Date: Tue, 23 Jul 2002 11:31:51 -0700 From: "chris" <lists@powernet.net> To: <freebsd-questions@freebsd.org> Subject: Vulnerability in PHP Clarification? Message-ID: <007a01c23277$371ade80$a701a8c0@reno.powernet.net>
next in thread | raw e-mail | index | archive | help
Can anyone clarify this a bit? I see that they state that 4.2.0 and 4.2.1 are vulnerable. If you goto the link provided http://security.e-matters.de/advisories/012002.html It states that the older versions are vulnerable and that the 4.2 tree is not affected. Not to mention that link is dated 5months old! What is right? -Chris ----- Original Message ----- From: "CERT Advisory" <cert-advisory@cert.org> To: <cert-advisory@cert.org> Sent: Monday, July 22, 2002 4:09 PM Subject: CERT Advisory CA-2002-21 Vulnerability in PHP > > > -----BEGIN PGP SIGNED MESSAGE----- > > CERT Advisory CA-2002-21 Vulnerability in PHP > > Original release date: July 22, 2002 > Last revised: -- > Source: CERT/CC > > A complete revision history can be found at the end of this file. > > Systems Affected > > * Systems running PHP versions 4.2.0 or 4.2.1 > > Overview > > A vulnerability has been discovered in PHP. This vulnerability could > be used by a remote attacker to execute arbitrary code or crash PHP > and/or the web server. > > I. Description > > PHP is a popular scripting language in widespread use. For more > information about PHP, see > > http://www.php.net/manual/en/faq.general.php > > The vulnerability occurs in the portion of PHP code responsible for > handling file uploads, specifically multipart/form-data. By sending a > specially crafted POST request to the web server, an attacker can > corrupt the internal data structures used by PHP. Specifically, an > intruder can cause an improperly initialized memory structure to be > freed. In most cases, an intruder can use this flaw to crash PHP or > the web server. Under some circumstances, an intruder may be able to > take advantage of this flaw to execute arbitrary code with the > privileges of the web server. > > You may be aware that freeing memory at inappropriate times in some > implementations of malloc and free does not usually result in the > execution of arbitrary code. However, because PHP utilizes its own > memory management system, the implementation of malloc and free is > irrelevant to this problem. > > Stefan Esser of e-matters GmbH has indicated that intruders cannot > execute code on x86 systems. However, we encourage system > administrators to apply patches on x86 systems as well to guard > against denial-of-service attacks and as-yet-unknown attack techniques > that may permit the execution of code on x86 architectures. > > This vulnerability was discovered by e-matters GmbH and is described > in detail in their advisory. The PHP Group has also issued an > advisory. A list of vendors contacted by the CERT/CC and their status > regarding this vulnerability is available in VU#929115. > > Although this vulnerability only affects PHP 4.2.0 and 4.2.1, > e-matters GmbH has previously identified vulnerabilities in older > versions of PHP. If you are running older versions of PHP, we > encourage you to review > http://security.e-matters.de/advisories/012002.html > > II. Impact > > A remote attacker can execute arbitrary code on a vulnerable system. > An attacker may not be able to execute code on x86 architectures due > to the way the stack is structured. However, an attacker can leverage > this vulnerability to crash PHP and/or the web server running on an > x86 architecture. > > III. Solution > > Apply a patch from your vendor > > Appendix A contains information provided by vendors for this advisory. > As vendors report new information to the CERT/CC, we will update this > section and note the changes in our revision history. If a particular > vendor is not listed below, we have not received their comments. > Please contact your vendor directly. > > Upgrade to the latest version of PHP > > If a patch is not available from your vendor, upgrade to version > 4.2.2. > > Deny POST requests > > Until patches or an update can be applied, you may wish to deny POST > requests. The following workaround is taken from the PHP Security > Advisory: > > If the PHP applications on an affected web server do not rely on > HTTP POST input from user agents, it is often possible to deny POST > requests on the web server. > > In the Apache web server, for example, this is possible with the > following code included in the main configuration file or a > top-level .htaccess file: > > <Limit POST> > Order deny,allow > Deny from all > </Limit> > > Note that an existing configuration and/or .htaccess file may have > parameters contradicting the example given above. > > Disable vulnerable service > > Until you can upgrade or apply patches, you may wish to disable PHP. > As a best practice, the CERT/CC recommends disabling all services that > are not explicitly required. Before deciding to disable PHP, carefully > consider your service requirements. > > Appendix A. - Vendor Information > > This appendix contains information provided by vendors for this > advisory. As vendors report new information to the CERT/CC, we will > update this section and note the changes in our revision history. If a > particular vendor is not listed below, we have not received their > comments. > > Apple Computer Inc. > > Mac OS X and Mac OS X Server