Gentoo Archives: gentoo-user-es

From: Ferry Meyndert <m0rpheus@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-user-es] [gentoo-announce] GLSA: PHP contains a vulnerable data handler that could allow remote compromise
Date: Mon, 22 Jul 2002 10:38:04
Message-Id: 1027352465.3871.39.camel@zeus.mine.nu
--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE : php, mod_php
SUMMARY : Vulnerable data handler
DATE    : 2002-07-22 16:51:00

--------------------------------------------------------------------

OVERVIEW

e-matters has discovered a serious vulnerability in the multipart/form-data
POST handler of current PHP releases (introduced in PHP 4.2.0, fixed in
4.2.2). Depending on the processor architecture it may be possible for a
remote attacker to either crash or compromise the web server.


DETAIL
PHP 4.2.0 introduced a completely rewritten multipart/form-data POST
handler. While I was working on the code in my role as PHP developer I
found a bug within the way the MIME headers are processed. A malformed
POST request can trigger an error condition that is not correctly
handled. Due to this bug it could happen that an uninitialised struct
gets appended to the linked list of MIME headers. When the list gets
cleaned or destroyed PHP tries to free the pointers that are expected in
the struct. Because of the lack of initialisation those pointers
contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (aka x86) it is not possible to control what
will end up in the uninitialised struct because of the stack layout. All
possible code paths leave illegal addresses within the struct and PHP
will crash when it tries to free them.

Unfortunately the situation is absolutely different if you look at a
Solaris SPARC installation. Here it is possible for an attacker to free
chunks of memory that are fully under his control. This is most probably
the case for several more non-IA32 architectures.

Please note that exploitability is not only limited to systems that are
running malloc()/free() implementations that are known to be vulnerable
to control structure overwrites. This is because the internal PHP memory
management implements its own linked list system that can be used to
overwrite nearly arbitrary memory addresses.
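
The bug class described above in miniature, as an added example that is not part of the advisory and not PHP's source: a hypothetical MIME header list whose error path appends a struct the parser never filled in, beside the corrected handling. All struct, list and function names are invented for this illustration, and the leftover pointers come from a reused parse struct rather than from stack residue, because that is the only way to make the behaviour deterministic outside PHP; the effect is the same, the cleanup frees pointers that the request, not the parser, put there.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a MIME header list, added to illustrate the bug class
 * described above. Names and layout are invented for this example; this is
 * not PHP's real multipart/form-data code. */
typedef struct header { char *name, *value; struct header *next; } header_t;
typedef struct { header_t *head; size_t count; } header_list_t;

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}
/* Parses "Name: value" into *out. On a malformed line it returns -1 and leaves
 * *out untouched: that is the error condition the caller must handle. */
static int parse_header_line(const char *line, header_t *out) {
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line) return -1;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;
    char *name = dup_range(line, (size_t)(colon - line));
    char *value = dup_range(v, strlen(v));
    if (name == NULL || value == NULL) { free(name); free(value); return -1; }
    out->name = name; out->value = value;
    return 0;
}
/* Appends a heap copy of *h to the end of the list. */
static int list_append(header_list_t *l, const header_t *h) {
    header_t *node = malloc(sizeof *node), **tail = &l->head;
    if (node == NULL) return -1;
    *node = *h; node->next = NULL;
    while (*tail != NULL) tail = &(*tail)->next;
    *tail = node; l->count++;
    return 0;
}

/* Vulnerable pattern: one parse struct is reused and appended even when the
 * parser failed. After a malformed line it still carries the previous header's
 * pointers (standing in for the stack residue the advisory describes), so two
 * nodes own the same strings and the cleanup frees them twice; and since the
 * previous header came from the request, those pointers are attacker-chosen. */
int build_list_vulnerable(header_list_t *l, const char *const *lines, size_t n) {
    header_t cur = {0};
    int rc = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_header_line(lines[i], &cur) != 0) rc = -1; /* BUG: noted, not handled */
        if (list_append(l, &cur) != 0) return -1;             /* appended regardless */
    }
    return rc;
}
/* Hardened pattern: a fresh zeroed struct per line, and nothing half-built ever
 * reaches the list, so list_destroy() releases every pointer exactly once. */
int build_list_fixed(header_list_t *l, const char *const *lines, size_t n) {
    for (size_t i = 0; i < n; i++) {
        header_t cur = {0};
        if (parse_header_line(lines[i], &cur) != 0) return -1;
        if (list_append(l, &cur) != 0) { free(cur.name); free(cur.value); return -1; }
    }
    return 0;
}

/* Nodes whose name or value is also owned by an earlier node: each one is a
 * double free waiting to happen when the list is destroyed. */
size_t count_aliased_nodes(const header_list_t *l) {
    size_t aliased = 0;
    for (const header_t *a = l->head; a != NULL; a = a->next)
        for (const header_t *b = l->head; b != a; b = b->next)
            if ((a->name && a->name == b->name) || (a->value && a->value == b->value)) {
                aliased++;
                break;
            }
    return aliased;
}
/* Releases nodes and strings once; safe only for a list with no aliased nodes. */
void list_destroy(header_list_t *l) {
    for (header_t *h = l->head, *next; h != NULL; h = next) {
        next = h->next; free(h->name); free(h->value); free(h);
    }
    l->head = NULL; l->count = 0;
}

/* Constructed sample: a valid header, a malformed line, another valid header. */
static const char *const sample_lines[] = {
    "Content-Disposition: form-data; name=\"upload\"",
    "this line has no colon and takes the error path",
    "Content-Type: text/plain",
};
/* Vulnerable path: returns the number of aliased nodes. The list is deliberately
 * not destroyed, because destroying it is exactly where the double free happens. */
size_t aliased_nodes_vulnerable(void) {
    header_list_t l = {0};
    build_list_vulnerable(&l, sample_lines, sizeof sample_lines / sizeof *sample_lines);
    return count_aliased_nodes(&l);
}
/* Fixed path: stops at the malformed line, leaving one clean node it can free. */
size_t aliased_nodes_fixed(void) {
    header_list_t l = {0};
    build_list_fixed(&l, sample_lines, sizeof sample_lines / sizeof *sample_lines);
    size_t aliased = count_aliased_nodes(&l);
    list_destroy(&l);
    return aliased;
}
```

With the three constructed lines, the vulnerable path builds three nodes of which the second shares its strings with the first (one aliased node), while the fixed path rejects the request at the malformed line and leaves a list that can be destroyed exactly once.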


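Why the last paragraph matters, as an added example that comes from neither the advisory nor PHP nor any real allocator: when an allocator keeps free chunks on a doubly linked list and unlinks them without checks, freeing a chunk whose link fields the attacker controls turns free() into a write of a chosen value to a chosen address, which is why exploitability does not depend on the C library's malloc being weak. The chunk layout, the frame_t stand-in for the target memory and the function names are assumptions made for this illustration; the checked variant shows the back-pointer test that hardened allocators use to refuse a forged chunk.

```c
#include <stddef.h>

/* Toy free-list chunk as kept by allocators that thread free blocks on a doubly
 * linked list. Hypothetical and simplified for this example; it is not PHP's
 * memory manager, whose layout the advisory does not describe. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk (meaningful only while free) */
    struct chunk *bk;   /* previous free chunk */
} chunk_t;

/* The classic unlink step, run when a chunk leaves the free list (e.g. while
 * coalescing in free()). Two pointer-sized writes happen, each to an address
 * read out of the chunk itself, so a chunk the attacker controls turns free()
 * into a write of an attacker-chosen value to an attacker-chosen address. */
static void unlink_chunk(chunk_t *c) {
    chunk_t *f = c->fd, *b = c->bk;
    f->bk = b;   /* write 1: *(fd + offsetof(chunk_t, bk)) = bk */
    b->fd = f;   /* write 2: *(bk + offsetof(chunk_t, fd)) = fd */
}

/* Hardened unlink: refuse unless both neighbours point back at c, a property a
 * forged chunk cannot satisfy without already owning the target memory. */
static int unlink_chunk_checked(chunk_t *c) {
    if (c->fd == NULL || c->bk == NULL || c->fd->bk != c || c->bk->fd != c)
        return -1;
    unlink_chunk(c);
    return 0;
}

/* A stand-in for the memory an attacker wants to hit: some locals followed by a
 * pointer slot (think function pointer or saved return address). Keeping the
 * slot inside one object keeps the forged pointer arithmetic valid C. */
typedef struct { char locals[32]; chunk_t *slot; } frame_t;

/* Builds the "fully under his control" chunk: fd is aimed so that write 1 lands
 * on fr->slot, and bk is the value planted there. Write 2 scribbles on bk->fd,
 * so bk must itself be writable, which attacker-owned memory is. */
static void forge_chunk(chunk_t *evil, frame_t *fr, chunk_t *payload) {
    evil->size = 0;
    evil->fd = (chunk_t *)((char *)&fr->slot - offsetof(chunk_t, bk));
    evil->bk = payload;
}

/* Returns 1 if freeing the forged chunk through the unchecked unlink redirected
 * the slot into attacker memory (and write 2 landed in the payload, as expected). */
int demo_unchecked_unlink(void) {
    frame_t fr = {{0}, NULL};
    chunk_t payload = {0, NULL, NULL}, evil;
    forge_chunk(&evil, &fr, &payload);
    unlink_chunk(&evil);
    return fr.slot == &payload && payload.fd == evil.fd;
}

/* Returns 1 if the checked unlink refused the forged chunk and left the slot alone. */
int demo_checked_unlink(void) {
    frame_t fr = {{0}, NULL};
    chunk_t payload = {0, NULL, NULL}, evil;
    forge_chunk(&evil, &fr, &payload);
    return unlink_chunk_checked(&evil) == -1 && fr.slot == NULL;
}
```

The second write is the price of the primitive: whatever value is planted into the slot must also be writable memory, which is why real exploits plant a pointer into data they already control rather than an arbitrary constant.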
SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge php mod_php
emerge clean

Manually:

Download the new PHP package from the URL below and follow the
instructions included in the archive:
http://www.php.net/distributions/php-4.2.2.tar.gz
Workaround:

If the PHP applications on an affected web server do not rely on HTTP
POST input from user agents, it is often possible to deny POST requests
on the web server.

In the Apache web server, for example, this is possible with the
following directives included in the main configuration file or a
top-level .htaccess file:

<Limit POST>
Order deny,allow
Deny from all
</Limit>

Note that an existing configuration and/or .htaccess file may have
parameters contradicting the example given above. When the block is
placed in a .htaccess file it only takes effect if the AllowOverride
setting for that directory includes Limit.
--------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
http://www.gentoo.org/~m0rpheus
--------------------------------------------------------------------
_______________________________________________
gentoo-announce mailing list
gentoo-announce@g.o
http://lists.gentoo.org/mailman/listinfo/gentoo-announce