[Helpc] CERT Advisory CA-2002-21 Vulnerability in PHP

  • From: "Shaka( Rudy)" <strub.rudy@xxxxxxxxx>
  • To: <helpc@xxxxxxxxxxxxx>
  • Date: Tue, 23 Jul 2002 05:36:30 +0200

CERT Advisory CA-2002-21 Vulnerability in PHP
 
   Original release date: July 22, 2002
   Last revised: --
   Source: CERT/CC
 
   A complete revision history can be found at the end of this file.
 
Systems Affected
 
     * Systems running PHP versions 4.2.0 or 4.2.1
 
Overview
 
   A vulnerability has been discovered in PHP. This vulnerability could
   be used by a remote attacker to execute arbitrary code or crash PHP
   and/or the web server.
 
I. Description
 
   PHP is a popular scripting language in widespread use.
 
   The vulnerability occurs in the portion of PHP code responsible for
   handling file uploads, specifically multipart/form-data. By sending a
   specially crafted POST request to the web server, an attacker can
   corrupt the internal data structures used by PHP. Specifically, an
   intruder can cause an improperly initialized memory structure to be
   freed. In most cases, an intruder can use this flaw to crash PHP or
   the web server. Under some circumstances, an intruder may be able to
   take advantage of this flaw to execute arbitrary code with the
   privileges of the web server.
 
   You may be aware that freeing memory at inappropriate times in some
   implementations of malloc and free does not usually result in the
   execution of arbitrary code. However, because PHP utilizes its own
   memory management system, the implementation of malloc and free is
   irrelevant to this problem.
 
   Stefan Esser of e-matters GmbH has indicated that intruders cannot
   execute code on x86 systems. However, we encourage system
   administrators to apply patches on x86 systems as well to guard
   against denial-of-service attacks and as-yet-unknown attack techniques
   that may permit the execution of code on x86 architectures.
 
   This vulnerability was discovered by e-matters GmbH and is described
   in detail in their advisory. The PHP Group has also issued an
   advisory. A list of vendors contacted by the CERT/CC and their status
   regarding this vulnerability is available in VU#929115.
 
   Although this vulnerability only affects PHP 4.2.0 and 4.2.1,
   e-matters GmbH has previously identified vulnerabilities in older
   versions of PHP. If you are running older versions of PHP, we
   encourage you to review
    http://security.e-matters.de/advisories/012002.html
 
II. Impact
 
   A remote attacker can execute arbitrary code on a vulnerable system.
   An attacker may not be able to execute code on x86 architectures due
   to the way the stack is structured. However, an attacker can leverage
   this vulnerability to crash PHP and/or the web server running on an
   x86 architecture.
 
III. Solution
 
Apply a patch from your vendor
 
   Appendix A contains information provided by vendors for this advisory.
   As vendors report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below, we have not received their comments.
   Please contact your vendor directly.
 
Upgrade to the latest version of PHP
 
   If a patch is not available from your vendor, upgrade to version
   4.2.2.
 
Deny POST requests
 
   Until patches or an update can be applied, you may wish to deny POST
   requests. The following workaround is taken from the PHP Security
   Advisory:
 
     If  the  PHP  applications on an affected web server do not rely on
     HTTP POST input from user agents, it is often possible to deny POST
     requests on the web server.
 
     In  the  Apache  web server, for example, this is possible with the
     following  code  included  in  the  main  configuration  file  or a
     top-level .htaccess file:
 
     <Limit POST>
        Order deny,allow
        Deny from all
     </Limit>
 
     Note  that an existing configuration and/or .htaccess file may have
     parameters contradicting the example given above.
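The note above warns that an existing configuration may contradict the
workaround. The following Python model of Apache's Order/Allow/Deny
evaluation (pre-2.4 mod_access semantics) is an added example, not part
of this advisory or of the PHP Security Advisory; it shows the
workaround refusing every client, and what happens if an "Allow from
all" line ends up in the same effective ruleset for POST. The rulesets
are constructed, and Apache's own section-merging logic is not modelled.

```python
import ipaddress


def _matches(pattern, client_ip):
    # Match one "Allow from"/"Deny from" argument in the forms used
    # here: the keyword "all", a full IP address, or a CIDR block.
    # Hostname and partial-address forms are deliberately not modelled.
    if pattern == "all":
        return True
    return client_ip in ipaddress.ip_network(pattern, strict=False)


def access_decision(order, allow, deny, client):
    """Return True if `client` is admitted under Apache 1.3/2.0/2.2
    mod_access semantics for an effective ruleset of one Order line,
    a list of Allow patterns and a list of Deny patterns."""
    ip = ipaddress.ip_address(client)
    allowed = any(_matches(p, ip) for p in allow)
    denied = any(_matches(p, ip) for p in deny)
    if order == "deny,allow":
        # Deny is evaluated first, then Allow; a matching Allow wins,
        # and clients matched by neither directive are admitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, then Deny; a matching Deny wins,
        # and clients matched by neither directive are refused.
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)


def post_blocked(ruleset, client):
    """True if the ruleset in effect for <Limit POST> refuses `client`."""
    return not access_decision(ruleset["order"], ruleset["allow"],
                               ruleset["deny"], client)


# The advisory's workaround as the effective ruleset for POST.
WORKAROUND = {"order": "deny,allow", "allow": [], "deny": ["all"]}

# Constructed example of the caveat: the same block with an
# "Allow from all" line left in from an existing configuration.
CONTRADICTED = {"order": "deny,allow", "allow": ["all"], "deny": ["all"]}

if __name__ == "__main__":
    for name, rules in (("workaround", WORKAROUND),
                        ("contradicted", CONTRADICTED)):
        print(name, "blocks POST from 203.0.113.9:",
              post_blocked(rules, "203.0.113.9"))
```

With "Order deny,allow" any matching Allow overrides "Deny from all", so the contradicted ruleset admits POST again; a stray "Allow from all" is exactly the parameter the note tells you to look for.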
 
Disable vulnerable service
 
   Until you can upgrade or apply patches, you may wish to disable PHP.
   As a best practice, the CERT/CC recommends disabling all services that
   are not explicitly required. Before deciding to disable PHP, carefully
   consider your service requirements.
 
Appendix A. - Vendor Information
 
   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.
 
Apple Computer Inc.
 
          Mac OS X and Mac OS X Server are shipping with PHP version
          4.1.2 which does not contain the vulnerability described in
          this alert.
 
Caldera
 
          Caldera OpenLinux does not provide either vulnerable version
          (4.2.0, 4.2.1) of PHP in their products. Therefore, Caldera
          products are not vulnerable to this issue.
 
Compaq Computer Corporation
 
          SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary
          of Hewlett-Packard Company and Hewlett-Packard Company HP
          Services Software Security Response Team
          x-ref: SSRT2300 php post requests
          At the time of writing this document, Compaq is currently
          investigating the potential impact to Compaq's released
          Operating System software products.
          As further information becomes available Compaq will provide
          notice of the availability of any necessary patches through
          standard security bulletin announcements and be available from
          your normal HP Services support channel.
 
Cray Inc.
 
          Cray, Inc. does not supply PHP on any of its systems.
 
Debian
 
          Debian GNU/Linux stable aka 3.0 is not vulnerable.
          Debian GNU/Linux testing is not vulnerable.
          Debian GNU/Linux unstable is vulnerable.
          The problem affects PHP versions 4.2.0 and 4.2.1. Woody ships
          an older version of PHP (4.1.2), that doesn't contain the
          vulnerable function.
 
FreeBSD
 
          FreeBSD does not include any version of PHP by default, and so
          is not vulnerable; however, the FreeBSD Ports Collection does
          contain the PHP4 package. Updates to the PHP4 package are in
          progress and a corrected package will be available in the near
          future.
 
Guardian Digital
 
          Guardian Digital has not shipped PHP 4.2.x in any versions of
          EnGarde, therefore we are not believed to be vulnerable at this
          time.
 
Hewlett-Packard Company
 
          SOURCE: Hewlett-Packard Company Security Response Team
          At the time of writing this document, Hewlett Packard is
          currently investigating the potential impact to HP's released
          Operating System software products.
          As further information becomes available HP will provide notice
          of the availability of any necessary patches through standard
          security bulletin announcements and be available from your
          normal HP Services support channel.
 
IBM
 
          IBM is not vulnerable to the above vulnerabilities in PHP. We
          do supply the PHP packages for AIX through the AIX Toolbox for
          Linux Applications. However, these packages are at 4.0.6 and
          also incorporate the security patch from 2/27/2002.
 
Mandrakesoft
 
          Mandrake Linux does not ship with PHP version 4.2.x and as such
          is not vulnerable. The Mandrake Linux cooker does currently
          contain PHP 4.2.1 and will be updated shortly, but cooker
          should not be used in a production environment and no advisory
          will be issued.
 
Microsoft Corporation
 
          Microsoft products are not affected by the issues detailed in
          this advisory.
 
Network Appliance
 
          No Netapp products are vulnerable to this.
 
Red Hat Inc.
 
          None of our commercial releases ship with vulnerable versions
          of PHP (4.2.0, 4.2.1).
 
SuSE Inc.
 
          SuSE Linux is not vulnerable to this problem, as we do not ship
          PHP 4.2.x.
     _________________________________________________________________
 
   The CERT/CC acknowledges e-matters GmbH for discovering and reporting
   this vulnerability.
     _________________________________________________________________
 
   Author: Ian A. Finlay.
 
 
 
--->>>
Shaka( Rudy)
HelPC list owner
shaka.rudy@xxxxxxxxx
 
 