Message-ID: <3D3C55FD.70109@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: PHP Exploit
Out of curiosity, who did the verification that this was not exploitable
on IA32? The same guys that determined x86 apache was not exploitable?
Were a range of OS's tested or just one OS with an IA32 processor?
Should we take their word?
-KF
Paul Tinsley wrote:
>Sorry if this was already posted, but this is a serious vulnerability given
>the widespread use of PHP, and the plenty of people that have it on by
>default that don't actually use it.
>
>For those that are familiar with http://www.apachetoolbox.com, a build tool
>for Apache, it was patched at 8:46 this morning:
>
>v1.5.59 07/22/02
> PDFLib patch sent in by Dominique Massonie. Updated PHP
> to v4.2.2.
>
>Vulnerability text from PHP site:
>
>http://www.php.net/release_4_2_2.php
>
>Issued on: July 22, 2002
>Software: PHP versions 4.2.0 and 4.2.1
>Platforms: All
>
>
>The PHP Group has learned of a serious security vulnerability in PHP
>versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code
>with the privileges of the web server. This vulnerability may be exploited
>to compromise the web server and, under certain conditions, to gain
>privileged access.
>
>Description
>PHP contains code for intelligently parsing the headers of HTTP POST
>requests. The code is used to differentiate between variables and files sent
>by the user agent in a "multipart/form-data" request. This parser has
>insufficient input checking, leading to the vulnerability.
>
>The vulnerability is exploitable by anyone who can send HTTP POST requests
>to an affected web server. Both local and remote users, even from behind
>firewalls, may be able to gain privileged access.
>
>Impact
>Both local and remote users may exploit this vulnerability to compromise the
>web server and, under certain conditions, to gain privileged access. So far
>only the IA32 platform has been verified to be safe from the execution of
>arbitrary code. The vulnerability can still be used on IA32 to crash PHP
>and, in most cases, the web server.
>
>Solution
>The PHP Group has released a new PHP version, 4.2.2, which incorporates a
>fix for the vulnerability. All users of affected PHP versions are encouraged
>to upgrade to this latest version. The downloads web site at
>
>http://www.php.net/downloads.php
>has the new 4.2.2 source tarballs, Windows binaries and source patches from
>4.2.0 and 4.2.1 available for download.
>
>Workaround
>If the PHP applications on an affected web server do not rely on HTTP POST
>input from user agents, it is often possible to deny POST requests on the
>web server.
>
>In the Apache web server, for example, this is possible with the following
>code included in the main configuration file or a top-level .htaccess file:
>
><Limit POST>
> Order deny,allow
> Deny from all
></Limit>
>
>Note that an existing configuration and/or .htaccess file may have
>parameters contradicting the example given above.
>
>Credits
>The PHP Group would like to thank Stefan Esser of e-matters GmbH for
>discovering this vulnerability. e-matters GmbH has also released an
>independent advisory, describing the vulnerability in more detail.
>
>--
>Paul Tinsley
>paul.tinsley@...ve.com
>_______________________________________________
>Full-Disclosure - We believe in it.
>Full-Disclosure@...ts.netsys.com
>http://lists.netsys.com/mailman/listinfo/full-disclosure