[gentoo-announce] [ GLSA 200410-04 ] PHP: Memory disclosure and arbitrary location file upload - gentoo-announce

From:	Dan Margolis <krispykringle@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200410-04 ] PHP: Memory disclosure and arbitrary location file upload
Date:	Wed, 06 Oct 2004 01:24:23
Message-Id:	`416348C2.4030304@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200410-04

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: PHP: Memory disclosure and arbitrary location file upload

12

      Date: October 06, 2004

13

      Bugs: #64223

14

        ID: 200410-04

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Two bugs in PHP may allow the disclosure of portions of memory and

22

allow remote attackers to upload files to arbitrary locations.

23

24

Background

25

==========

26

27

PHP is a general-purpose scripting language widely used to develop

28

web-based applications. It can run inside a web server using the

29

mod_php module or the CGI version of PHP, or can run stand-alone in a

30

CLI.

31

32

Affected packages

33

=================

34

35

    -------------------------------------------------------------------

36

     Package          /  Vulnerable  /                      Unaffected

37

    -------------------------------------------------------------------

38

  1  dev-php/php           < 4.3.9                           >= 4.3.9

39

  2  dev-php/mod_php       < 4.3.9                            >= 4.3.9

40

  3  dev-php/php-cgi       < 4.3.9                            >= 4.3.9

41

    -------------------------------------------------------------------

42

     3 affected packages on all of their supported architectures.

43

    -------------------------------------------------------------------

44

45

Description

46

===========

47

48

Stefano Di Paola discovered two bugs in PHP. The first is a parse error

49

in php_variables.c that could allow a remote attacker to view the

50

contents of the target machine's memory. Additionally, an array

51

processing error in the SAPI_POST_HANDLER_FUNC() function inside

52

rfc1867.c could lead to the $_FILES array being overwritten.

53

54

Impact

55

======

56

57

A remote attacker could exploit the first vulnerability to view memory

58

contents. On a server with a script that provides file uploads, an

59

attacker could exploit the second vulnerability to upload files to an

60

arbitrary location. On systems where the HTTP server is allowed to

61

write in a HTTP-accessible location, this could lead to remote

62

execution of arbitrary commands with the rights of the HTTP server.

63

64

Workaround

65

==========

66

67

There is no known workaround at this time.

68

69

Resolution

70

==========

71

72

All PHP, mod_php and php-cgi users should upgrade to the latest stable

73

version:

74

75

    # emerge sync

76

77

    # emerge -pv ">=dev-php/php-4.3.9"

78

    # emerge ">=dev-php/php-4.3.9"

79

80

    # emerge -pv ">=dev-php/mod_php-4.3.9"

81

    # emerge ">=dev-php/mod_php-4.3.9"

82

83

    # emerge -pv ">=dev-php/php-cgi-4.3.9"

84

    # emerge ">=dev-php/php-cgi-4.3.9"

85

86

References

87

==========

88

89

  [ 1 ] Secunia Advisory

90

        http://secunia.com/advisories/12560/

91

  [ 2 ] BugTraq post regarding the php_variables.c issue

92

        http://www.securityfocus.com/archive/1/375294

93

  [ 3 ] BugTraq post regarding the rfc1867.c issue

94

        http://www.securityfocus.com/archive/1/375370

95

96

Availability

97

============

98

99

This GLSA and any updates to it are available for viewing at

100

the Gentoo Security Website:

101

102

  http://security.gentoo.org/glsa/glsa-200410-04.xml

103

104

Concerns?

105

=========

106

107

Security is a primary focus of Gentoo Linux and ensuring the

108

confidentiality and security of our users machines is of utmost

109

importance to us. Any security concerns should be addressed to

110

security@g.o or alternatively, you may file a bug at

111

http://bugs.gentoo.org.

112

113

License

114

=======

115

116

Copyright 2004 Gentoo Foundation, Inc; referenced text

117

belongs to its owner(s).

118

119

The contents of this document are licensed under the

120

Creative Commons - Attribution / Share Alike license.

121

122

http://creativecommons.org/licenses/by-sa/1.0

123

-----BEGIN PGP SIGNATURE-----

124

Version: GnuPG v1.2.4 (Darwin)

