Date: 07/22/02
- Next message: Kondwani Spike Mkandawire: "[PHP] getservbyname"
- Previous message: Rodolfo Gonzalez: "Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions4.2.0 and 4.2.1"
- In reply to: Marko Karppinen: "[PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1"
- Next in thread: Richard Lynch: "[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and4.2.1"
- Maybe reply: Richard Lynch: "[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and4.2.1"
- Maybe reply: Scott Fletcher: "[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and4.2.1"
- Maybe reply: Richard Lynch: "[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and4.2.1"
Hi,
Not being an expert in PHP, I couldn't understand the vulnerability.
Can someone shed some light here?
Regards
anil
----- Original Message -----
From: "Marko Karppinen" <markonen <email protected>>
To: <php-general <email protected>>; "PHP-DEV" <php-dev <email protected>>;
<php-announce <email protected>>
Sent: Monday, July 22, 2002 9:49 AM
Subject: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
> PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
>
> Issued on: July 22, 2002
> Software: PHP versions 4.2.0 and 4.2.1
> Platforms: All
>
>
> The PHP Group has learned of a serious security vulnerability in PHP
> versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
> code with the privileges of the web server. This vulnerability may be
> exploited to compromise the web server and, under certain conditions,
> to gain privileged access.
>
>
> Description
>
> PHP contains code for intelligently parsing the headers of HTTP POST
> requests. The code is used to differentiate between variables and files
> sent by the user agent in a "multipart/form-data" request. This parser
> has insufficient input checking, leading to the vulnerability.
>
> The vulnerability is exploitable by anyone who can send HTTP POST
> requests to an affected web server. Both local and remote users, even
> from behind firewalls, may be able to gain privileged access.
>
>
> Impact
>
> Both local and remote users may exploit this vulnerability to compromise
> the web server and, under certain conditions, to gain privileged access.
> So far only the IA32 platform has been verified to be safe from the
> execution of arbitrary code. The vulnerability can still be used on IA32
> to crash PHP and, in most cases, the web server.
>
>
> Solution
>
> The PHP Group has released a new PHP version, 4.2.2, which incorporates
> a fix for the vulnerability. All users of affected PHP versions are
> encouraged to upgrade to this latest version. The downloads web site at
>
> http://www.php.net/downloads.php
>
> has the new 4.2.2 source tarballs, Windows binaries and source patches
> from 4.2.0 and 4.2.1 available for download.
>
>
> Workaround
>
> If the PHP applications on an affected web server do not rely on HTTP
> POST input from user agents, it is often possible to deny POST requests
> on the web server.
>
> In the Apache web server, for example, this is possible with the
> following code included in the main configuration file or a top-level
> .htaccess file:
>
> <Limit POST>
> Order deny,allow
> Deny from all
> </Limit>
>
> Note that an existing configuration and/or .htaccess file may have
> parameters contradicting the example given above.
>
>
> Credits
>
> The PHP Group would like to thank Stefan Esser of e-matters GmbH for
> discovering this vulnerability.
>
>
> Copyright (c) 2002 The PHP Group.
>
>
>
> --
> PHP Announcements Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
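
The workaround in the quoted advisory only applies when the PHP applications on the server do not rely on POST input. The following Python is an added example (not part of the thread or the PHP Group's advisory) that tallies served POST requests from an access log to check that precondition before denying POST. It assumes Apache Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "METHOD target proto" status bytes
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jul/2002:10:01:12 +0000] "GET /index.php HTTP/1.0" 200 5120
192.0.2.11 - - [22/Jul/2002:10:02:40 +0000] "POST /contact.php HTTP/1.0" 200 812
192.0.2.11 - - [22/Jul/2002:10:02:55 +0000] "POST /contact.php?sent=1 HTTP/1.0" 302 0
198.51.100.7 - - [22/Jul/2002:10:05:03 +0000] "POST /nonexistent.php HTTP/1.0" 404 210
198.51.100.7 - - [22/Jul/2002:10:05:09 +0000] "-" 408 -
192.0.2.12 - - [22/Jul/2002:10:07:31 +0000] "GET /news.php?id=4 HTTP/1.0" 200 3301
""".splitlines()


def post_usage(lines):
    """Return (Counter of paths served via POST, number of unparsable lines).

    Only POSTs answered with 2xx/3xx count: a 403 or 404 response shows that
    nothing on the server depends on that request.
    """
    served, skipped = Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1  # e.g. timed-out requests logged as "-"
            continue
        _host, method, target, status = m.groups()
        if method == "POST" and status[0] in "23":
            served[target.split("?", 1)[0]] += 1  # group by path, drop query
    return served, skipped


def workaround_is_safe(lines):
    """True when no served POST was seen, so denying POST breaks nothing observed."""
    served, _ = post_usage(lines)
    return not served


if __name__ == "__main__":
    served, skipped = post_usage(SAMPLE_LOG)
    for path, hits in served.most_common():
        print(f"{hits:5d}  {path}")
    print("skipped lines:", skipped)
    print("deny-POST workaround safe:", workaround_is_safe(SAMPLE_LOG))
```

An empty result only covers the period the log spans, so rarely used forms can still be missed.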

