|
|
|
|
| |
| As we reported in our previous advisory: PHP Security Vulnerability in Multipart FORM Data Handling, a security vulnerability in PHP would allow attackers to cause the product to execute arbitrary code. |
| |
Credit:
The information has been provided by e-matters Security.
|
| |
Vulnerable systems:
* PHP version 4.2.0
* PHP version 4.2.1
Immune systems:
* PHP version 4.2.2
PHP 4.2.0 introduced a completely rewritten multipart/form-data POST handler. A malformed POST request can trigger an error condition that is not correctly handled. Due to this bug, it could happen that an uninitialised struct is appended to a linked list of mime headers. When the list is cleaned or destroyed PHP tries to free the pointers that are expected in the struct. Because of the lack of initialization, these pointers contain stuff that was left on the stack by previous function calls.
On the IA32 architecture (a.k.a. x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout. All possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them.
Unfortunately, the situation is different if you look on a Solaris Sparc installation. Here it is possible for an attacker to free chunks of memory that are full under his control. This is most probably the case for several more non-IA32 architectures.
Please note that exploitability is not only limited to systems that are running malloc()/free() implementations that are known to be vulnerable to control structure overwrites. This is because the internal PHP memory management implements its own linked list system that can be used to overwrite nearly arbitrary memory addresses.
Recommendation:
If you are running PHP 4.2.x, you should upgrade as soon as possible, especially if your server runs on a non IA32 CPU. If you cannot upgrade for whatever reason the only way to workaround this, is to disable all kinds of POST requests on your server.
|
|
|
|
|
|
|