are shipping with PHP version > 4.1.2 which does not contain the vulnerability described in > this alert. > > Caldera > > Caldera OpenLinux does not provide either vulnerable version > (4.2.0, 4.2.1) of PHP in their products. Therefore, Caldera > products are not vulnerable to this issue. > > Compaq Computer Corporation > > SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary > of Hewlett-Packard Company and Hewlett-Packard Company HP > Services Software Security Response Team > x-ref: SSRT2300 php post requests > At the time of writing this document, Compaq is currently > investigating the potential impact to Compaq's released > Operating System software products. > As further information becomes available Compaq will provide > notice of the availability of any necessary patches through > standard security bulletin announcements and be available from > your normal HP Services supportchannel. > > Cray Inc. > > Cray, Inc. does not supply PHP on any of its systems. > > Debian > > Debian GNU/Linux stable aka 3.0 is not vulnerable. > Debian GNU/Linux testing is not vulnerable. > Debian GNU/Linux unstable is vulnerable. > The problem effects PHP versions 4.2.0 and 4.2.1. Woody ships > an older version of PHP (4.1.2), that doesn't contain the > vulnerable function. > > FreeBSD > > FreeBSD does not include any version of PHP by default, and so > is not vulnerable; however, the FreeBSD Ports Collection does > contain the PHP4 package. Updates to the PHP4 package are in > progress and a corrected package will be available in the near > future. > > Guardian Digital > > Guardian Digital has not shipped PHP 4.2.x in any versions of > EnGarde, therefore we are not believed to be vulnerable at this > time. > > Hewlett-Packard Company > > SOURCE: Hewlett-Packard Company Security Response Team > At the time of writing this document, Hewlett Packard is > currently investigating the potential impact to HP's released > Operating System software products. > As further information becomes available HP will provide notice > of the availability of any necessary patches through standard > security bulletin announcements and be available from your > normal HP Services support channel. > > IBM > > IBM is not vulnerable to the above vulnerabilities in PHP. We > do supply the PHP packages for AIX through the AIX Toolbox for > Linux Applications. However, these packages are at 4.0.6 and > also incorporate the security patch from 2/27/2002. > > Mandrakesoft > > Mandrake Linux does not ship with PHP version 4.2.x and as such > is not vulnerable. The Mandrake Linux cooker does currently > contain PHP 4.2.1 and will be updated shortly, but cooker > should not be used in a production environment and no advisory > will be issued. > > Microsoft Corporation > > Microsoft products are not affected by the issues detailed in > this advisory. > > Network Appliance > > No Netapp products are vulnerable to this. > > Red Hat Inc. > > None of our commercial releases ship with vulnerable versions > of PHP (4.2.0, 4.2.1). > > SuSE Inc. > > SuSE Linux is not vulnerable to this problem, as we do not ship > PHP 4.2.x. > _________________________________________________________________ > > The CERT/CC acknowledges e-matters GmbH for discovering and reporting > this vulnerability. > _________________________________________________________________ > > Author: Ian A. Finlay. > ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2002-21.html > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: cert@cert.org > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / > EDT(GMT-4) Monday through Friday; they are on call for emergencies > during other hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by email. > Our public PGP key is available from > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for more > information. > > Getting security information > > CERT publications and other security information are available from > our web site > http://www.cert.org/ > > To subscribe to the CERT mailing list for advisories and bulletins, > send email to majordomo@cert.org. Please include in the body of your > message > > subscribe cert-advisory > > * "CERT" and "CERT Coordination Center" are registered in the U.S. > Patent and Trademark Office. > ______________________________________________________________________ > > NO WARRANTY > Any material furnished by Carnegie Mellon University and the Software > Engineering Institute is furnished on an "as is" basis. Carnegie > Mellon University makes no warranties of any kind, either expressed or > implied as to any matter including, but not limited to, warranty of > fitness for a particular purpose or merchantability, exclusivity or > results obtained from use of the material. Carnegie Mellon University > does not make any warranty of any kind with respect to freedom from > patent, trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2002 Carnegie Mellon University. > > Revision History > July 22, 2002: Initial release > > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > > iQCVAwUBPTyOVqCVPMXQI2HJAQGK6QQAp1rR7K18PNxpQZvqKPYWxyrtpiT8mmKN > UuyERmOoX+5MAwH0hbAWCvVcyLH0gKGbTpBkRgToT8IEHZojwHCzqOaMM9kni/FG > QEVeznLfBX4GIgZGPu0XWlph3ZqaayWln57eGueYZ26zBuriIUu2cUCmyYGQkqlI > tuZdnDqUmR0= > =+829 > -----END PGP SIGNATURE----- > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?007a01c23277$371ade80$a701a8c0>