
[linux-security] php remote exploit



Topic
=====
Multiple vulnerabilities in PHP could allow a remote attacker to execute
arbitrary code with the privileges of the PHP process.

Problem Description
===================
PHP supports multipart/form-data POST requests, known as POST file uploads.
There are several flaws in the php_mime_split function that could be used
by an attacker to execute arbitrary code. It was found that not only PHP4
but also older versions from the PHP3 tree are vulnerable.

 The following is a list of bugs we found:

   PHP 3.10-3.18
      - broken boundary check    (hard to exploit)
      - arbitrary heap overflow  (easily exploitable)

   PHP 4.0.1-4.0.3pl1
      - broken boundary check    (hard to exploit)
      - heap off by one          (easily exploitable)

   PHP 4.0.2-4.0.5
      - 2 broken boundary checks (one very easy and one hard to exploit)

   PHP 4.0.6-4.0.7RC2
      - broken boundary check    (very easy to exploit)

   PHP 4.0.7RC3-4.1.1
      - broken boundary check    (hard to exploit)

Immediate action is strongly advised.

Workaround
==========
For php-4.0.3 and higher you can disable file uploads by setting
file_uploads = Off
in your php.ini file. If you are running PHP as a module, remember to
restart the web server so the change takes effect. In any case, you should
install the fixed or a properly patched version to be safe.
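The following audit helper is an added example and is not part of the original posting. It turns the two facts above into offline checks a defender can run over inventory data: whether a reported PHP version falls inside one of the affected ranges listed in the advisory, and whether a php.ini text actually disables file uploads the way PHP reads the directive (comments after ';', case-insensitive key, last occurrence wins, absent directive means the built-in default of uploads enabled). The version parser orders RC builds before the final release and pl builds after it, which is what the advisory's "4.0.6-4.0.7RC2" and "4.0.1-4.0.3pl1" ranges require. The advisory writes the PHP3 range as "3.10-3.18"; the example assumes this denotes 3.0.10 through 3.0.18 (an assumption, consistent with the php-3.0.18 packages in the Solution section). The sample php.ini excerpts are constructed for the demonstration.

```python
"""Offline audit helpers for the PHP file-upload advisory (added example)."""
import re

# One PHP version string -> sortable tuple. Ordering used here:
#   4.0.7RC2 < 4.0.7 < 4.0.7pl1   (RC pre-release < final < pl patch level)
_VER_RE = re.compile(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:(RC|pl)(\d+))?$', re.IGNORECASE)


def parse_version(text):
    """Parse strings like '4.0.7RC3', '4.0.3pl1' or '3.0.18' into a sortable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    major, minor, patch, tag, n = m.groups()
    rank = {None: 1, 'rc': 0, 'pl': 2}[tag.lower() if tag else None]
    return (int(major), int(minor), int(patch or 0), rank, int(n or 0))


# Affected ranges exactly as the advisory lists them. The PHP3 line is written
# "3.10-3.18" in the advisory; this example ASSUMES it means 3.0.10 .. 3.0.18.
AFFECTED_RANGES = [
    ("3.0.10", "3.0.18"),
    ("4.0.1", "4.0.3pl1"),
    ("4.0.2", "4.0.5"),
    ("4.0.6", "4.0.7RC2"),
    ("4.0.7RC3", "4.1.1"),
]


def is_affected_version(version):
    """True if the version lies inside any range the advisory lists as affected.

    A version outside every range is merely "not listed", not proven safe;
    versions above 4.1.1 are simply beyond what this advisory covers.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Values PHP's ini parser treats as boolean false; everything else is true.
_FALSE_VALUES = {"0", "off", "no", "false", "none", "null", ""}


def file_uploads_disabled(ini_text):
    """True if the effective file_uploads directive in ini_text turns uploads off.

    Mirrors PHP's reading of php.ini: ';' starts a comment, the key is
    case-insensitive, the last occurrence wins, and a missing directive
    leaves the built-in default (uploads enabled), so the result is False.
    """
    enabled = True  # PHP default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop comments
        if '=' not in line or line.startswith('['):  # skip sections/blank/junk
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if key.lower() != 'file_uploads':
            continue
        enabled = value.strip('"\'').lower() not in _FALSE_VALUES
    return not enabled


def audit(version, ini_text):
    """Combine both checks for one host; returns (affected, uploads_off, status)."""
    affected = is_affected_version(version)
    uploads_off = file_uploads_disabled(ini_text)
    if not affected:
        status = "version not in the advisory's affected ranges"
    elif uploads_off:
        status = "affected version; uploads disabled (workaround only, still patch)"
    else:
        status = "affected version with uploads enabled: patch immediately"
    return affected, uploads_off, status


# Constructed php.ini excerpts for the demonstration (not from the posting).
SAMPLE_DEFAULT_INI = """
[PHP]
; File uploads left at the built-in default (enabled)
;file_uploads = Off
upload_max_filesize = 2M
"""

SAMPLE_HARDENED_INI = """
[PHP]
file_uploads = On
File_Uploads = Off   ; later occurrence wins, as in PHP: workaround applied
"""

if __name__ == "__main__":
    for ver, ini in (("4.0.6", SAMPLE_DEFAULT_INI), ("4.0.6", SAMPLE_HARDENED_INI),
                     ("4.0.7RC2", SAMPLE_DEFAULT_INI), ("3.0.9", SAMPLE_DEFAULT_INI)):
        print(ver, "->", audit(ver, ini)[2])
```

The version check only reports what the advisory lists; treat "not in the affected ranges" as a prompt to confirm against the vendor packages in the Solution section rather than as a clean bill of health, and remember that disabling uploads is a stop-gap, not a fix.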

Solution
========

RedHat 6.x
----------
rpm -Fvh php-3.0.18-8.i386.rpm \
         php-manual-3.0.18-8.i386.rpm \
         php-pgsql-3.0.18-8.i386.rpm \
         php-imap-3.0.18-8.i386.rpm \
         php-ldap-3.0.18-8.i386.rpm

RedHat 7.0
----------
rpm -Fvh php-4.0.6-9.7.0.i386.rpm \
         php-devel-4.0.6-9.7.0.i386.rpm \
         php-imap-4.0.6-9.7.0.i386.rpm \
         php-ldap-4.0.6-9.7.0.i386.rpm \
         php-manual-4.0.6-9.7.0.i386.rpm \
         php-mysql-4.0.6-9.7.0.i386.rpm \
         php-pgsql-4.0.6-9.7.0.i386.rpm

RedHat 7.1
----------
rpm -Fvh php-4.0.6-9.7.1.i386.rpm \
         php-devel-4.0.6-9.7.1.i386.rpm \
         php-imap-4.0.6-9.7.1.i386.rpm \
         php-ldap-4.0.6-9.7.1.i386.rpm \
         php-manual-4.0.6-9.7.1.i386.rpm \
         php-mysql-4.0.6-9.7.1.i386.rpm \
         php-pgsql-4.0.6-9.7.1.i386.rpm

RedHat 7.2
----------
rpm -Fvh php-4.0.6-12.i386.rpm \
         php-devel-4.0.6-12.i386.rpm \
         php-imap-4.0.6-12.i386.rpm \
         php-ldap-4.0.6-12.i386.rpm \
         php-manual-4.0.6-12.i386.rpm \
         php-mysql-4.0.6-12.i386.rpm \
         php-odbc-4.0.6-12.i386.rpm \
         php-pgsql-4.0.6-12.i386.rpm

Mandrake 7.1
------------
rpm -Fvh php-4.0.6-5.8mdk.i586.rpm \
         php-common-4.0.6-5.8mdk.i586.rpm \
         php-devel-4.0.6-5.8mdk.i586.rpm
         
Mandrake 7.2
------------
rpm -Fvh php-4.0.6-5.7mdk.i586.rpm \
         php-common-4.0.6-5.7mdk.i586.rpm \
         php-devel-4.0.6-5.7mdk.i586.rpm

Mandrake 8.0
------------
rpm -Fvh php-4.0.6-5.6mdk.i586.rpm \
         php-common-4.0.6-5.6mdk.i586.rpm \
         php-devel-4.0.6-5.6mdk.i586.rpm

Mandrake 8.1
------------
rpm -Fvh php-4.0.6-5.5mdk.i586.rpm \
         php-common-4.0.6-5.5mdk.i586.rpm \
         php-devel-4.0.6-5.5mdk.i586.rpm