PHP powered web sites face serious vulnerabilities

[javacool]

A couple new PHP vulnerabilites are allowing crackers to exploit websites...

Article here: http://www.eweek.com/article/0,3658,...a=23361,00.asp

[javacool]

Couresty of eWeek.com:

Quote:

February 27, 2002
Crackers Exploit PHP Vulnerabilities

By *Dennis Fisher

Security researchers have found seven separate vulnerabilities in several versions of the widely used PHP scripting language and warn that crackers are circulating exploit code for at least one of the flaws.
The problem lies in the way that PHP handles multipart-data POST requests, through which users can upload files or other content to a Web server. Specifically, there are several flaws in the php_mime_split function that an attacker could use to run arbitrary code on a vulnerable server, according to a bulletin released by Stefan Esser of e-matters GmbH, of Koln, Germany, and a member of the PHP development team.

The PHP team has released an updated version of the language that fixes the security problems. PHP, which began as a project of the Apache Software Foundation, is most often used on Apache Web servers, which make up nearly 60 percent of the servers in the Internet, according to a survey by Netcraft, a U.K. security testing company. But all major Web servers support PHP, as well.

Most of the vulnerabilities are relevant only to machines running Sun Microsystems Inc.'s Solaris and various versions of Linux.

The vulnerabilities are all buffer overflows, although some are more difficult to exploit than others, according to Esser's advisory. For a full list of the flaws and the affected versions of PHP, see the advisory at http://security.e-matters.de/advisories/012002.html.

A working exploit for one of the flaws is making the rounds in the security underground and contains exploit vectors for versions of Apache running on Debian and Red Hat Inc.'s Linux distribution, according to Internet Security Systems Inc., in Atlanta.

The company says its X-Force research team has verified that the exploit works, although somewhat inconsistently.

[javacool]

Quote:

e-matters GmbH
* * * * * * * * * * * * *www.e-matters.de

* * * * * * * * * * *-= Security *Advisory =-



Advisory: Multiple Remote Vulnerabilites within PHP's fileupload code
Release Date: 2002/02/27
Last Modified: 2002/02/27
Author: Stefan Esser [s.esser@e-matters.de]

Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
Severity: Several vulnerabilities in PHP's fileupload code allow remote compromise
Risk: Critical
Vendor Status: Patches Released
Reference: http://security.e-matters.de/advisories/012002.html



Overview:
* * *
* We found several flaws in the way PHP handles multipart/form-data POST
* requests. Each of the flaws could allow an attacker to execute arbitrary
* code on the victim's *system.

* * *
Details:

* PHP supports multipart/form-data POST requests (as described in RFC1867)
* known as POST fileuploads. Unfourtunately there are several flaws in the
* php_mime_split function that could be used by an attacker to execute
* arbitrary code. During our research we found out that not only PHP4 but
* also older versions from the PHP3 tree are vulnerable.
*
*
* The following is a list of bugs we found:
*
* PHP 3.10-3.18
*
* * *- broken boundary check * *(hard to exploit)
* * *- arbitrary heap overflow *(easy exploitable)
*
* PHP 4.0.1-4.0.3pl1
*
* * *- broken boundary check * *(hard to exploit)
* * *- heap off by one * * * * *(easy exploitable)
* * *
* PHP 4.0.2-4.0.5
*
* * *- 2 broken boundary checks (one very easy and one hard to exploit)
* * *
* PHP 4.0.6-4.0.7RC2
*
* * *- broken boundary check * *(very easy to exploit)
* * *
* PHP 4.0.7RC3-4.1.1
*
* * *- broken boundary check * *(hard to exploit)


* Finally I want to mention that most of these vulnerabilities are
* exploitable only on linux or solaris. But the heap off by one is only
* exploitable on x86 architecture and the arbitrary heap overflow in
* PHP3 is exploitable on most OS and architectures. (This includes *BSD)

* Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the
* described bugs because the fileupload code was completly rewritten for
* the 4.2.0 branch.
*

Proof of Concept:

* e-matters is not going to release exploits for any of the discovered
* vulnerabilities to the public.
*

Vendor Response:

* Because I am part of the php developer team there is not much I can
* write here...

* 27th February 2002 - An updated version of php and the patch for
* * * * * * * * * * * *these vulnerabilities are now available at:
* * * * * * * * * * * *http://www.php.net/downloads.php
* * * * * *

Recommendation:

* If you are running PHP 4.0.3 or above one way to workaround these
* bugs is to disable the fileupload support within your php.ini
* (file_uploads = Off) If you are running php as module keep in mind
* to restart the webserver. Anyway you should better install the
* fixed or a properly patched version to be safe.
*
*
Sidenotice:

* This advisory is so short because I don't want to give out more info
* than is needed.
*
* Users running the developer version of php (4.2.0-dev) are not
* vulnerable to these bugs because the fileupload support was completly
* rewritten for that branch.


GPG-Key:

* http://security.e-matters.de/gpg_key.asc
* *
* pub *1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
* Key fingerprint = 43DD 843C FAB9 832A E5AB *CAEB 81F2 8110 75E7 AAD6


Copyright 2002 Stefan Esser. All rights reserved.

[UNICRON]

Gee somebody must have given MS a day off and hacked someone else for a change. I wonder how well all these MS alternatives will do if put under the same scrutiny.