125

126

iQEVAwUBQWNIwbDO2aFJ9pv2AQJECgf7BBrP7OEsoGjgSR11YB4IFZwTXWsWUJO0

127

WGAfY2VX9ZQNPFJ90Je0Vgb/j50ZR8lfNpg4sjqw/ohouXEsGgAFhckUuVgIvUsv

128

xnmLSVt+cP/w2Gku/dGtQ8yOoi3++JhbIx0UiYv8pH4GcpjOfrJDDfI/ItmQKrCe

129

sGswXjuhYO1pAugzTWpouLdpCofbCqGS23VJbIP0jW6YtsMaxKdI0AteWlBDFCo5

130

0trpIZWdS5eY3wicoFG2y8Cj1zsmLhbUiY0YtYxsuQrw2vrLf6owZavUxSmrRe8R

131

gSNbYNNsFT/vbfsuQcrtKCS2qI4IheK0/nZIbt9YBFEDqYH4UbUXLw==

132

=Qhn7

133

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200410-04
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: PHP: Memory disclosure and arbitrary location file upload
12	Date: October 06, 2004
13	Bugs: #64223
14	ID: 200410-04
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Two bugs in PHP may allow the disclosure of portions of memory and
22	allow remote attackers to upload files to arbitrary locations.
23
24	Background
25	==========
26
27	PHP is a general-purpose scripting language widely used to develop
28	web-based applications. It can run inside a web server using the
29	mod_php module or the CGI version of PHP, or can run stand-alone in a
30	CLI.
31
32	Affected packages
33	=================
34
35	-------------------------------------------------------------------
36	Package / Vulnerable / Unaffected
37	-------------------------------------------------------------------
38	1 dev-php/php < 4.3.9 >= 4.3.9
39	2 dev-php/mod_php < 4.3.9 >= 4.3.9
40	3 dev-php/php-cgi < 4.3.9 >= 4.3.9
41	-------------------------------------------------------------------
42	3 affected packages on all of their supported architectures.
43	-------------------------------------------------------------------
44
45	Description
46	===========
47
48	Stefano Di Paola discovered two bugs in PHP. The first is a parse error
49	in php_variables.c that could allow a remote attacker to view the
50	contents of the target machine's memory. Additionally, an array
51	processing error in the SAPI_POST_HANDLER_FUNC() function inside
52	rfc1867.c could lead to the $_FILES array being overwritten.
53
54	Impact
55	======
56
57	A remote attacker could exploit the first vulnerability to view memory
58	contents. On a server with a script that provides file uploads, an
59	attacker could exploit the second vulnerability to upload files to an
60	arbitrary location. On systems where the HTTP server is allowed to
61	write in a HTTP-accessible location, this could lead to remote
62	execution of arbitrary commands with the rights of the HTTP server.
63
64	Workaround
65	==========
66
67	There is no known workaround at this time.
68
69	Resolution
70	==========
71
72	All PHP, mod_php and php-cgi users should upgrade to the latest stable
73	version:
74
75	# emerge sync
76
77	# emerge -pv ">=dev-php/php-4.3.9"
78	# emerge ">=dev-php/php-4.3.9"
79
80	# emerge -pv ">=dev-php/mod_php-4.3.9"
81	# emerge ">=dev-php/mod_php-4.3.9"
82
83	# emerge -pv ">=dev-php/php-cgi-4.3.9"
84	# emerge ">=dev-php/php-cgi-4.3.9"
85
86	References
87	==========
88
89	[ 1 ] Secunia Advisory
90	http://secunia.com/advisories/12560/
91	[ 2 ] BugTraq post regarding the php_variables.c issue
92	http://www.securityfocus.com/archive/1/375294
93	[ 3 ] BugTraq post regarding the rfc1867.c issue
94	http://www.securityfocus.com/archive/1/375370
95
96	Availability
97	============
98
99	This GLSA and any updates to it are available for viewing at
100	the Gentoo Security Website:
101
102	http://security.gentoo.org/glsa/glsa-200410-04.xml
103
104	Concerns?
105	=========
106
107	Security is a primary focus of Gentoo Linux and ensuring the
108	confidentiality and security of our users machines is of utmost
109	importance to us. Any security concerns should be addressed to
110	security@g.o or alternatively, you may file a bug at
111	http://bugs.gentoo.org.
112
113	License
114	=======
115
116	Copyright 2004 Gentoo Foundation, Inc; referenced text
117	belongs to its owner(s).
118
119	The contents of this document are licensed under the
120	Creative Commons - Attribution / Share Alike license.
121
122	http://creativecommons.org/licenses/by-sa/1.0
123	-----BEGIN PGP SIGNATURE-----
124	Version: GnuPG v1.2.4 (Darwin)
125
126	iQEVAwUBQWNIwbDO2aFJ9pv2AQJECgf7BBrP7OEsoGjgSR11YB4IFZwTXWsWUJO0
127	WGAfY2VX9ZQNPFJ90Je0Vgb/j50ZR8lfNpg4sjqw/ohouXEsGgAFhckUuVgIvUsv
128	xnmLSVt+cP/w2Gku/dGtQ8yOoi3++JhbIx0UiYv8pH4GcpjOfrJDDfI/ItmQKrCe
129	sGswXjuhYO1pAugzTWpouLdpCofbCqGS23VJbIP0jW6YtsMaxKdI0AteWlBDFCo5
130	0trpIZWdS5eY3wicoFG2y8Cj1zsmLhbUiY0YtYxsuQrw2vrLf6owZavUxSmrRe8R
131	gSNbYNNsFT/vbfsuQcrtKCS2qI4IheK0/nZIbt9YBFEDqYH4UbUXLw==
132	=Qhn7
133	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce