request can trigger an error condition that is
not correctly handled. Due to this bug, it could happen that an
uninitialised struct is appended to a linked list of mime headers. When
the list is cleaned or destroyed PHP tries to free the pointers that are
expected in the struct. Because of the lack of initialization, these
pointers contain stuff that was left on the stack by previous function
calls.

On the IA32 architecture (a.k.a. x86) it is not possible to control what
will end up in the uninitialised struct because of the stack layout. All
possible code paths leave illegal addresses within the struct and PHP will
crash when it tries to free them.

Unfortunately, the situation is different if you look on a Solaris Sparc
installation. Here it is possible for an attacker to free chunks of memory
that are full under his control. This is most probably the case for
several more non-IA32 architectures.

Please note that exploitability is not only limited to systems that are
running malloc()/free() implementations that are known to be vulnerable to
control structure overwrites. This is because the internal PHP memory
management implements its own linked list system that can be used to
overwrite nearly arbitrary memory addresses.

Recommendation:
If you are running PHP 4.2.x, you should upgrade as soon as possible,
especially if your server runs on a non IA32 CPU. If you cannot upgrade
for whatever reason the only way to workaround this, is to disable all
kinds of POST requests on your server.

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@e-matters.de>
e-matters Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • Re: Php query string security
    ... > Yes I have read an awful lot now about php security and different ... the vulnerability occurs in a quite complicated setup. ... people who write unnessesarily complicated code, who overdesign software, ... are usually not security conscious. ...
    (comp.lang.php)
  • TSLSA-2005-0059 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... PHP is an HTML-embedded scripting language. ... use of Rest with FTP servers and Range with HTTP servers to retrieve files ... - New Upstream and Multiple Vendor Security Fixes ...
    (Bugtraq)
  • [UNIX] Arbitrary Code Execution Vulnerability in Mantis
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Mantis is an Open Source web-based bug ... tracking system, written in PHP, which uses the MySQL database server. ... A security vulnerability in the ...
    (Securiteam)
  • PHP Security!!! www.armorize.com
    ... Our product uses the most advanced static source code analysis for identifying vulnerabilities in PHP code. ... Our language parser and transformer creates an abstract model of the code through which it runs a series of program path, inter-procedural and data flow analyses after which it can tell you not only what line of code the vulnerability lies, but also highlights the tainted variable that introduced the bug and how it propagates throught the code to become a vulnerability. ... This provides an end to end illustration of the vulnerability, educates you regarding the dymanics of security problems in PHP and actually provides suggetions of how you should go abuout fixing the code. ... Purchase for one month and fix your entire code base, when you need to modify your application again, it will only cost you that month's subscription. ...
    (php.general)
  • Re: [PHP] Out source files
    ... >> server, and use URL fopen to read them, if you like. ... In several PHP security recommendation we can read "Do not let PHP ... a vulnerability of the application doesn't expose all the data to the ...
    (php.general)