SecuriTeam - Multiple Remote Vulnerabilities in PHP's Fileupload Code

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

e-Matters found several flaws in the way PHP handles multipart/form-data POST requests. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.

Credit:
The information has been provided by E-Matters.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
PHP v3.10-v3.18, v4.0.1-v4.1.1

PHP supports multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Unfortunately, there are several flaws in the php_mime_split function that could be used by an attacker to execute arbitrary code. During e-Matters' research, they have found out that not only PHP4 but also older versions from the PHP3 tree are vulnerable.

The following is a list of bugs we found:

PHP 3.10-3.18
- Broken boundary check (hard to exploit)
- Arbitrary heap overflow (easy exploitable)

PHP 4.0.1-4.0.3pl1
- Broken boundary check (hard to exploit)
- Heap off by one (easy exploitable)

PHP 4.0.2-4.0.5
- 2 broken boundary checks (one very easy and one hard to exploit)

PHP 4.0.6-4.0.7RC2
- Broken boundary check (very easy to exploit)

PHP 4.0.7RC3-4.1.1
- Broken boundary check (hard to exploit)

Finally, e-Matters mentions that most of these vulnerabilities are exploitable only on Linux or Solaris. However, the heap off by one is only exploitable on x86 architecture and the arbitrary heap overflow in PHP3 is exploitable on most OS and architectures. (This includes *BSD)

Users running PHP 4.2.0-dev from CVS are not vulnerable to any of the described bugs because the fileupload code was completely rewritten for the 4.2.0 branch.

Vendor response:
27 February 2002 An updated version of PHP and the patch for these vulnerabilities are now available at: http://www.php.net/downloads.php

Recommendation:
If you are running PHP 4.0.3 or above one way to workaround these bugs is to disable the fileupload support within your php.ini (file_uploads = Off) If you are running PHP as module keep in mind to restart the web server. Anyway, you should better install the fixed or a properly patched version to be safe.

	Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
	Microsoft Virtual PC Hypervisor Memory Protection Vulnerability
	Apple WebKit HTML Element Use After Free Vulnerability
	Apple WebKit CSS Run-in Attribute Rendering Vulnerability
	Publique! CMS and SQL Injection Vulnerabilities
	Files2Links F2L-3000 SQL Injection Vulnerability
	HP-UX Running Apache Data Injection and DoS Vulnerability
	MIT krb5 KDC denial of service in cross-realm referral processing
	AproxEngine Multiple Vulnerabilities
	APC Switched Rack PDU XSS Vulnerability
	HP-UX Running OpenSSL Unauthorized Data Injection and Denial of Service
	HP OpenView NNM snmpviewer.exe CGI Host Header Stack Overflow Vulnerability
	HP OpenView NNM ovwebsnmpsrv.exe OVwSelection Stack Overflow Vulnerability
	HP-UX Running VRTSweb Remote Execution of Arbitrary Code and Privilege Escalation
	FreeBSD SSL and TLS Session Renegotiation vulnerability