[ GLSA 200410-04 ] PHP: Memory disclosure and arbitrary location file upload

From: Dan Margolis (krispykringle_at_gentoo.org)
Date: 10/06/04

    Date: Tue, 05 Oct 2004 21:22:10 -0400
    To: gentoo-announce@lists.gentoo.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200410-04
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Normal
         Title: PHP: Memory disclosure and arbitrary location file upload
          Date: October 06, 2004
          Bugs: #64223
            ID: 200410-04

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Two bugs in PHP may allow the disclosure of portions of memory and
    allow remote attackers to upload files to arbitrary locations.

    Background
    ==========

    PHP is a general-purpose scripting language widely used to develop
    web-based applications. It can run inside a web server using the
    mod_php module or the CGI version of PHP, or can run stand-alone in a
    CLI.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package                /  Vulnerable  /                 Unaffected
        -------------------------------------------------------------------
      1  dev-php/php                < 4.3.9                       >= 4.3.9
      2  dev-php/mod_php            < 4.3.9                       >= 4.3.9
      3  dev-php/php-cgi            < 4.3.9                       >= 4.3.9
        -------------------------------------------------------------------
         3 affected packages on all of their supported architectures.
        -------------------------------------------------------------------

    Description
    ===========

    Stefano Di Paola discovered two bugs in PHP. The first is a parse error
    in php_variables.c that could allow a remote attacker to view the
    contents of the target machine's memory. Additionally, an array
    processing error in the SAPI_POST_HANDLER_FUNC() function inside
    rfc1867.c could lead to the $_FILES array being overwritten.

    Impact
    ======

    A remote attacker could exploit the first vulnerability to view memory
    contents. On a server with a script that provides file uploads, an
    attacker could exploit the second vulnerability to upload files to an
    arbitrary location. On systems where the HTTP server is allowed to
    write to an HTTP-accessible location, this could lead to remote
    execution of arbitrary commands with the rights of the HTTP server.
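
    How far the second issue reaches depends on how much an upload script
    trusts the contents of $_FILES. The handler below is an added example
    written for this page; it is not part of the advisory, of Gentoo's
    packages or of PHP itself. It treats every element of $_FILES as
    untrusted request data, derives no part of the destination path from
    the request, stores files under a random server-chosen name in a
    directory outside the document root, and accepts a temporary file only
    when PHP's own is_uploaded_file()/move_uploaded_file() confirm it came
    from this request's multipart handler. The directory
    /var/www/uploads-private, the form field name userfile, the extension
    allow-list and the 2 MiB limit are assumptions chosen for the example;
    it needs PHP 7.1 or later.

```php
<?php
// Added example, not part of GLSA 200410-04 or of PHP's own code.
// A defensive upload handler: every element of $_FILES is treated as
// untrusted, the destination path is chosen entirely by the server, and
// the file is accepted only if PHP confirms it is a genuine upload.

// Assumed settings (hypothetical): a directory outside the web root
// and a size limit.
const UPLOAD_DIR     = '/var/www/uploads-private';   // not HTTP-accessible
const MAX_UPLOAD_LEN = 2 * 1024 * 1024;              // 2 MiB

/**
 * Validate one $_FILES entry. Returns the temporary path on success, or
 * a string starting with "reject:" describing why it was refused.
 */
function validate_upload(array $file): string
{
    // Every key PHP's multipart handler sets must be present and have the
    // type PHP would give it; anything else is not a well-formed entry.
    foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $key) {
        if (!array_key_exists($key, $file)) {
            return "reject: missing field $key";
        }
    }
    if (!is_string($file['tmp_name']) || !is_int($file['error']) || !is_int($file['size'])) {
        return 'reject: malformed entry';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'reject: upload error code ' . $file['error'];
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_LEN) {
        return 'reject: size out of range';
    }
    // is_uploaded_file() is the authoritative check: it asks PHP whether
    // tmp_name was created by this request's multipart handler rather
    // than being a path that arrived in the request body.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'reject: tmp_name is not a file uploaded in this request';
    }
    return $file['tmp_name'];
}

/**
 * Derive a server-controlled destination. The client-supplied name is
 * consulted only to pick an allow-listed extension; the base name is
 * random, so no path component comes from the request.
 */
function destination_path(string $clientName): ?string
{
    $allowed = ['png' => 'png', 'jpg' => 'jpg', 'jpeg' => 'jpg', 'pdf' => 'pdf'];
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$ext];
}

/** Process the named form field and report the outcome as a string. */
function handle_upload(string $field): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        return 'reject: no such upload field';
    }
    $tmp = validate_upload($_FILES[$field]);
    if (strncmp($tmp, 'reject:', 7) === 0) {
        return $tmp;
    }
    $dest = destination_path((string) $_FILES[$field]['name']);
    if ($dest === null) {
        return 'reject: extension not allowed';
    }
    // move_uploaded_file() re-checks is_uploaded_file() internally and
    // fails rather than moving an arbitrary file.
    if (!move_uploaded_file($tmp, $dest)) {
        return 'reject: move failed';
    }
    chmod($dest, 0640);               // readable by the server, never executable
    return 'stored: ' . $dest;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
    echo handle_upload('userfile'), "\n";
}
```

    Serving the stored file back, if needed at all, is then done by a
    separate script that reads it from UPLOAD_DIR and sends it with a fixed
    Content-Type, so nothing the client uploaded ever sits where the HTTP
    server would execute or directly serve it.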

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All PHP, mod_php and php-cgi users should upgrade to the latest stable
    version:

        # emerge sync

        # emerge -pv ">=dev-php/php-4.3.9"
        # emerge ">=dev-php/php-4.3.9"

        # emerge -pv ">=dev-php/mod_php-4.3.9"
        # emerge ">=dev-php/mod_php-4.3.9"

        # emerge -pv ">=dev-php/php-cgi-4.3.9"
        # emerge ">=dev-php/php-cgi-4.3.9"

    References
    ==========

      [ 1 ] Secunia Advisory
            http://secunia.com/advisories/12560/
      [ 2 ] BugTraq post regarding the php_variables.c issue
            http://www.securityfocus.com/archive/1/375294
      [ 3 ] BugTraq post regarding the rfc1867.c issue
            http://www.securityfocus.com/archive/1/375370

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200410-04.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or, alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2004 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/1.0
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (Darwin)

    iQEVAwUBQWNIwbDO2aFJ9pv2AQJECgf7BBrP7OEsoGjgSR11YB4IFZwTXWsWUJO0
    WGAfY2VX9ZQNPFJ90Je0Vgb/j50ZR8lfNpg4sjqw/ohouXEsGgAFhckUuVgIvUsv
    xnmLSVt+cP/w2Gku/dGtQ8yOoi3++JhbIx0UiYv8pH4GcpjOfrJDDfI/ItmQKrCe
    sGswXjuhYO1pAugzTWpouLdpCofbCqGS23VJbIP0jW6YtsMaxKdI0AteWlBDFCo5
    0trpIZWdS5eY3wicoFG2y8Cj1zsmLhbUiY0YtYxsuQrw2vrLf6owZavUxSmrRe8R
    gSNbYNNsFT/vbfsuQcrtKCS2qI4IheK0/nZIbt9YBFEDqYH4UbUXLw==
    =Qhn7
    -----END PGP SIGNATURE-----

