View Source

Original release date: February 27, 2002<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Web servers running PHP</LI>
</UL>


<A NAME="overview">
<H2>Overview</H2>
<P>

Multiple vulnerabilities exist in the PHP scripting language.  These
vulnerabilities could allow a remote attacker to execute arbitrary
code with the privileges of the PHP process.

</P>



<A NAME="description">
<H2>I. Description</H2>

<P>PHP is a scripting language widely used in web development. PHP can 
be installed on a variety of web servers, including Apache, IIS, 
Caudium, Netscape and iPlanet, OmniHTTPd and others. Vulnerabilities 
in the php_mime_split function may allow an intruder to execute 
arbitrary code with the privileges of the web server. For additional 
details, see
<BLOCKQUOTE>
<A HREF="http://security.e-matters.de/advisories/012002.html">http://security.e-matters.de/advisories/012002.html</A>
</BLOCKQUOTE>
 Web servers that do not have PHP installed are not affected by this 
vulnerability.  

<p>

The CERT/CC is tracking this set of vulnerabilities as <a
href="http://www.kb.cert.org/vuls/id/297363">VU#297363</a>.  At this
time, these vulnerabilities have not been assigned a CVE identifier.

</p>

<A NAME="impact">
<H2>II. Impact</H2>

<P>Intruders can execute arbitrary code with the privileges of the web 
server, or interrupt normal operations of the web server.</P>


<A NAME="solution">
<H2>III. Solution</H2>
<h4>Apply a Patch</h4>

<P>Upgrade to PHP version 4.1.2, available from
<BLOCKQUOTE>
<A HREF="http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz">http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz</A>
</BLOCKQUOTE>
If upgrading is not possible, apply patches as described at 
<a href="http://www.php.net/downloads.php">http://www.php.net/downloads.php</a>: 


<UL>
<LI>For PHP 4.10/4.11<BR>
<A HREF="http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz">http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz</A></LI>

<LI>For PHP 4.06<BR>
<A HREF="http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz">http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz</A></LI>

<LI>For PHP 3.0<BR>
<A HREF="http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz">http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz</A></LI>
</UL>

 If you are using version 4.20-dev, you are not affected by this 
vulnerability. Quoting from <A HREF="http://security.e-matters.de/advisories/012002.htm">http://security.e-matters.de/advisories/012002.htm</A>:
<BLOCKQUOTE>
"[U]sers running PHP 4.2.0-dev from cvs are not vulnerable to any of the described 
bugs because the fileupload code was completly rewritten for the 
4.2.0 branch."</BLOCKQUOTE></P>

<h4>Disable fileuploads</h4>
<P>If upgrading is not possible or a patch cannot be applied, you can 
avoid these vulnerabilities by disabling fileupload support.  Edit the PHP configuration file <FONT FACE="courier">php.ini</FONT> as follows:
<BLOCKQUOTE>
<FONT FACE="courier">file_uploads = off</FONT>
</BLOCKQUOTE>

Note that this setting only applies to version 4.0.3 and
above. However, this will prevent you from using fileuploads, which
may not be acceptable in your environment. </P>


<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If
a particular vendor is not listed below, we have not received their
comments.</P>


<!-- begin vendor -->
<A NAME="php">
<H4>Apache Software Foundation</H4>
<p>

Information about this vulnerability is available from <A
HREF="http://www.php.net/">http://www.php.net</a>

</p>

<!-- end vendor -->

<!-- begin vendor -->
<A NAME="FreeBSD">
<H4>FreeBSD</H4>
<p>

FreeBSD does not include any version of PHP by default, and so is not
vulnerable. However, the FreeBSD Ports Collection does contain both
PHP3 and PHP4 packages. Updates to the PHP packages are in progress
and corrected packages will be available in the near future.


</p>

<!-- begin vendor -->
<A NAME="MandrakeSoft">
<H4>MandrakeSoft</H4>
<p>

MandrakeSoft distributes PHP in all distributions and we are
currently working on patching our versions of PHP for Linux-Mandrake
7.1 and 7.2; Mandrake Linux 8.0, 8.0/ppc, 8.1, and 8.1/ia64; Single
Network Firewall 7.2; Corporate Server 1.0.1. </p>

<p>We anticipate having the updates out by the end of the week.</p>

<!-- end vendor -->

<!-- end vendor -->

<!-- begin vendor -->
<A NAME="Microsoft">
<H4>Microsoft</H4>
<p>

We do not use PHP in any products.

</p>


<!-- begin vendor -->
<A NAME="NCSA">
<H4>NCSA</H4>
<p>
NCSA does not include PHP as an add-in or bundled component in any
products distributed.
</p>




<!-- begin vendor -->


<!-- begin vendor -->
<A NAME="Redhat">
<H4>Red Hat</H4>
<p>Red Hat was notified of this issue on 27th February 2002.  All
supported versions of Red Hat Linux ship with PHP packages that are
affected by these vulnerabilities.  We will shortly be releasing
errata packages which contain patched versions that are not
vulnerable.  The errata packages and our advisory will be available on
our web site at the URL below.  At the same time users of the Red Hat
Network will be able to update their systems to patched versions using
the up2date tool.</p>

<dl>
<dd>

<A
HREF="http://www.redhat.com/support/errata/RHSA-2002-035.html">http://www.redhat.com/support/errata/RHSA-2002-035.html</a>

</dd>
</dl>
<!-- end vendor -->


<HR NOSHADE>

<p>The CERT Coordination Center thanks Stefan Esser, upon whose
advisory this document is largely based.</p>

<P></P>

<HR NOSHADE>

<P>Author: <A HREF="mailto:cert@cert.org?subject=CA-2002-05%20Feedback%20VU%23297363">Shawn V. Hernan</A>

<hr noshade>
<p>
<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<LI><A HREF="http://www.kb.cert.org/vuls/id/297363">http://www.kb.cert.org/vuls/id/297363</A></LI>
<LI><A
HREF="http://security.e-matters.de/advisories/012002.html">http://security.e-matters.de/advisories/012002.html</A></LI>

<li><A href="http://www.iss.net/security_center/static/8281.php">http://www.iss.net/security_center/static/8281.php</a></li>

</ol>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2002 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
February 27, 2002:  Initial release
</PRE>