From: "Van Beerschoten, Stephan"
To: "'security@freebsd.org'", "'isp@freebsd.org'", "'ports@freebsd.org'"
Subject: FW: HEADS UP: Security Alert For Apache / PHP Webservers
Date: Wed, 27 Feb 2002 14:14:24 -0000
Sender: owner-freebsd-security@FreeBSD.ORG

I usually don't mail from my corporate account, but this needs some fast fixing on almost all FreeBSD/apache/php servers.
-Stephan

> -----Original Message-----
> From: Bandell, Yaron
> Sent: Wednesday, 27 February 2002 15:12
> To: Van Beerschoten, Stephan
> Subject: FW: HEADS UP: Security Alert For Apache / PHP Webservers
>
>
> Damn, this time it's not an IIS buffer overflow exploit :(
>
> -----Original Message-----
> From: Boyce, Nick
> Sent: Wednesday, 27 February 2002 14:40
> To: EMEA WebMaster
> Subject: HEADS UP: Security Alert For Apache / PHP Webservers
>
> Security Alert - Apache/PHP - Release Date 27.Feb.2002 - Severe
>
> A security alert has been released relating to a remotely exploitable
> security hole in PHP, and information is circulating on public mailing
> lists about methods & tools for exploiting the hole. The problem is not
> in Apache itself, but in the optional PHP scripting module. This module
> is widely used by Apache sites (it's the equivalent of IIS/ASP for Apache
> sites), but is not always installed.
>
> The hole (holes actually - there are multiple problems) is/are serious and
> allow(s) remote compromise (of the user running the webserver - maybe of
> root - it's not immediately clear to me). A fixed version of PHP has been
> produced and is available from http://www.php.net.
>
> Full details are at http://security.e-matters.de/advisories/012002.html,
> but here's an extract :
>
> Overview
>
> We found several flaws in the way PHP handles multipart/form-data
> POST requests. Each of the flaws could allow an attacker to execute
> arbitrary code on the victim's system.
>
>
> Details
>
> PHP supports multipart/form-data POST requests (as described in
> RFC1867) known as POST fileuploads. Unfortunately there are several flaws
> in the php_mime_split function that could be used by an attacker to
> execute arbitrary code. During our research we found out that not only
> PHP4 but also older versions from the PHP3 tree are vulnerable.
> [snip]
> Finally I want to mention that most of these vulnerabilities are
> exploitable only on linux or solaris.
> But the heap off by one is only
> exploitable on x86 architecture and the arbitrary heap overflow in PHP3 is
> exploitable on most OS and architectures. (This includes *BSD)
>
>
> Nick
> EDS Southwest Solution Centre, Bristol, UK
> Internet email: nick.boyce@eds.com | tel: +44 117 989 2941