Flaws Found in PHP Leave Web Servers Open to Attack

By Thor Olavsrud
Posted Feb 28, 2002


The Computer Emergency Response Team Coordination Center (CERT/CC) Wednesday warned of multiple vulnerabilities in the PHP scripting language that allow a remote attacker to execute arbitrary code with the privileges of the PHP process on a victim's system.

The flaws were discovered and first reported by Stefan Esser of e-matters, a member of the PHP developer team.

PHP is widely used in Web development and can be installed on a variety of Web servers, including Apache, IIS, Caudium, Netscape and iPlanet, and OmniHTTPd. Esser said the vulnerabilities lie in the php_mime_split function, allowing an attacker to either execute arbitrary code with the privileges of the Web server or interrupt normal operations of the Web server.

Esser said he found a number of bugs in various versions of PHP, including:

  • PHP 3.0.10-3.0.18 -- a broken boundary check (which Esser noted is difficult to exploit) and an arbitrary heap overflow (easy to exploit)
  • PHP 4.0.1-4.0.3pl1 -- broken boundary check (hard to exploit) and heap off by one (easy to exploit)
  • PHP 4.0.2-4.0.5 -- two broken boundary checks (one easy to exploit and one hard to exploit)
  • PHP 4.0.6-4.0.7RC2 -- broken boundary check (very easy to exploit)
  • PHP 4.0.7RC3-4.1.1 -- broken boundary check (hard to exploit)

Esser noted that most of the vulnerabilities are exploitable only on Linux or Solaris, but said the "heap off by one" flaw is only exploitable on x86 architecture and the "arbitrary heap overflow" in PHP3 is exploitable on most operating systems and architectures, including *BSD.

PHP users can get around the flaws by upgrading to PHP version 4.1.2. If upgrading is not possible, patches for older versions are available at http://www.php.net/downloads.php.

Users of version 4.20-dev are not vulnerable to the bugs because the fileupload code was completely rewritten for that branch.

If neither upgrading nor applying a patch is possible, PHP users can avoid the vulnerabilities by disabling file upload support. To do this, set "file_uploads = off" in the PHP configuration file, php.ini. This setting applies only to version 4.0.3 and above and will prevent users from uploading files.
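One way to confirm the workaround is actually in effect is shown below as an added example (not from the article or the PHP project). It assumes that ";" starts a comment in php.ini, that a later assignment overrides an earlier one, and that an absent directive leaves uploads enabled; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a php.ini file effectively disables uploads.
# Prints "off" when file_uploads is disabled, "on" otherwise.
# Assumptions: ';' begins a comment, the last assignment wins, and a missing
# directive means the built-in default (uploads enabled).

file_uploads_state() {
    ini=$1
    [ -r "$ini" ] || { echo "unreadable"; return 2; }
    awk '
        BEGIN { state = "on" }                 # default when never set
        {
            line = $0
            sub(/;.*$/, "", line)              # drop comments, incl. commented-out settings
            if (line !~ /^[ \t]*file_uploads[ \t]*=/) next
            val = line
            sub(/^[^=]*=[ \t]*/, "", val)      # keep only the value
            sub(/[ \t\r]+$/, "", val)          # trim trailing whitespace / CR
            gsub(/"/, "", val)                 # tolerate quoted values
            val = tolower(val)
            if (val == "off" || val == "0" || val == "false" || val == "no" || val == "none" || val == "")
                state = "off"
            else
                state = "on"
        }
        END { print state }
    ' "$ini"
}

# Constructed sample: the commented-out line does not count; the last
# uncommented assignment decides the result.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
;file_uploads = off
file_uploads = On
file_uploads = Off   ; workaround until the upgrade to 4.1.2
EOF
echo "file_uploads is $(file_uploads_state "$sample")"
rm -f "$sample"
```

A result of "on" for a file that contains only `;file_uploads = off` is the case worth checking for: the line looks like the workaround but is a comment.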

