This has been sent out by CERT as well. However, I'd be curious to find an administrator who isn't on either CERT or Bugtraq though, especially one who administers multiple systems as many of us do.
- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Evolution - A crutch for scientists who can't handle the existence of the creator. See "disproven scientific theories" and Romans 1:22. >-----Original Message----- >From: R. DuFresne [mailto:[EMAIL PROTECTED]] >Sent: 28 February 2002 00:28 >To: [EMAIL PROTECTED] >Subject: Advisory 012002: PHP remote vulnerabilities (fwd) > > > >Considering the plethroa of php users on the list, and the >fact many are >perhaps not reading bugtraq: > >---------- Forwarded message ---------- >From: [EMAIL PROTECTED] >Subject: Advisory 012002: PHP remote vulnerabilities >Date: Wed, 27 Feb 2002 12:30:56 +0100 >To: [EMAIL PROTECTED], [EMAIL PROTECTED] > > e-matters GmbH > www.e-matters.de > > -= Security Advisory =- > > > > Advisory: Multiple Remote Vulnerabilites within PHP's >fileupload code > Release Date: 2002/02/27 >Last Modified: 2002/02/27 > Author: Stefan Esser [[EMAIL PROTECTED]] > > Application: PHP v3.10-v3.18, v4.0.1-v4.1.1 > Severity: Several vulnerabilities in PHP's fileupload code allow > remote compromise > Risk: Critical >Vendor Status: Patches Released > Reference: http://security.e-matters.de/advisories/012002.html > > > >Overview: > > We found several flaws in the way PHP handles >multipart/form-data POST > requests. Each of the flaws could allow an attacker to >execute arbitrary > code on the victim's system. > > >Details: > > PHP supports multipart/form-data POST requests (as >described in RFC1867) > known as POST fileuploads. Unfourtunately there are several >flaws in the > php_mime_split function that could be used by an attacker to execute > arbitrary code. During our research we found out that not >only PHP4 but > also older versions from the PHP3 tree are vulnerable. > > > The following is a list of bugs we found: > > PHP 3.10-3.18 > > - broken boundary check (hard to exploit) > - arbitrary heap overflow (easy exploitable) > > PHP 4.0.1-4.0.3pl1 > > - broken boundary check (hard to exploit) > - heap off by one (easy exploitable) > > PHP 4.0.2-4.0.5 > > - 2 broken boundary checks (one very easy and one hard >to exploit) > > PHP 4.0.6-4.0.7RC2 > > - broken boundary check (very easy to exploit) > > PHP 4.0.7RC3-4.1.1 > > - broken boundary check (hard to exploit) > > > Finally I want to mention that most of these vulnerabilities are > exploitable only on linux or solaris. But the heap off by >one is only > exploitable on x86 architecture and the arbitrary heap overflow in > PHP3 is exploitable on most OS and architectures. (This >includes *BSD) > > Users running PHP 4.2.0-dev from cvs are not vulnerable to >any of the > described bugs because the fileupload code was completly >rewritten for > the 4.2.0 branch. > > >Proof of Concept: > > e-matters is not going to release exploits for any of the discovered > vulnerabilities to the public. > > >Vendor Response: > > Because I am part of the php developer team there is not much I can > write here... > > 27th February 2002 - An updated version of php and the patch for > these vulnerabilities are now available at: > http://www.php.net/downloads.php > > >Recommendation: > > If you are running PHP 4.0.3 or above one way to workaround these > bugs is to disable the fileupload support within your php.ini > (file_uploads = Off) If you are running php as module keep in mind > to restart the webserver. Anyway you should better install the > fixed or a properly patched version to be safe. > > >Sidenotice: > > This advisory is so short because I don't want to give out more info > than is needed. > > Users running the developer version of php (4.2.0-dev) are not > vulnerable to these bugs because the fileupload support was >completly > rewritten for that branch. > > >GPG-Key: > > http://security.e-matters.de/gpg_key.asc > > pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam > Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6 > > >Copyright 2002 Stefan Esser. All rights reserved. > > > >______________________________________________________________________ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] > - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk 14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to find out all about it. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
