- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PHP: Memory disclosure and arbitrary location file upload
Date: October 06, 2004
Bugs: #64223
ID: 200410-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two bugs in PHP may allow the disclosure of portions of memory and
allow remote attackers to upload files to arbitrary locations.

Background
==========

PHP is a general-purpose scripting language widely used to develop
web-based applications. It can run inside a web server using the
mod_php module or the CGI version of PHP, or can run stand-alone in a
CLI.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  dev-php/php           < 4.3.9                            >= 4.3.9
  2  dev-php/mod_php       < 4.3.9                            >= 4.3.9
  3  dev-php/php-cgi       < 4.3.9                            >= 4.3.9
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Stefano Di Paola discovered two bugs in PHP. The first is a parse error
in php_variables.c that could allow a remote attacker to view the
contents of the target machine's memory. Additionally, an array
processing error in the SAPI_POST_HANDLER_FUNC() function inside
rfc1867.c could lead to the $_FILES array being overwritten.

Impact
======

A remote attacker could exploit the first vulnerability to view memory
contents. On a server with a script that provides file uploads, an
attacker could exploit the second vulnerability to upload files to an
arbitrary location. On systems where the HTTP server is allowed to
write in an HTTP-accessible location, this could lead to remote
execution of arbitrary commands with the rights of the HTTP server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP, mod_php and php-cgi users should upgrade to the latest stable
version:

    # emerge sync

    # emerge -pv ">=dev-php/php-4.3.9"
    # emerge ">=dev-php/php-4.3.9"

    # emerge -pv ">=dev-php/mod_php-4.3.9"
    # emerge ">=dev-php/mod_php-4.3.9"

    # emerge -pv ">=dev-php/php-cgi-4.3.9"
    # emerge ">=dev-php/php-cgi-4.3.9"
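
To confirm the upgrade on several hosts, the check below classifies installed versions against the 4.3.9 threshold from the "Affected packages" table. It is an added example, not part of the Gentoo advisory; the "package version" input format and the inventory lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the advisory.
FIXED_VERSION="4.3.9"   # first unaffected version, from the table above

# ver_lt A B: exit 0 if A < B, 1 if A >= B, 2 if a version is empty or has
# a non-numeric component. Components are compared as integers, so 4.3.10
# sorts after 4.3.9 (a plain string comparison would call 4.3.10 older).
# A Gentoo revision suffix (-rN) is stripped first; that is safe here
# because every revision of 4.3.9 is listed as unaffected.
ver_lt() {
    a=${1%%-r*}; b=${2%%-r*}
    [ -n "$a" ] && [ -n "$b" ] || return 2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0          # missing component counts as 0
        [ -n "$y" ] || y=0
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                        # versions are equal
}

# classify: read "package version" lines on stdin, print one verdict each.
classify() {
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        ver_lt "$ver" "$FIXED_VERSION" && rc=0 || rc=$?
        case $rc in
            0) status=VULNERABLE ;;
            1) status=ok ;;
            *) status=UNKNOWN ;;    # unparsable: review by hand
        esac
        printf '%s %s %s\n' "$pkg" "$ver" "$status"
    done
}

# Constructed inventory (hypothetical package versions, not real data).
classify <<'EOF'
dev-php/php 4.3.8
dev-php/mod_php 4.3.10
dev-php/php-cgi 4.3.9-r1
EOF
```

Versions that cannot be parsed are reported as UNKNOWN rather than silently passed, so pre-release or otherwise unusual version strings get a manual look.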

References
==========

[ 1 ] Secunia Advisory
      http://secunia.com/advisories/12560/
[ 2 ] BugTraq post regarding the php_variables.c issue
      http://www.securityfocus.com/archive/1/375294
[ 3 ] BugTraq post regarding the rfc1867.c issue
      http://www.securityfocus.com/archive/1/375370

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200410-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
123 |
-----BEGIN PGP SIGNATURE----- |
124 |
Version: GnuPG v1.2.4 (Darwin) |
125 |
|
126 |
iQEVAwUBQWNIwbDO2aFJ9pv2AQJECgf7BBrP7OEsoGjgSR11YB4IFZwTXWsWUJO0 |
127 |
WGAfY2VX9ZQNPFJ90Je0Vgb/j50ZR8lfNpg4sjqw/ohouXEsGgAFhckUuVgIvUsv |
128 |
xnmLSVt+cP/w2Gku/dGtQ8yOoi3++JhbIx0UiYv8pH4GcpjOfrJDDfI/ItmQKrCe |
129 |
sGswXjuhYO1pAugzTWpouLdpCofbCqGS23VJbIP0jW6YtsMaxKdI0AteWlBDFCo5 |
130 |
0trpIZWdS5eY3wicoFG2y8Cj1zsmLhbUiY0YtYxsuQrw2vrLf6owZavUxSmrRe8R |
131 |
gSNbYNNsFT/vbfsuQcrtKCS2qI4IheK0/nZIbt9YBFEDqYH4UbUXLw== |
132 |
=Qhn7 |
133 |
-----END PGP SIGNATURE----- |