Armenian Knowledge Base  

Go Back   Armenian Knowledge Base > Technical sections > Software > Software Security
Register

Reply
 
LinkBack Thread Tools
Old 04.03.2002, 20:20   #1
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post PHP remote vulnerabilities

PHP remote vulnerabilities




Release Date: 2002/02/27
Author: Stefan Esser [[email protected]]
Application: PHP v3.0.10-v3.0.18, v4.0.1-v4.1.1
Severity: Several vulnerabilities in PHP's fileupload code allow remote compromise
Risk: Critical
Reference: http://security.e-matters.de/advisories/012002.html
Last Modified: 2002/02/28





Overview

We found several flaws in the way PHP handles multipart/form-data POST requests. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.




Details

PHP supports multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Unfourtunately there are several flaws in the php_mime_split function that could be used by an attacker to execute arbitrary code. During our research we found out that not only PHP4 but also older versions from the PHP3 tree are vulnerable.

The following is a list of bugs we found:

PHP 3.0.10-3.0.18

- broken boundary check (hard to exploit)
- arbitrary heap overflow (easy exploitable)

PHP 4.0.1-4.0.3pl1

- broken boundary check (hard to exploit)
- heap off by one (easy exploitable)

PHP 4.0.2-4.0.5

- 2 broken boundary checks (one very easy and one hard to exploit)

PHP 4.0.6-4.0.7RC2

- broken boundary check (very easy to exploit)

PHP 4.0.7RC3-4.1.1

- broken boundary check (hard to exploit)

Finally I want to mention that the boundary check vulnerabilities are only exploitable on linux or solaris. The heap off by one is only exploitable on linux(maybe solaris)x86 and the arbitrary heap overflow in PHP3 is exploitable on most OS and architectures. (This includes *BSD, Windows, Linux, Solaris)

Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completly rewritten for the 4.2.0 branch.

Please notice, that you are not only vulnerable if you run scripts that use uploaded files. You are vulnerable if you run any script! If you have PHP only installed but there is no script on your server you are not vulnerable.

Please notice also, that the PHP team now learned that there is really a badly working exploit circulating in the underground. At the time this advisory was originaly posted we only heard rumours.




Proof of Concept

e-matters is not going to release exploits for any of the discovered vulnerabilities to the public.




Vendor Response

Because I am part of the php developer team there is not much I can write here...

27 February 2002 An updated version of php and the patch for these vulnerabilites are now available at: http://www.php.net/downloads.php





Recommendation

If you are running PHP 4.0.3 or above one way to workaround these bugs is to disable the fileupload support within your php.ini (file_uploads = Off) If you are running php as module keep in mind to restart the webserver. Anyway you should better install the fixed or a properly patched version to be safe.




Sidenotice

This advisory is so short because I don't want to give out more info than is needed.
Users running the developer version of php (4.2.0-dev) are not vulnerable to these bugs because the fileupload support was completly rewritten for that branch.



Copyright 2002 Stefan Esser. All rights reserved.




-------------------------------------

Teper' esli kto-to naidet exploid ili napi****, to freenetu esli on ne updatil php KRISHKA
__________________
Праздник к нам приходит...

|^^^^^^^^^'''^\| ||\__
| ВОДКА-ВОДКА | ||','''|'''''''\_____,_
| _..... _ | ||_ _|'__|_____||.........| |
'(@)'(@)'(@)''''''''''''''''''''''*|(@)""""|(@)*
Reply With Quote
Reply

Thread Tools


На правах рекламы:
реклама

All times are GMT. The time now is 03:46.


Powered by vBulletin® Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.