SecurityTracker.com
Category:   Application (Web Server/CGI)  >   PHP
Vendors:   PHP Group
(Trustix Issues Fix) PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server
SecurityTracker Alert ID:  1003694
SecurityTracker URL:  http://securitytracker.com/id/1003694
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 28 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.10 - 3.18, 4.0.1 - 4.1.1
Description:   e-matters released a security advisory warning of multiple vulnerabilities in PHP. A remote user can execute arbitrary code on the web server.

It is reported that there are multiple flaws in the php_mime_split function that is used to process multipart/form-data POST requests.

The following flaws were reportedly identified. No technical details were provided.

In PHP 3.10-3.18, there is a broken boundary check that is apparently difficult to exploit and a heap overflow that is apparently easy to exploit.

In PHP 4.0.1-4.0.3pl1, there is a broken boundary check that is apparently difficult to exploit and a heap 'off by one' vulnerability that is apparently easy to exploit.

In PHP 4.0.2-4.0.5, there are reportedly two broken boundary checks (one very easy and one hard to exploit).

In PHP 4.0.6-4.0.7RC2, there is an easily exploitable broken boundary check.

In PHP 4.0.7RC3-4.1.1, there is a broken boundary check that is apparently difficult to exploit.

Impact:   A remote user can execute arbitrary code on the web server with the privileges of the web server.
Solution:   The vendor has released a fix, available at:

<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Vendor URL:  www.php.net/
Cause:   Boundary error
Underlying OS:   Linux (Trustix)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 27 2002 PHP File Upload Bugs Let Remote Users Execute Arbitrary Code on a PHP-enabled Web Server



 Source Message Contents

Date:  Thu, 28 Feb 2002 16:46:26 +0100
Subject:  TSLSA-2002-0033 - mod_php


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0033

Package name:      mod_php{3,4}
Summary:           Security fix
Date:              2002-02-28
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  The php-package in TSL 1.1 and 1.2 had the following issues:
  - broken boundary check (hard to exploit)
  - arbitrary heap overflow  (easily exploitable)
  These are now fixed. Also we upgraded from 3.0.17 to 3.0.18.
  The mod_php4 package in TSL 1.5 had the following issue:
  - broken boundary check (very easy to exploit, but not an issue in the
  default TSL configuration). This issue has also been addressed.

Action:
  We recommend that all systems with this package installed are upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0033-mod_phpX.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
e24fcaea112eb65d8bb0e83160714eb1  ./1.5/SRPMS/mod_php4-4.0.6-8tr.src.rpm
7b43397d31763a1606b1107e33592bc1  ./1.5/RPMS/mod_php4-pgsql-4.0.6-8tr.i586.rpm
87faf30b85be317a63b1269295c2f38b  ./1.5/RPMS/mod_php4-mysql-4.0.6-8tr.i586.rpm
0104ff0a8bda184e98e74b1a04612ae7  ./1.5/RPMS/mod_php4-ldap-4.0.6-8tr.i586.rpm
2203998823278dfd7feff06e1d769be1  ./1.5/RPMS/mod_php4-4.0.6-8tr.i586.rpm
4d79a20eb7fbcbb563d1849e332face5  ./1.2/SRPMS/mod_php3-3.0.18-1tr.src.rpm
9b9d54dba3a2ae38839df03efd97e128  ./1.2/RPMS/mod_php3-3.0.18-1tr.i586.rpm
4d79a20eb7fbcbb563d1849e332face5  ./1.1/SRPMS/mod_php3-3.0.18-1tr.src.rpm
b0a7ad2cbfda114a4c4fc993128609bd  ./1.1/RPMS/mod_php3-3.0.18-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8fjv0wRTcg4BxxS0RAix9AJ9v8SIVBTUFcqYvhSntBFh1NcmE1wCfaKbB
brzjYGrmwzUGUvruzWy85ps=
=ie0j
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo.cgi/tsl-announce
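
The "Verification" and "MD5sums of the packages" sections above, as an added example (not Trustix or SecurityTracker code): it reads the checksum table only from the signed region of the clearsigned advisory and checks a local mirror tree against it. It assumes `gpg --verify` has already succeeded on the advisory text; the package names, contents and hashes in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ENTRY = re.compile(r"^([0-9a-f]{32})\s+(\./\S+\.rpm)$")

def signed_body(clearsigned):
    """Lines covered by the signature only: armor headers skipped, dash-escaping undone."""
    lines = clearsigned.splitlines()
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    first = lines.index("", lines.index("-----BEGIN PGP SIGNED MESSAGE-----")) + 1
    return [l[2:] if l.startswith("- ") else l for l in lines[first:end]]

def extract_manifest(clearsigned):
    """Map package path -> expected MD5; text outside the signed region is ignored."""
    found = (ENTRY.match(l.strip()) for l in signed_body(clearsigned))
    return {m.group(2): m.group(1) for m in found if m}

def check_packages(manifest, root):
    """Classify each listed package as ok, MISMATCH, missing or rejected."""
    root, results = Path(root).resolve(), {}
    for rel, expected in manifest.items():
        path = (root / rel).resolve()
        if root not in path.parents:        # path climbs out of the mirror tree
            results[rel] = "rejected"
        elif not path.is_file():
            results[rel] = "missing"
        else:
            actual = hashlib.md5(path.read_bytes()).hexdigest()
            results[rel] = "ok" if actual == expected else "MISMATCH"
    return results

def demo():  # constructed mirror tree and advisory; names and contents are made up
    md5 = lambda b: hashlib.md5(b).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        rpms = Path(tmp, "1.5", "RPMS")
        rpms.mkdir(parents=True)
        (rpms / "example-a.rpm").write_bytes(b"package A")
        (rpms / "example-b.rpm").write_bytes(b"package B, altered in transit")
        advisory = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
            "- " + "-" * 20,                 # dash-escaped separator line
            md5(b"package A") + "  ./1.5/RPMS/example-a.rpm",
            md5(b"package B") + "  ./1.5/RPMS/example-b.rpm",
            md5(b"package C") + "  ./1.5/RPMS/example-c.rpm",
            "-----BEGIN PGP SIGNATURE-----", "(placeholder)", "-----END PGP SIGNATURE-----",
            md5(b"extra") + "  ./1.5/RPMS/unsigned-extra.rpm"])  # appended after signature
        return check_packages(extract_manifest(advisory), tmp)
```

The advisory states that the packages themselves are signed with the same key, so the package signature is the stronger check; the MD5 table mainly catches truncated or corrupted downloads.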


 
 



Copyright 2013, SecurityGlobal.net LLC