Date: Tue, 23 Jul 2002 12:32:12 -0600
From: Jason Porter <leporter@xmission.com>
To: chris <lists@powernet.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Vulnerability in PHP Clarification?
Message-ID: <3D3DA12C.30001@xmission.com>
References: <007a01c23277$371ade80$a701a8c0@reno.powernet.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.php.net has a security warning posted on their site. It
affects 4.2.0 and 4.2.1. An update to 4.2.2 is highly recommended.

chris wrote:
| Can anyone clarify this a bit? I see that they state that 4.2.0 and 4.2.1
| are vulnerable.
| If you go to the link provided
| http://security.e-matters.de/advisories/012002.html
| It states that the older versions are vulnerable and that the 4.2 tree is
| not affected.
| Not to mention that link is dated 5 months old!
| What is right?
|
| -Chris
|
|
| ----- Original Message -----
| From: "CERT Advisory" <cert-advisory@cert.org>
| To: <cert-advisory@cert.org>
| Sent: Monday, July 22, 2002 4:09 PM
| Subject: CERT Advisory CA-2002-21 Vulnerability in PHP
|
|
|>
|>-----BEGIN PGP SIGNED MESSAGE-----
|>
|>CERT Advisory CA-2002-21 Vulnerability in PHP
|>
|>   Original release date: July 22, 2002
|>   Last revised: --
|>   Source: CERT/CC
|>
|>   A complete revision history can be found at the end of this file.
|>
|>Systems Affected
|>
|>     * Systems running PHP versions 4.2.0 or 4.2.1
|>
|>Overview
|>
|>   A vulnerability has been discovered in PHP. This vulnerability could
|>   be used by a remote attacker to execute arbitrary code or crash PHP
|>   and/or the web server.
|>
|>I. Description
|>
|>   PHP is a popular scripting language in widespread use. For more
|>   information about PHP, see
|>
|>   http://www.php.net/manual/en/faq.general.php
|>
|>   The vulnerability occurs in the portion of PHP code responsible for
|>   handling file uploads, specifically multipart/form-data. By sending a
|>   specially crafted POST request to the web server, an attacker can
|>   corrupt the internal data structures used by PHP. Specifically, an
|>   intruder can cause an improperly initialized memory structure to be
|>   freed. In most cases, an intruder can use this flaw to crash PHP or
|>   the web server. Under some circumstances, an intruder may be able to
|>   take advantage of this flaw to execute arbitrary code with the
|>   privileges of the web server.
|>
|>   You may be aware that freeing memory at inappropriate times in some
|>   implementations of malloc and free does not usually result in the
|>   execution of arbitrary code. However, because PHP utilizes its own
|>   memory management system, the implementation of malloc and free is
|>   irrelevant to this problem.
|>
|>   Stefan Esser of e-matters GmbH has indicated that intruders cannot
|>   execute code on x86 systems. However, we encourage system
|>   administrators to apply patches on x86 systems as well to guard
|>   against denial-of-service attacks and as-yet-unknown attack techniques
|>   that may permit the execution of code on x86 architectures.
|>
|>   This vulnerability was discovered by e-matters GmbH and is described
|>   in detail in their advisory. The PHP Group has also issued an
|>   advisory. A list of vendors contacted by the CERT/CC and their status
|>   regarding this vulnerability is available in VU#929115.
|>
|>   Although this vulnerability only affects PHP 4.2.0 and 4.2.1,
|>   e-matters GmbH has previously identified vulnerabilities in older
|>   versions of PHP. If you are running older versions of PHP, we
|>   encourage you to review
|>   http://security.e-matters.de/advisories/012002.html
|>
|>II. Impact
|>
|>   A remote attacker can execute arbitrary code on a vulnerable system.
|>   An attacker may not be able to execute code on x86 architectures due
|>   to the way the stack is structured. However, an attacker can leverage
|>   this vulnerability to crash PHP and/or the web server running on an
|>   x86 architecture.
|>
|>III. Solution
|>
|>Apply a patch from your vendor
|>
|>   Appendix A contains information provided by vendors for this advisory.
|>   As vendors report new information to the CERT/CC, we will update this
|>   section and note the changes in our revision history. If a particular
|>   vendor is not listed below, we have not received their comments.
|>   Please contact your vendor directly.
|>
|>Upgrade to the latest version of PHP
|>
|>   If a patch is not available from your vendor, upgrade to version
|>   4.2.2.
|>
|>Deny POST requests
|>
|>   Until patches or an update can be applied, you may wish to deny POST
|>   requests. The following workaround is taken from the PHP Security
|>   Advisory:
|>
|>     If the PHP applications on an affected web server do not rely on
|>     HTTP POST input from user agents, it is often possible to deny POST
|>     requests on the web server.
|>
|>     In the Apache web server, for example, this is possible with the
|>     following code included in the main configuration file or a
|>     top-level .htaccess file:
|>
|>       <Limit POST>
|>       Order deny,allow
|>       Deny from all
|>       </Limit>
|>
|>     Note that an existing configuration and/or .htaccess file may have
|>     parameters contradicting the example given above.
|>
|>Disable vulnerable service
|>
|>   Until you can upgrade or apply patches, you may wish to disable PHP.
|>   As a best practice, the CERT/CC recommends disabling all services that
|>   are not explicitly required. Before deciding to disable PHP, carefully
|>   consider your service requirements.
|>
|>Appendix A. - Vendor Information
|>
|>   This appendix contains information provided by vendors for this
|>   advisory. As vendors report new information to the CERT/CC, we will
|>   update this section and note the changes in our revision history. If a
|>   particular vendor is not listed below, we have not received their
|>   comments.
|>
|>Apple Computer Inc.
|>
|>   Mac OS X and Mac OS X Server are shipping with PHP version
|>   4.1.2 which does not contain the vulnerability described in
|>   this alert.
|>
|>Caldera
|>
|>   Caldera OpenLinux does not provide either vulnerable version
|>   (4.2.0, 4.2.1) of PHP in their products. Therefore, Caldera
|>   products are not vulnerable to this issue.
|>
|>Compaq Computer Corporation
|>
|>   SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary
|>   of Hewlett-Packard Company and Hewlett-Packard Company HP
|>   Services Software Security Response Team
|>   x-ref: SSRT2300 php post requests
|>   At the time of writing this document, Compaq is currently
|>   investigating the potential impact to Compaq's released
|>   Operating System software products.
|>   As further information becomes available Compaq will provide
|>   notice of the availability of any necessary patches through
|>   standard security bulletin announcements and be available from
|>   your normal HP Services support channel.
|>
|>Cray Inc.
|>
|>   Cray, Inc. does not supply PHP on any of its systems.
|>
|>Debian
|>
|>   Debian GNU/Linux stable aka 3.0 is not vulnerable.
|>   Debian GNU/Linux testing is not vulnerable.
|>   Debian GNU/Linux unstable is vulnerable.
|>   The problem affects PHP versions 4.2.0 and 4.2.1. Woody ships
|>   an older version of PHP (4.1.2), that doesn't contain the
|>   vulnerable function.
|>
|>FreeBSD
|>
|>   FreeBSD does not include any version of PHP by default, and so
|>   is not vulnerable; however, the FreeBSD Ports Collection does
|>   contain the PHP4 package. Updates to the PHP4 package are in
|>   progress and a corrected package will be available in the near
|>   future.
|>
|>Guardian Digital
|>
|>   Guardian Digital has not shipped PHP 4.2.x in any versions of
|>   EnGarde, therefore we are not believed to be vulnerable at this
|>   time.
|>
|>Hewlett-Packard Company
|>
|>   SOURCE: Hewlett-Packard Company Security Response Team
|>   At the time of writing this document, Hewlett Packard is
|>   currently investigating the potential impact to HP's released
|>   Operating System software products.
|>   As further information becomes available HP will provide notice
|>   of the availability of any necessary patches through standard
|>   security bulletin announcements and be available from your
|>   normal HP Services support channel.
|>
|>IBM
|>
|>   IBM is not vulnerable to the above vulnerabilities in PHP. We
|>   do supply the PHP packages for AIX through the AIX Toolbox for
|>   Linux Applications. However, these packages are at 4.0.6 and
|>   also incorporate the security patch from 2/27/2002.
|>
|>Mandrakesoft
|>
|>   Mandrake Linux does not ship with PHP version 4.2.x and as such
|>   is not vulnerable. The Mandrake Linux cooker does currently
|>   contain PHP 4.2.1 and will be updated shortly, but cooker
|>   should not be used in a production environment and no advisory
|>   will be issued.
|>
|>Microsoft Corporation
|>
|>   Microsoft products are not affected by the issues detailed in
|>   this advisory.
|>
|>Network Appliance
|>
|>   No Netapp products are vulnerable to this.
|>
|>Red Hat Inc.
|>
|>   None of our commercial releases ship with vulnerable versions
|>   of PHP (4.2.0, 4.2.1).
|>
|>SuSE Inc.
|>
|>   SuSE Linux is not vulnerable to this problem, as we do not ship
|>   PHP 4.2.x.
|>   _________________________________________________________________
|>
|>   The CERT/CC acknowledges e-matters GmbH for discovering and reporting
|>   this vulnerability.
|>   _________________________________________________________________
|>
|>   Author: Ian A. Finlay.
|>   ______________________________________________________________________
|>
|>   This document is available from:
|>   http://www.cert.org/advisories/CA-2002-21.html
|>   ______________________________________________________________________
|>
|>CERT/CC Contact Information
|>
|>   Email: cert@cert.org
|>   Phone: +1 412-268-7090 (24-hour hotline)
|>   Fax: +1 412-268-6989
|>   Postal address:
|>          CERT Coordination Center
|>          Software Engineering Institute
|>          Carnegie Mellon University
|>          Pittsburgh PA 15213-3890
|>          U.S.A.
|>
|>   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
|>   EDT(GMT-4) Monday through Friday; they are on call for emergencies
|>   during other hours, on U.S. holidays, and on weekends.
|>
|>Using encryption
|>
|>   We strongly urge you to encrypt sensitive information sent by email.
|>   Our public PGP key is available from
|>   http://www.cert.org/CERT_PGP.key
|>
|>   If you prefer to use DES, please call the CERT hotline for more
|>   information.
|>
|>Getting security information
|>
|>   CERT publications and other security information are available from
|>   our web site
|>   http://www.cert.org/
|>
|>   To subscribe to the CERT mailing list for advisories and bulletins,
|>   send email to majordomo@cert.org. Please include in the body of your
|>   message
|>
|>   subscribe cert-advisory
|>
|>   * "CERT" and "CERT Coordination Center" are registered in the U.S.
|>   Patent and Trademark Office.
|>   ______________________________________________________________________
|>
|>   NO WARRANTY
|>   Any material furnished by Carnegie Mellon University and the Software
|>   Engineering Institute is furnished on an "as is" basis. Carnegie
|>   Mellon University makes no warranties of any kind, either expressed or
|>   implied as to any matter including, but not limited to, warranty of
|>   fitness for a particular purpose or merchantability, exclusivity or
|>   results obtained from use of the material. Carnegie Mellon University
|>   does not make any warranty of any kind with respect to freedom from
|>   patent, trademark, or copyright infringement.
|>   _________________________________________________________________
|>
|>   Conditions for use, disclaimers, and sponsorship information
|>
|>   Copyright 2002 Carnegie Mellon University.
|>
|>   Revision History
|>July 22, 2002: Initial release
|>
|>
|>
|>
|>-----BEGIN PGP SIGNATURE-----
|>Version: PGP 6.5.8
|>
|>iQCVAwUBPTyOVqCVPMXQI2HJAQGK6QQAp1rR7K18PNxpQZvqKPYWxyrtpiT8mmKN
|>UuyERmOoX+5MAwH0hbAWCvVcyLH0gKGbTpBkRgToT8IEHZojwHCzqOaMM9kni/FG
|>QEVeznLfBX4GIgZGPu0XWlph3ZqaayWln57eGueYZ26zBuriIUu2cUCmyYGQkqlI
|>tuZdnDqUmR0=
|>=+829
|>-----END PGP SIGNATURE-----
|>
|
|
|
| To Unsubscribe: send mail to majordomo@FreeBSD.org
| with "unsubscribe freebsd-questions" in the body of the message
|

- --
- -Jason Porter
"Real programmers are secure enough to write readable code, which they
then self-righteously refuse to explain."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9PaErYV2rputn/eARAotHAJ0QvP/EfphY18HaT1HRCDwpGT2pqwCfX036
9yX+r2APVOWT2SGJtS9Lfr8=
=5rw1
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
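The two things an administrator can act on from the quoted advisory, short of patching, are the version check (only 4.2.0 and 4.2.1 are listed as affected; 4.2.2 is the fix) and the Apache <Limit POST> workaround. The script below is an added example, not code from this thread, from CERT/CC or from the PHP Group: it triages a host from two HTTP responses (a GET and a POST), reads the PHP version out of the X-Powered-By header and treats a 403 on POST as evidence that POST is being denied. The responses it runs on are constructed inline so it works offline; against a real host they would come from the actual GET and POST. It assumes the server exposes its version in that header (PHP's expose_php ini setting on); a hidden or spoofed header yields "unknown-version", which should be read as "check by hand", not "safe", and a 403 on POST is consistent with the workaround but does not prove it is the cause.

```python
import re

# Releases named as affected in CERT Advisory CA-2002-21.
AFFECTED_VERSIONS = {(4, 2, 0), (4, 2, 1)}

# Constructed sample responses (assumption: not captured from any real host).
# The GET exposes the PHP version; the POST is answered the way Apache's
# <Limit POST> / Deny from all workaround answers it.
SAMPLE_GET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.26 (Unix)\r\n"
    "X-Powered-By: PHP/4.2.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>ok</html>"
)
SAMPLE_POST_DENIED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/1.3.26 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Forbidden</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" header line
            headers.append((name.strip(), value.strip()))
    return int(parts[1]), headers


def php_version(headers):
    """Return the PHP version as an int tuple from X-Powered-By, or None if hidden.

    Tuples compare numerically, so 4.2.10 sorts after 4.2.2, unlike strings.
    """
    for name, value in headers:
        if name.lower() == "x-powered-by":
            m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", value)
            if m:
                return tuple(int(g) for g in m.groups())
    return None


def is_affected(version):
    """True only for the two releases the advisory lists; 4.1.x and 4.2.2+ are not."""
    return version in AFFECTED_VERSIONS


def assess(raw_get, raw_post):
    """Combine version exposure and the POST-denied check into one verdict.

    Verdicts: unknown-version, not-affected, affected-post-denied, affected-exposed.
    """
    _, get_headers = parse_response(raw_get)
    post_status, _ = parse_response(raw_post)
    version = php_version(get_headers)
    if version is None:
        return "unknown-version"        # header hidden: do not assume safe
    if not is_affected(version):
        return "not-affected"
    if post_status == 403:
        return "affected-post-denied"   # workaround appears to be in place
    return "affected-exposed"           # vulnerable build and POST still reachable


if __name__ == "__main__":
    print(assess(SAMPLE_GET, SAMPLE_POST_DENIED))
```

Run against a real host, the natural next step is to send the POST with a multipart/form-data Content-Type, since that is the request class the advisory says reaches the faulty code path; anything other than a 403 on it means the <Limit POST> workaround is not covering the vhost or directory being tested.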