Flaws Found in PHP Leave Web Servers Open to Attack
The Computer Emergency Response Team Coordination Center (CERT/CC) Wednesday warned of multiple vulnerabilities in the PHP scripting language that allow a remote attacker to execute arbitrary code with the privileges of the PHP process on a victim's system.
The flaws were discovered and first reported by Stefan Esser of e-matters, a member of the PHP developer team.The Computer Emergency Response Team Coordination Center (CERT/CC) Wednesday warned of multiple vulnerabilities in the PHP scripting language that allow a remote attacker to execute arbitrary code with the privileges of the PHP process on a victim's system.
PHP is widely used in Web development and can be installed on a variety of Web servers, including Apache, IIS, Caudium, Netscape and iPlanet, and OmniHTTPd. Esser said the vulnerabilities lie in the php_mime_split function, allowing an attacker to either execute arbitrary code with the privileges of the Web server or interrupt normal operations of the Web server.
Esser said he found a number of bugs in various versions of PHP, including:
- PHP 3.0.10-3.0.18 -- a broken boundary check (which Esser noted is difficult to exploit) and an arbitrary heap overflow (easy to exploit)
- PHP 4.0.1-4.0.3pl1 -- broken boundary check (hard to exploit) and heap off by one (easy to exploit)
- PHP 4.0.2-4.0.5 -- two broken boundary checks (one easy to exploit and one hard to exploit)
- PHP 4.0.6-4.0.7RC2 -- broken boundary check (very easy to exploit)
- PHP 4.0.7RC3-4.1.1 -- broken boundary check (hard to exploit)
Esser noted that most of the vulnerabilities are exploitable only on Linux or Solaris, but said the "heap off by one" flaw is only exploitable on x86 architecture and the "arbitrary heap overflow" in PHP3 is exploitable on most operating systems and architectures, including *BSD.
PHP users can get around the flaws by upgrading to PHP version 4.1.2. If upgrading is not possible, patches for older versions are available at http://www.php.net/downloads.php.
Users of version 4.20-dev are not vulnerable to the bugs because the fileupload code was completely rewritten for that branch.
If neither upgrading nor applying a patch is possible, PHP users can avoid the vulnerabilities by disabling fileupload support. To accomplish this, edit the PHP configuration file php.ini to "file_uploads = off." This setting applies only to version 4.0.3 and above and will prevent users from using fileuploads.