ISS X-Force Database: php-file-upload-overflow(8281): PHP multiple HTTP POST file upload overflows

PHP multiple HTTP POST file upload overflows

php-file-upload-overflow (8281)

High Risk

Description:

PHP is vulnerable to several buffer overflow vulnerabilities in the handling of file uploads. By using the HTTP POST method to upload a PHP form containing specially-crafted MIME-encoded data, a remote attacker can overflow a buffer and execute arbitrary code on the Web server with elevated privileges.

Platforms Affected:

Conectiva, Linux 5.0
Conectiva, Linux 5.1
Conectiva, Linux 6.0
Conectiva, Linux 7.0
Conectiva, Linux ecommerce
Conectiva, Linux prg_graficos
Debian, Debian Linux 2.2
EngardeLinux, Secure Community 1.0.1
MandrakeSoft, Mandrake Linux 7.1
MandrakeSoft, Mandrake Linux 7.2
MandrakeSoft, Mandrake Linux 8.0
MandrakeSoft, Mandrake Linux 8.1
MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
MandrakeSoft, Mandrake Single Network Firewall 7.2
PHP, PHP 3.0.10
PHP, PHP 3.0.11
PHP, PHP 3.0.12
PHP, PHP 3.0.13
PHP, PHP 3.0.14
PHP, PHP 3.0.15
PHP, PHP 3.0.16
PHP, PHP 3.0.17
PHP, PHP 3.0.18
PHP, PHP 4.0 Beta 4 Patch1
PHP, PHP 4.0 Beta1
PHP, PHP 4.0 Beta2
PHP, PHP 4.0 Beta3
PHP, PHP 4.0 Beta4
PHP, PHP 4.0 RC1
PHP, PHP 4.0 RC2
PHP, PHP 4.0.0
PHP, PHP 4.0.1
PHP, PHP 4.0.2
PHP, PHP 4.0.3
PHP, PHP 4.0.4
PHP, PHP 4.0.5
PHP, PHP 4.0.6
PHP, PHP 4.0.7
PHP, PHP 4.1.0
PHP, PHP 4.1.1
RedHat, Linux 6.2
RedHat, Linux 7
RedHat, Linux 7.1
RedHat, Linux 7.2
RedHat, Linux 7.3
SCO, Caldera OpenLinux Server 3.1
SCO, Caldera OpenLinux Server 3.1.1
SCO, Caldera OpenLinux Workstation 3.1
SCO, Caldera OpenLinux Workstation 3.1.1
SuSE, SuSE Linux 6.4
SuSE, SuSE Linux 7.0
SuSE, SuSE Linux 7.1
SuSE, SuSE Linux 7.2
SuSE, SuSE Linux 7.3
Trustix, Secure Linux 1.1
Trustix, Secure Linux 1.2
Trustix, Secure Linux 1.5

Remedy:

Upgrade to the latest version of PHP (4.1.2 or later) or apply the appropriate security fix for your PHP version, available from the PHP Group Web site. See References.

As a workaround, refer to the recommendation listed in Internet Security Systems Security Alert #112. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of PHP (3.0.18-8 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:035-18. See References.

For Red Hat Linux 7.0:
Upgrade to the latest version of PHP (4.0.6-13 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:035-18. See References.

For Red Hat Linux 7.1:
Upgrade to the latest version of PHP (4.0.6-14 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:035-18. See References.

For Red Hat Linux 7.2:
Upgrade to the latest version of PHP (4.0.6-15 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:035-18. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of PHP (4.0.6-5.8mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:017 : php. See References.

For Mandrake Linux 7.2:
Upgrade to the latest version of PHP (4.0.6-5.7mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:017 : php. See References.

For Mandrake Linux 8.0:
Upgrade to the latest version of PHP (4.0.6-5.6mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:017 : php. See References.

For Mandrake Linux 8.1:
Upgrade to the latest version of PHP (4.0.6-5.5mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:017 : php. See References.

For Mandrake Single Network Firewall 7.2:
Upgrade to the latest version of PHP (4.0.4pl1-4.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:017 : php. See References.

For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of PHP3 (3.0.18-0potato1.1 or later) or PHP4 (4.0.3pl1-0potato3 or later), as listed in DSA 115-1. See References.

For EnGarde Secure Linux 1.0.1 (Finestra):
Upgrade to the latest version of php (4.0.6-1.0.18 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20020301-006. See References.

For SuSE Linux 6.4, 7.0, 7.1, 7.2, and 7.2 (all platforms):
Upgrade to the latest version of mod_php or mod_php4, as listed in SuSE Security Announcement SuSE-SA:2002:007. See References.

For Trustix Secure Linux 1.1 and 1.2:
Upgrade to the latest version of mod_php3 (3.0.18-1tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0033. See References.

For Trustix Secure Linux 1.5:
Upgrade to the latest version of mod_php4 (4.0.6-8tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0033. See References.

For Caldera OpenLinux 3.1 and 3.1.1 (Server and Workstation):
Upgrade to the latest version of php (4.0.6-3.2 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-023.0. See References.

For Conectiva Linux 5.0, prg graficos and ecommerce:
Upgrade to the latest package of php (3.0.18-6U50_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:468. See References.

For Conectiva Linux 5.1:
Upgrade to the latest package of php (3.0.18-6U51_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:468. See References.

For Conectiva Linux 6.0:
Upgrade to the latest package of php (3.0.18-9U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:468. See References.

For Conectiva Linux 7.0:
Upgrade to the latest package of php (4.1.1-1U70_4cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:468. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

BugTraq Mailing List, Mon Mar 04 2002 - 16:18:42 CST, Apache+php Proof of Concept Exploit at http://archives.neohapsis.com/archives/bugtraq/2002-03/0040.html.
Caldera International, Inc. Security Advisory CSSA-2002-023.0, Linux: PHP multipart/form-data vulnerabilities at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-023.0.txt.
CERT Advisory CA-2002-05, Multiple Vulnerabilities in PHP fileupload at http://www.cert.org/advisories/CA-2002-05.html.
CIAC Information Bulletin M-049, Multiple PHP Vulnerabilities at http://www.ciac.org/ciac/bulletins/m-049.shtml.
Conectiva Linux Announcement CLSA-2002:468, php at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000468.
e-matters Security Advisory 01/2002, PHP remote vulnerabilities at http://security.e-matters.de/advisories/012002.html.
EnGarde Secure Linux Security Advisory ESA-20020301-006, Several flaws in PHP's MIME parsing. at http://www.linuxsecurity.com/content/view/103701/109/.
Internet Security Systems Security Alert #112, Multiple PHP Vulnerabilities: Remote Compromise Exploit in Circulation at http://xforce.iss.net/xforce/alerts/id/advise112.
The PHP Group Web site, PHP: Downloads at http://www.php.net/downloads.php.
Trustix Secure Linux Security Advisory #2002-0033, mod_php{3,4} at http://www.trustix.net/errata/2002/0033/.
BID-4183: PHP Post File Upload Buffer Overflow Vulnerabilities
CVE-2002-0081: Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled.
DSA-115: php -- broken boundary check and more
MDKSA-2002:017: Updated php packages fix file upload vulnerability
OpenPKG-SA-2002.001: PHP
RHSA-2002-035: Updated PHP packages are available [updated 2002-Mar-11]
US-CERT VU#297363: PHP contains vulnerability in php_mime_split function allowing arbitrary code execution

Reported:

Feb 27, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page