From: Rodolfo Gonzalez
Date: Tue, 23 Jul 2002 13:47:06 -0500 (CDT)
To: freebsd-questions@freebsd.org
Subject: CROSSPOST: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 (fwd)

Ok, some asked for clarification on the security issue with PHP, so I'm doing this cross-post from a PHP list with the official announcement. My apologies for the cross-post.
---------- Forwarded message ----------
Date: Mon, 22 Jul 2002 16:49:01 +0300
From: Marko Karppinen
To: php-general@lists.php.net, PHP-DEV, php-announce@lists.php.net
Subject: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All

The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.

Description

PHP contains code for intelligently parsing the headers of HTTP POST requests. The code is used to differentiate between variables and files sent by the user agent in a "multipart/form-data" request. This parser has insufficient input checking, leading to the vulnerability. The vulnerability is exploitable by anyone who can send HTTP POST requests to an affected web server. Both local and remote users, even from behind firewalls, may be able to gain privileged access.

Impact

Both local and remote users may exploit this vulnerability to compromise the web server and, under certain conditions, to gain privileged access. So far only the IA32 platform has been verified to be safe from the execution of arbitrary code. The vulnerability can still be used on IA32 to crash PHP and, in most cases, the web server.

Solution

The PHP Group has released a new PHP version, 4.2.2, which incorporates a fix for the vulnerability. All users of affected PHP versions are encouraged to upgrade to this latest version. The downloads web site at http://www.php.net/downloads.php has the new 4.2.2 source tarballs, Windows binaries and source patches from 4.2.0 and 4.2.1 available for download.
Workaround

If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server. In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file (the <Limit POST> container restricts the denial to the POST method; without it the two directives deny every request):

    <Limit POST>
    Order deny,allow
    Deny from all
    </Limit>

Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.

Credits

The PHP Group would like to thank Stefan Esser of e-matters GmbH for discovering this vulnerability.

Copyright (c) 2002 The PHP Group.

--
PHP General Mailing List (http://www.php.net/)
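The advisory's Description section says the flaw is "insufficient input checking" in the parser that splits a multipart/form-data POST into variables and files. The following block is an added example, not code from the PHP Group, the advisory, or the FreeBSD list; it shows the checks such a parser must perform on the boundary, the per-part headers, the part count and the part size, and rejects malformed bodies with an exception instead of reading past them. The size and count limits are assumed values, and the sample bodies (GOOD_BODY, TRUNCATED_BODY, NO_DISPOSITION_BODY) are constructed for the demonstration, not captured traffic.

```python
"""Strict multipart/form-data parser (added example, not PHP's own parser)."""
import re

MAX_PARTS = 64            # assumed limit: parts accepted per request
MAX_PART_BYTES = 1 << 20  # assumed limit: bytes of data per part
MAX_HEADER_BYTES = 4096   # assumed limit: bytes of headers per part

# RFC 2046 boundary: 1..70 characters from a restricted set, no trailing space
_BOUNDARY_RE = re.compile(rb"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")
_CONTENT_TYPE_RE = re.compile(rb'^multipart/form-data;\s*boundary="?([^";]+)"?\s*$', re.I)
_DISPOSITION_RE = re.compile(
    rb'^form-data;\s*name="([^"\r\n]*)"(?:;\s*filename="([^"\r\n]*)")?\s*$', re.I)


def parse_boundary(content_type):
    """Return the validated boundary from a Content-Type header value."""
    m = _CONTENT_TYPE_RE.match(content_type)
    if not m:
        raise ValueError("not a multipart/form-data content type")
    boundary = m.group(1)
    if not _BOUNDARY_RE.match(boundary) or boundary.endswith(b" "):
        raise ValueError("invalid boundary")
    return boundary


def _parse_part(part, max_part_bytes, max_header_bytes):
    """Split one part into (name, filename, data), checking every header line."""
    sep = part.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("part has no header/body separator")
    header_blob, data = part[:sep], part[sep + 4:]
    if len(header_blob) > max_header_bytes:
        raise ValueError("part headers too large")
    if len(data) > max_part_bytes:
        raise ValueError("part body too large")
    headers = {}
    for line in header_blob.split(b"\r\n"):
        if b":" not in line:
            raise ValueError("malformed header line")
        key, value = line.split(b":", 1)
        headers[key.strip().lower()] = value.strip()
    disposition = headers.get(b"content-disposition")
    if disposition is None:
        raise ValueError("part lacks Content-Disposition")
    m = _DISPOSITION_RE.match(disposition)
    if not m:
        raise ValueError("unsupported Content-Disposition")
    name = m.group(1).decode("latin-1")
    filename = m.group(2).decode("latin-1") if m.group(2) is not None else None
    return name, filename, data


def parse_multipart(content_type, body, max_parts=MAX_PARTS,
                    max_part_bytes=MAX_PART_BYTES, max_header_bytes=MAX_HEADER_BYTES):
    """Return [(name, filename, data), ...] or raise ValueError on malformed input."""
    delim = b"--" + parse_boundary(content_type)
    if not body.startswith(delim):
        raise ValueError("body does not start with the boundary delimiter")
    rest = body[len(delim):]
    parts = []
    while True:
        if rest.startswith(b"--"):          # closing delimiter: --boundary--
            return parts
        if not rest.startswith(b"\r\n"):
            raise ValueError("garbage after boundary delimiter")
        end = rest.find(b"\r\n" + delim, 2)  # next delimiter must exist; never run off the end
        if end < 0:
            raise ValueError("unterminated part: closing boundary missing")
        parts.append(_parse_part(rest[2:end], max_part_bytes, max_header_bytes))
        if len(parts) > max_parts:
            raise ValueError("too many parts")
        rest = rest[end + 2 + len(delim):]


def is_well_formed(content_type, body, **limits):
    """True if the request body parses under the given limits, False otherwise."""
    try:
        parse_multipart(content_type, body, **limits)
        return True
    except ValueError:
        return False


# Constructed sample request bodies (not captured traffic).
GOOD_CT = b"multipart/form-data; boundary=AaB03x"
GOOD_BODY = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="submitter"\r\n'
    b"\r\n"
    b"Larry\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="file"; filename="note.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--AaB03x--\r\n"
)
# The part is never closed: a lax parser keeps scanning for a boundary that is not there.
TRUNCATED_BODY = b'--AaB03x\r\nContent-Disposition: form-data; name="x"\r\n\r\nabc\r\n'
# Headers present but no Content-Disposition, so the part is neither a variable nor a file.
NO_DISPOSITION_BODY = b"--AaB03x\r\nContent-Type: text/plain\r\n\r\nabc\r\n--AaB03x--\r\n"

if __name__ == "__main__":
    for name, filename, data in parse_multipart(GOOD_CT, GOOD_BODY):
        print(name, filename, data)
    for label, body in (("truncated", TRUNCATED_BODY), ("no disposition", NO_DISPOSITION_BODY)):
        print(label, "accepted" if is_well_formed(GOOD_CT, body) else "rejected")
```

The design choice worth noting is that every failure path raises before any byte beyond the validated region is touched: the next delimiter is located first, and only the bytes between two known delimiters are handed to the part parser. The per-part limits are passed as arguments so a deployment can tighten them, which also makes the size check testable on a small body.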