Related information

Multiple PHP bugs

MOPB-08-2007:PHP 4 phpinfo() XSS Vulnerability (Deja-vu)

PHP XSS exploit in phpinfo()

PHP Trans SID  XSS (Was: New php release with security fixes)

PHP 4.3.2 released

From:	PHP
Date:	22.07.2002
Subject:	Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

  PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1


Issued on: July 22, 2002
Software:  PHP versions 4.2.0 and 4.2.1
Platforms: All


  The PHP Group has learned of a serious security vulnerability in PHP
  versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
  code with the privileges of the web server. This vulnerability may be
  exploited to compromise the web server and, under certain conditions,
  to gain privileged access.


Description

  PHP contains code for intelligently parsing the headers of HTTP POST
  requests. The code is used to differentiate between variables and files
  sent by the user agent in a "multipart/form-data" request. This parser
  has insufficient input checking, leading to the vulnerability.

  The vulnerability is exploitable by anyone who can send HTTP POST
  requests to an affected web server. Both local and remote users, even
  from behind firewalls, may be able to gain privileged access.


Impact

  Both local and remote users may exploit this vulnerability to compromise
  the web server and, under certain conditions, to gain privileged access.
  So far only the IA32 platform has been verified to be safe from the
  execution of arbitrary code. The vulnerability can still be used on IA32
  to crash PHP and, in most cases, the web server.


Solution

  The PHP Group has released a new PHP version, 4.2.2, which incorporates
  a fix for the vulnerability. All users of affected PHP versions are
  encouraged to upgrade to this latest version. The downloads web site at

     http://www.php.net/downloads.php
  
  has the new 4.2.2 source tarballs, Windows binaries and source patches
  from 4.2.0 and 4.2.1 available for download.


Workaround

  If the PHP applications on an affected web server do not rely on HTTP
  POST input from user agents, it is often possible to deny POST requests
  on the web server.

  In the Apache web server, for example, this is possible with the
  following code included in the main configuration file or a top-level
  .htaccess file:

     <Limit POST>
         Order deny,allow
         Deny from all
     </Limit>
   
  Note that an existing configuration and/or .htaccess file may have
  parameters contradicting the example given above.


Credits

  The PHP Group would like to thank Stefan Esser of e-matters GmbH for
  discovering this vulnerability.
  

Copyright (c) 2002 The PHP Group.