Open Source and information security mailing list archives
 
From: dotslash at snosoft.com (KF)
Subject: PHP Exploit

Out of curiosity who did the verification that this was not exploitable
on IA32? The same guys that determined x86 apache was not exploitable? 
Were a range of OS's tested or just one OS with an IA32 processor? 
Should we take their word?
-KF


Paul Tinsley wrote:

>Sorry if this was already posted but, this is a serious vulnerability given
>the widespread use of PHP, and the plenty of people that have it on by
>default that don't actually use it.
>
>For those that are familiar with http://www.apachetoolbox.com, a build tool
>for apache, It was patched at 8:46 this morning:
>
>v1.5.59		07/22/02
>		PDFLib patch sent in by Dominique Massonie. Updated PHP
>		to v4.2.2.
>
>Vulnerability Text from PHP site:
>
>http://www.php.net/release_4_2_2.php
>
>Issued on:    July 22, 2002 
>Software:    PHP versions 4.2.0 and 4.2.1 
>Platforms:    All 
>
>
>The PHP Group has learned of a serious security vulnerability in PHP
>versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code
>with the privileges of the web server. This vulnerability may be exploited
>to compromise the web server and, under certain conditions, to gain
>privileged access.
>
>Description
>PHP contains code for intelligently parsing the headers of HTTP POST
>requests. The code is used to differentiate between variables and files sent
>by the user agent in a "multipart/form-data" request. This parser has
>insufficient input checking, leading to the vulnerability.
>
>The vulnerability is exploitable by anyone who can send HTTP POST requests
>to an affected web server. Both local and remote users, even from behind
>firewalls, may be able to gain privileged access.
>
>Impact
>Both local and remote users may exploit this vulnerability to compromise the
>web server and, under certain conditions, to gain privileged access. So far
>only the IA32 platform has been verified to be safe from the execution of
>arbitrary code. The vulnerability can still be used on IA32 to crash PHP
>and, in most cases, the web server.
>
>Solution
>The PHP Group has released a new PHP version, 4.2.2, which incorporates a
>fix for the vulnerability. All users of affected PHP versions are encouraged
>to upgrade to this latest version. The downloads web site at 
>
>http://www.php.net/downloads.php
>has the new 4.2.2 source tarballs, Windows binaries and source patches from
>4.2.0 and 4.2.1 available for download.
>
>Workaround
>If the PHP applications on an affected web server do not rely on HTTP POST
>input from user agents, it is often possible to deny POST requests on the
>web server.
>
>In the Apache web server, for example, this is possible with the following
>code included in the main configuration file or a top-level .htaccess file: 
>
><Limit POST>
>   Order deny,allow
>   Deny from all
></Limit>
>
>Note that an existing configuration and/or .htaccess file may have
>parameters contradicting the example given above.
>
>Credits
>The PHP Group would like to thank Stefan Esser of e-matters GmbH for
>discovering this vulnerability. e-matters GmbH has also released an
>independent advisory, describing the vulnerability in more detail.
>
>--
>Paul Tinsley
>paul.tinsley@...ve.com
>_______________________________________________
>Full-Disclosure - We believe in it.
>Full-Disclosure@...ts.netsys.com
>http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
>  
>
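
Added example, not part of the original posts or the PHP Group advisory: a small Python check for the caveat in the quoted workaround, that other access-control parameters can contradict the <Limit POST> block. It reads Apache 1.3/2.0-style Order/Deny/Allow lines inside each <Limit> block covering POST; the function names and both sample configurations are constructed for illustration, and it assumes a single file with no other overriding sections.

```python
import re

# Constructed sample configs (not from the advisory): the workaround as quoted,
# and the same block weakened by an extra Allow line.
ADVISORY_BLOCK = "<Limit POST>\n   Order deny,allow\n   Deny from all\n</Limit>\n"
WEAKENED_BLOCK = ("<Limit POST>\n   Order deny,allow\n   Deny from all\n"
                  "   Allow from 192.0.2.0/24\n</Limit>\n")

def audit_post_limit(config):
    """Return one verdict string per <Limit> block that covers POST."""
    verdicts, block = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        opened = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opened:                                # <LimitExcept> does not match
            methods = opened.group(1).split()
            block = {"post": "POST" in methods, "order": "deny,allow",
                     "deny_all": False, "allow": False}
        elif re.match(r"</Limit>$", line, re.I) and block is not None:
            if block["post"]:
                verdicts.append(verdict(block))
            block = None
        elif block is not None:
            words = line.lower().split()
            if words[0] == "order" and len(words) > 1:
                block["order"] = "".join(words[1:])
            elif words[:2] == ["deny", "from"] and "all" in words[2:]:
                block["deny_all"] = True
            elif words[:2] == ["allow", "from"]:
                block["allow"] = True
    return verdicts

def verdict(block):
    if not block["deny_all"]:
        return "POST not denied: no 'Deny from all'"
    # With 'Order deny,allow' (the default), Allow lines are evaluated last and
    # override Deny; with allow,deny or mutual-failure, 'Deny from all' wins.
    if block["order"] != "deny,allow" or not block["allow"]:
        return "POST denied"
    return "POST partly allowed: an Allow line overrides 'Deny from all'"

if __name__ == "__main__":
    for name, cfg in (("advisory", ADVISORY_BLOCK), ("weakened", WEAKENED_BLOCK)):
        print(name, audit_post_limit(cfg))
```

An empty result means no <Limit> block covering POST was found, so the workaround is not in place in that file.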



