Mailing List Archive

PHP Exploit
Sorry if this was already posted, but this is a serious vulnerability given
the widespread use of PHP and the plenty of people that have it on by
default but don't actually use it.

For those that are familiar with http://www.apachetoolbox.com, a build tool
for Apache, it was patched at 8:46 this morning:

v1.5.59 07/22/02
PDFLib patch sent in by Dominique Massonie. Updated PHP
to v4.2.2.

Vulnerability text from the PHP site:

http://www.php.net/release_4_2_2.php

Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All


The PHP Group has learned of a serious security vulnerability in PHP
versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code
with the privileges of the web server. This vulnerability may be exploited
to compromise the web server and, under certain conditions, to gain
privileged access.

Description
PHP contains code for intelligently parsing the headers of HTTP POST
requests. The code is used to differentiate between variables and files sent
by the user agent in a "multipart/form-data" request. This parser has
insufficient input checking, leading to the vulnerability.

The vulnerability is exploitable by anyone who can send HTTP POST requests
to an affected web server. Both local and remote users, even from behind
firewalls, may be able to gain privileged access.

Impact
Both local and remote users may exploit this vulnerability to compromise the
web server and, under certain conditions, to gain privileged access. So far
only the IA32 platform has been verified to be safe from the execution of
arbitrary code. The vulnerability can still be used on IA32 to crash PHP
and, in most cases, the web server.

Solution
The PHP Group has released a new PHP version, 4.2.2, which incorporates a
fix for the vulnerability. All users of affected PHP versions are encouraged
to upgrade to this latest version. The downloads web site at

http://www.php.net/downloads.php
has the new 4.2.2 source tarballs, Windows binaries and source patches from
4.2.0 and 4.2.1 available for download.

Workaround
If the PHP applications on an affected web server do not rely on HTTP POST
input from user agents, it is often possible to deny POST requests on the
web server.

In the Apache web server, for example, this is possible with the following
code included in the main configuration file or a top-level .htaccess file:

<Limit POST>
    Order deny,allow
    Deny from all
</Limit>

Note that an existing configuration and/or .htaccess file may have
parameters contradicting the example given above.

Credits
The PHP Group would like to thank Stefan Esser of e-matters GmbH for
discovering this vulnerability. e-matters GmbH has also released an
independent advisory, describing the vulnerability in more detail.

--
Paul Tinsley
paul.tinsley@phyve.com
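The advisory's note that "an existing configuration and/or .htaccess file may have parameters contradicting the example" is worth making concrete. The following is an added example, not code from the advisory, from PHP or from Apache: a small Python model of the documented semantics of Apache's Order/Deny/Allow directives inside a <Limit POST> block. It shows that with Order deny,allow a pre-existing Allow from line (the 192.0.2.0/24 range below is a constructed example) lets POSTs from that range straight through the Deny from all, while Order allow,deny does not. The model covers one configuration scope only; real Apache also merges directives from httpd.conf, <Directory> sections and .htaccess files, so check the effective configuration for every directory that serves PHP, not just the snippet you added.

```python
"""Model of how Apache evaluates Order/Allow/Deny inside a <Limit> block.

Added example, not code from the PHP advisory or from Apache itself. It
implements the documented semantics of the Order directive for a single
configuration scope. Assumptions: IPv4 clients, and 'from' arguments of the
forms 'all', 'a.b.c.d' or 'a.b.c.d/n'.
"""
import ipaddress


def _matches(client_ip, rules):
    """True if client_ip matches any 'from' rule ('all' or an IPv4 network)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule == "all":
            return True
        if ip in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def access_decision(order, deny, allow, client_ip):
    """Return True (allowed) or False (denied) per Apache's Order semantics.

    order: 'deny,allow' or 'allow,deny' (case-insensitive).
    deny/allow: lists of 'from' arguments, e.g. ['all'] or ['10.0.0.0/8'].
    """
    order = order.lower().replace(" ", "")
    denied = _matches(client_ip, deny)
    allowed = _matches(client_ip, allow)
    if order == "deny,allow":
        # Deny directives first; a matching Allow overrides; default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow directives first; a matching Deny overrides; default is deny.
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)


def post_reaches_php(method, client_ip, order, deny, allow, limited_methods=("POST",)):
    """Does a request with this method get past a <Limit POST> block?

    Methods outside the <Limit> list are not subject to the rules at all,
    which is why GET keeps working while POST is refused.
    """
    if method.upper() not in limited_methods:
        return True
    return access_decision(order, deny, allow, client_ip)


# Scenario 1: the advisory's snippet with nothing else in scope.
# <Limit POST> Order deny,allow / Deny from all </Limit>
WORKAROUND = dict(order="deny,allow", deny=["all"], allow=[])

# Scenario 2: the same snippet, but an earlier "Allow from 192.0.2.0/24"
# (constructed example range) for an intranet form is still in scope.
CONTRADICTED = dict(order="deny,allow", deny=["all"], allow=["192.0.2.0/24"])

# Scenario 3: Order allow,deny makes Deny win even against that Allow line.
STRICT = dict(order="allow,deny", deny=["all"], allow=["192.0.2.0/24"])


if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND),
                      ("contradicted", CONTRADICTED),
                      ("strict", STRICT)):
        for ip in ("192.0.2.10", "198.51.100.7"):
            print("%-12s %-14s POST reaches PHP: %s"
                  % (name, ip, post_reaches_php("POST", ip, **cfg)))
```

The point of the third scenario is that if you cannot audit every Allow from line, Order allow,deny together with Deny from all refuses POST regardless of what else is in scope; with Order deny,allow the Deny is only a default that any Allow can override.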
Re: PHP Exploit
Out of curiosity, who did the verification that this was not exploitable
on IA32? The same guys that determined x86 apache was not exploitable?
Were a range of OS's tested or just one OS with an IA32 processor?
Should we take their word?
-KF


Re: PHP Exploit
Where's the exploit?

;)

peace,
core

RE: PHP Exploit
IMHO, any box that has an Apache web server running PHP needs to be
updated. If you look at the comments on the IA32 platform, it states that it
can crash PHP and/or the web server itself, still deeming it capable of a
nasty denial-of-service attack.

--
Paul Tinsley
paul.tinsley@phyve.com


-----Original Message-----
From: KF [mailto:dotslash@snosoft.com]
Sent: Monday, July 22, 2002 1:59 PM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] PHP Exploit

Out of curiosity, who did the verification that this was not exploitable
on IA32? The same guys that determined x86 apache was not exploitable?
Were a range of OS's tested or just one OS with an IA32 processor?
Should we take their word?
-KF


_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure
Re: PHP Exploit
> Description
> PHP contains code for intelligently parsing the headers of HTTP POST
> requests. The code is used to differentiate between variables and files sent
> by the user agent in a "multipart/form-data" request. This parser has
> insufficient input checking, leading to the vulnerability.

Another hole in the same part of the code as last time.

> Workaround
> If the PHP applications on an affected web server do not rely on HTTP POST
> input from user agents, it is often possible to deny POST requests on the
> web server.

Seeing as the multipart/form-data MIME type is mostly used with file uploads
(forms without file uploads usually use the application/x-www-form-urlencoded
MIME type), perhaps you could protect yourself by setting file_uploads to off
in php.ini, or maybe that doesn't work for some reason.

// Ulf Harnhammar
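Whichever mitigation you pick, denying POST outright as the advisory suggests or something narrower along the lines Ulf raises, you want to confirm from the outside that it is actually in force. The following is an added example, not code from the advisory, from PHP or from anyone in this thread: a Python probe that hand-builds a GET, an application/x-www-form-urlencoded POST and a multipart/form-data POST (the request shape that reaches the header parser the advisory describes), sends them to a host given on the command line, and reports the status code of each. It does not attempt anything malformed; the multipart body is a well-formed RFC 1867 upload with constructed field and file contents. Assumptions: HTTP/1.0 over plain TCP (no TLS), and a path that is served by PHP. The request builders and status parser work offline.

```python
"""Probe whether POST bodies still reach PHP after a deny-POST workaround.

Added example, not part of the PHP advisory or this thread. Builds three
raw HTTP/1.0 requests, sends each on its own TCP connection and prints the
status code. Field values and file contents are bytes; names are str.
"""
import socket
import sys
from urllib.parse import urlencode

CRLF = b"\r\n"
BOUNDARY = b"----probe7c3e1f"  # constructed; any token absent from the parts will do


def build_request(method, host, path, headers=None, body=b""):
    """Assemble a raw HTTP/1.0 request. Content-Length is derived from the
    body so the header can never disagree with what is actually sent."""
    lines = [
        b"%s %s HTTP/1.0" % (method.encode(), path.encode()),
        b"Host: " + host.encode(),
        b"User-Agent: post-probe/0.1",
        b"Connection: close",
    ]
    for name, value in (headers or {}).items():
        lines.append(name.encode() + b": " + value.encode())
    if method == "POST":
        lines.append(b"Content-Length: %d" % len(body))
    return CRLF.join(lines) + CRLF + CRLF + body


def urlencoded_post(host, path, fields):
    """A plain form submission: the content type that does not involve
    PHP's multipart parser at all."""
    body = urlencode(fields).encode("ascii")
    return build_request("POST", host, path,
                         {"Content-Type": "application/x-www-form-urlencoded"}, body)


def multipart_post(host, path, fields, files, boundary=BOUNDARY):
    """A multipart/form-data submission (RFC 1867 layout): fields as plain
    parts, files as parts carrying a filename. The boundary must not occur
    inside any part, otherwise the receiver cannot delimit the body."""
    for data in list(fields.values()) + [content for _, content in files.values()]:
        if boundary in data:
            raise ValueError("boundary collides with part content")
    parts = []
    for name, value in fields.items():
        parts.append(b"--" + boundary + CRLF
                     + b'Content-Disposition: form-data; name="' + name.encode() + b'"'
                     + CRLF + CRLF + value)
    for name, (filename, content) in files.items():
        parts.append(b"--" + boundary + CRLF
                     + b'Content-Disposition: form-data; name="' + name.encode()
                     + b'"; filename="' + filename.encode() + b'"' + CRLF
                     + b"Content-Type: application/octet-stream" + CRLF + CRLF + content)
    body = CRLF.join(parts) + CRLF + b"--" + boundary + b"--" + CRLF
    return build_request("POST", host, path,
                         {"Content-Type": "multipart/form-data; boundary=" + boundary.decode()},
                         body)


def parse_status(response):
    """Numeric status code from a raw HTTP response, or None if the status
    line is not well-formed."""
    status_line = response.split(CRLF, 1)[0]
    fields = status_line.split(b" ", 2)
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/") or not fields[1].isdigit():
        return None
    return int(fields[1])


def send_raw(host, port, request, timeout=10):
    """Send one request and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def probe(host, port, path):
    """Status code per request kind. With the advisory's <Limit POST> in
    force, both POSTs should come back 403 while the GET still succeeds."""
    requests = {
        "GET": build_request("GET", host, path),
        "POST urlencoded": urlencoded_post(host, path, {"q": "probe"}),
        "POST multipart": multipart_post(host, path, {"q": b"probe"},
                                         {"up": ("probe.txt", b"probe\n")}),
    }
    return {kind: parse_status(send_raw(host, port, req)) for kind, req in requests.items()}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: post-probe.py HOST PORT /path/to/script.php")
    for kind, code in probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]).items():
        print("%-16s -> %s" % (kind, code))
```

Reading the result: GET 200 with both POSTs 403 means the deny is in effect for that path. A 200 on the multipart POST means the body reached the application, so the workaround is missing or contradicted for that directory. If you blocked only multipart/form-data rather than all of POST, the urlencoded POST is expected to keep returning 200 and the multipart one 403. Run it against every PHP-serving path, since .htaccess scope is per directory.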