SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   PHP Vendors:   PHP Group
PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server
SecurityTracker Alert ID:  1003676
SecurityTracker URL:  http://securitytracker.com/id/1003676
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 27 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.10 - 3.18, 4.0.1 - 4.1.1
Description:   e-matters released a security advisory warning of multiple vulnerabilities in PHP. A remote user can execute arbitrary code on the web server.

It is reported that there are multiple flaws in the php_mime_split function that is used to process multipart/form-data POST requests.

The following flaws were reportedly identified. No technical details were provided.

In PHP 3.10-3.18, there is a broken boundary check that is apparently difficult to exploit and a heap overlow that is apparently easy to exploit.

In PHP 4.0.1-4.0.3pl1, there is a broken boundary check that is apparently difficult to exploit and a heap 'off by one' vulnerability that is apparently easy to exploit.

In PHP 4.0.2-4.0.5, there are reportedly two broken boundary checks (one very easy and one hard to exploit).

In PHP 4.0.6-4.0.7RC2, there is an easily exploitable broken boundary check.

In PHP 4.0.7RC3-4.1.1, there is a broken boundary check that is apparently difficult to exploit.

Impact:   A remote user can execute arbitrary code on the web server with the privileges of the web server.
Solution:   The vendor has released a fixed version (4.1.2) and patches for existing versions, available at:

http://www.php.net/downloads.php

The author of the report indicates that users running PHP 4.0.3 or above can implement a workaround by disabling the fileupload support within your php.ini (file_uploads = Off).

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Trustix Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (tsl@trustix.com (Trustix Secure Linux Advisor))
The vendor has released a fix.
(Red Hat Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (bugzilla@redhat.com)
The vendor has released a fix.
(SuSE Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (Roman Drahtmueller <draht@suse.de>)
The vendor has released a fix.
(Mandrake Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (Mandrake Linux Security Team <security@linux-mandrake.com>)
The vendor has released a fix.
(Engarde Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (engarde-announce-admins@linuxsecurity.com)
The vendor has released a fix.
(Debian Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (joey@infodrom.org (Martin Schulze))
The vendor has released a fix.
(Slackware Issues Fix) Re: PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (Slackware Security Team <security@slackware.com>)
This is a follow-up message.
(Conectiva Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (secure@conectiva.com.br)
The vendor has released a fix.
(Red Hat Issues Revised Fix for Red Hat 7.x) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (bugzilla@redhat.com)
The vendor has released a revised fix for Red Hat 7.x.
(Compaq Issues Fix for Compaq Secure Web Server) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   ("Boren, Rich (SSRT)" <Rich.Boren@COMPAQ.com>)
The vendor has released a fix for Compaq Secure Web Server.
(Caldera Issues Fix for OpenLinux) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server   (security@caldera.com)
The vendor has released a fix.



 Source Message Contents

Date:  Wed, 27 Feb 2002 10:00:21 -0500
Subject:  PHP bugs


This is a multi-part message in MIME format.
--------------8514EABCD67DE96F3C2D3BA8
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

http://security.e-matters.de/advisories/012002.txt
--------------8514EABCD67DE96F3C2D3BA8
Content-Type: text/plain; charset=us-ascii;
 name="012002.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="012002.txt"

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Multiple Remote Vulnerabilites within PHP's fileupload code
 Release Date: 2002/02/27
Last Modified: 2002/02/27
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
     Severity: Several vulnerabilities in PHP's fileupload code allow
               remote compromise
         Risk: Critical
Vendor Status: Patches Released
    Reference: http://security.e-matters.de/advisories/012002.html



Overview:
	
   We found several flaws in the way PHP handles multipart/form-data POST 
   requests. Each of the flaws could allow an attacker to execute arbitrary 
   code on the victim's  system.
 
	
Details:

   PHP supports multipart/form-data POST requests (as described in RFC1867) 
   known as POST fileuploads. Unfourtunately there are several flaws in the
   php_mime_split function that could be used by an attacker to execute
   arbitrary code. During our research we found out that not only PHP4 but
   also older versions from the PHP3 tree are vulnerable.
   
   
   The following is a list of bugs we found:
   
   PHP 3.10-3.18
   
      - broken boundary check    (hard to exploit)
      - arbitrary heap overflow  (easy exploitable)
   
   PHP 4.0.1-4.0.3pl1
   
      - broken boundary check    (hard to exploit)
      - heap off by one          (easy exploitable)
      
   PHP 4.0.2-4.0.5
   
      - 2 broken boundary checks (one very easy and one hard to exploit)
      
   PHP 4.0.6-4.0.7RC2
   
      - broken boundary check    (very easy to exploit)
      
   PHP 4.0.7RC3-4.1.1
   
      - broken boundary check    (hard to exploit)


   Finally I want to mention that most of these vulnerabilities are 
   exploitable only on linux or solaris. But the heap off by one is only
   exploitable on x86 architecture and the arbitrary heap overflow in
   PHP3 is exploitable on most OS and architectures. (This includes *BSD)

   Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the
   described bugs because the fileupload code was completly rewritten for 
   the 4.2.0 branch. 
   

Proof of Concept:

   e-matters is not going to release exploits for any of the discovered
   vulnerabilities to the public. 
   

Vendor Response:

   Because I am part of the php developer team there is not much I can
   write here...

   27th February 2002 - An updated version of php and the patch for
                        these vulnerabilities are now available at:
                        http://www.php.net/downloads.php
		

Recommendation:

   If you are running PHP 4.0.3 or above one way to workaround these 
   bugs is to disable the fileupload support within your php.ini 
   (file_uploads = Off) If you are running php as module keep in mind
   to restart the webserver. Anyway you should better install the 
   fixed or a properly patched version to be safe.
   
   
Sidenotice: 

   This advisory is so short because I don't want to give out more info
   than is needed.
   
   Users running the developer version of php (4.2.0-dev) are not 
   vulnerable to these bugs because the fileupload support was completly
   rewritten for that branch.


GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2002 Stefan Esser. All rights reserved.



--------------8514EABCD67DE96F3C2D3BA8--



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC