Date: 23 July 2002
References: ESB-2002.356 ESB-2002.367 ESB-2002.420
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.08 -- AUSCERT ALERT
Remote Compromise/Denial of Service Vulnerability in PHP
23 July 2002
===========================================================================

PROBLEM:

A flaw has been found in PHP's HTTP POST request parser that may
allow a local or remote user to corrupt the program stack, leading
to either a denial of service (DoS) or the execution of code of
the attacker's choice, which may in turn lead to a root or
Administrator compromise.

The flaw may be exploited via normal HTTP traffic, so standard
firewalls would be ineffective in stopping an exploit.

AusCERT is not aware of any exploit activity against this flaw at
this time, but urges site administrators to follow the corrective
measures in this alert as soon as possible.

PLATFORM:

All platforms supported by PHP are vulnerable. Intel's 32-bit x86
architecture is not vulnerable to execution of arbitrary code,
because its program stack is not controllable by the remote user,
but it is vulnerable to a denial of service attack.

IMPACT:

An attacker exploiting this vulnerability may cause a denial of
service or, on architectures other than Intel's x86, run code or
commands of the attacker's choice with the privileges of the web
server. This may lead to root or Administrator compromise.

MITIGATION:

Patches have been released for this vulnerability, and it is
recommended that vulnerable systems be upgraded to PHP 4.2.2 as
soon as possible. Patches, binaries and source for PHP 4.2.2 can
be found at:

    http://www.php.net/downloads.php

As a workaround you may be able to disable HTTP POST input within
your web server, as the vulnerability is confined to the HTTP POST
parsing section of PHP. Note that if your web site depends on POST
requests, this will cause it to fail, and you have no other choice
but to install the patches mentioned above. This workaround should
only be considered a temporary measure; AusCERT recommends
upgrading to PHP 4.2.2 as the only long-term solution.

To disable HTTP POST input in Apache, you should put the following
in the main configuration file or a top-level .htaccess file:

    <Limit POST>
    Order deny,allow
    Deny from all
    </Limit>
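
The following is an added example, not part of the AusCERT alert: a check over an Apache access log that lists which paths receive POST requests, both to judge whether the site depends on POST before applying the workaround and to confirm afterwards that POSTs are refused. It assumes Common Log Format and that a denied request is logged with status 403; the function name post_usage and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Request and status fields of an Apache Common Log Format line:
#   "METHOD path PROTOCOL" status bytes
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2002:10:01:02 +1000] "GET /index.php HTTP/1.0" 200 5120
192.0.2.11 - - [23/Jul/2002:10:01:05 +1000] "POST /login.php HTTP/1.0" 200 312
192.0.2.12 - - [23/Jul/2002:10:02:17 +1000] "POST /search.php?q=a HTTP/1.0" 200 2048
192.0.2.11 - - [23/Jul/2002:10:03:40 +1000] "POST /login.php HTTP/1.0" 403 289
198.51.100.7 - - [23/Jul/2002:10:04:00 +1000] "GET /about.html HTTP/1.0" 200 900
"""


def post_usage(log_text):
    """Return (served, denied): Counters of POST request paths by outcome.

    served: POSTs the server processed (any status other than 403). Before
            the workaround these are pages that would break; after it,
            they are POSTs still reaching the PHP parser.
    denied: POSTs refused with 403, the response "Deny from all" produces.
    """
    served, denied = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLF.search(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        (denied if m.group("status") == "403" else served)[path] += 1
    return served, denied


if __name__ == "__main__":
    served, denied = post_usage(SAMPLE_LOG)
    for path, n in served.most_common():
        print(f"POST served: {n:4d}  {path}")
    for path, n in denied.most_common():
        print(f"POST denied: {n:4d}  {path}")
```

An empty "served" result over a log window that begins after the configuration change indicates the POST restriction is in effect for the logged virtual host.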

More information on this vulnerability can be found at:

    PHP Security Advisory
    http://www.php.net/release_4_2_2.php

    e-matters Security Advisory
    http://security.e-matters.de/advisories/022002.html

    ISS XForce Advisory
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20747

AusCERT will continue to monitor this issue, and provide more
information as it becomes available.

- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----