Original release date: July 22, 2002<br>
Last revised: Thu Jul 25 09:23:27 EDT 2002<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>


<br>
<a name="affected"></a>
<h3>Systems Affected</h3>
<ul>
<li>Systems running PHP versions 4.2.0 or 4.2.1</li>
</ul>


<br>
<a name="overview"></a>
<h2>Overview</h2>
<p>
A vulnerability has been discovered in PHP. This vulnerability could
be used by a remote attacker to execute arbitrary code or crash PHP
and/or the web server.
</p>

<br>
<a name="description"></a>
<h2>I. Description</h2>
<p>
PHP is a popular scripting language in widespread use. For more
information about PHP, see
</p>
<dl>
<dd>
<a href="http://www.php.net/manual/en/faq.general.php">http://www.php.net/manual/en/faq.general.php</a>
</dd>
</dl>

<p>
The vulnerability occurs in the portion of PHP code responsible for
handling file uploads, specifically multipart/form-data. By sending a
specially crafted POST request to the web server, an attacker can
corrupt the internal data structures used by PHP. Specifically, an
intruder can cause an improperly initialized memory structure to be
freed. In most cases, an intruder can use this flaw to crash PHP or
the web server. Under some circumstances, an intruder may be able to
take advantage of this flaw to execute arbitrary code with the
privileges of the web server.</p>

<p>You may be aware that freeing memory at inappropriate times in some
implementations of malloc and free does not usually result in the
execution of arbitrary code. However, because PHP utilizes its own
memory management system, the implementation of malloc and free is
irrelevant to this problem.</p>


<p>Stefan Esser of e-matters GmbH has indicated that intruders
<i>cannot</i> execute code on x86 systems. However, we encourage
system administrators to apply patches on x86 systems as well to guard
against denial-of-service attacks and as-yet-unknown attack techniques
that may permit the execution of code on x86 architectures. </p>


<p>
This vulnerability was discovered by e-matters GmbH and is described
in detail in their <a
href="http://security.e-matters.de/advisories/022002.html">advisory</a>. The
PHP Group has also issued an <a
href="http://www.php.net/release_4_2_2.php">advisory</a>. A list of
vendors contacted by the CERT/CC and their status regarding this
vulnerability is available in <a
href="http://www.kb.cert.org/vuls/id/929115">VU#929115</a>.
</p>

<p>
Although this vulnerability only affects PHP 4.2.0 and 4.2.1,
e-matters GmbH has previously identified vulnerabilities in older
versions of PHP. If you are running older versions of PHP, we
encourage you to review <a
href="http://security.e-matters.de/advisories/012002.html">http://security.e-matters.de/advisories/012002.html</a>
</p>
<br>

<a name="impact"></a>
<h2>II. Impact</h2>

<p>
A remote attacker can execute arbitrary code on a vulnerable
system. An attacker may not be able to execute code on x86
architectures due to the way the stack is structured. However, an
attacker can leverage this vulnerability to crash PHP and/or the web
server running on an x86 architecture.
</p>

<br>
<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>

<p>
<a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not received
their comments.  Please contact your vendor directly.
</p>

<h4>Upgrade to the latest version of PHP</h4>

<p>
If a patch is not available from your vendor, <a
href="http://www.php.net/downloads.php">upgrade</a> to version 4.2.2.
</p>


<h4>Deny POST requests</h4>
<p>
Until patches or an update can be applied, you may wish to deny POST
requests. The following workaround is taken from the <a
href="http://www.php.net/release_4_2_2.php"> PHP Security
Advisory</a>:
</p>
<blockquote>
<p>
If the PHP applications on an affected web server do not rely on
HTTP POST input from user agents, it is often possible to deny POST
requests on the web server.
</p>
<p>
In the Apache web server, for example, this is possible with the
following code included in the main configuration file or a top-level
.htaccess file:
</p>
<p><font face="courier"><small>
&lt;Limit POST&gt;<br>
&nbsp;&nbsp;&nbsp;Order deny,allow<br>
&nbsp;&nbsp;&nbsp;Deny from all<br>
&lt;/Limit&gt;
</small></font></p>
<p>
Note that an existing configuration and/or .htaccess file may have
parameters contradicting the example given above.
</p>
</blockquote>
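<p>
The workaround above is only safe where no PHP application on the host depends on POST input. The following added script (not part of the CERT/CC or PHP Group advisory) checks a reported PHP version against the two affected releases and tallies POST requests to PHP scripts in Apache access-log lines, so an administrator can see which paths the blanket <code>&lt;Limit POST&gt;</code> rule would break. The log lines and script paths in it are constructed sample data.
</p>

```python
import re
from collections import Counter

# Affected PHP versions named in this advisory (CA-2002-21).
AFFECTED_PHP_VERSIONS = {"4.2.0", "4.2.1"}

# Request line inside an Apache Common/Combined Log Format entry:
# "<METHOD> <PATH> HTTP/<version>"
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def php_version_affected(version_string):
    """True if a reported PHP version (e.g. '4.2.1') is one of the
    versions this advisory lists as vulnerable."""
    return version_string.strip() in AFFECTED_PHP_VERSIONS


def post_requests_to_php(log_lines):
    """Count POST requests per PHP script path in Apache access-log lines.

    A non-empty result means some application on the host accepts POST
    input; denying POST globally would break those paths, so a vendor
    patch or the 4.2.2 upgrade should be applied instead for them."""
    counts = Counter()
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.lower().endswith((".php", ".php3", ".php4")):
            counts[path] += 1
    return dict(counts)


# Constructed sample log lines; hosts and paths are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2002:10:00:01 -0400] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.6 - - [22/Jul/2002:10:00:02 -0400] "POST /upload.php HTTP/1.1" 200 88',
    '10.0.0.7 - - [22/Jul/2002:10:00:03 -0400] "POST /upload.php?x=1 HTTP/1.0" 200 88',
    '10.0.0.8 - - [22/Jul/2002:10:00:04 -0400] "POST /cgi-bin/form.pl HTTP/1.1" 200 40',
    '10.0.0.9 - - [22/Jul/2002:10:00:05 -0400] "GET /contact.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("PHP 4.2.1 affected:", php_version_affected("4.2.1"))
    for path, n in sorted(post_requests_to_php(SAMPLE_LOG).items()):
        print(f"{n:4d} POST requests to {path}")
```

Feed real access-log lines to <code>post_requests_to_php</code> instead of <code>SAMPLE_LOG</code> to evaluate a production host.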

<h4>Disable vulnerable service</h4>
<p>
Until you can upgrade or apply patches, you may wish to disable PHP.
As a best practice, the CERT/CC recommends disabling all services that
are not explicitly required. Before deciding to disable PHP, carefully
consider your service requirements.
</p>

<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<p>
This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments.
</p>

<a name="apple"></a>
<h4>Apple Computer Inc.</h4>
<dl>
<dd>
<p>
Mac OS X and Mac OS X Server are shipping with PHP version 4.1.2 which
does not contain the vulnerability described in this alert.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="caldera"></a>
<h4>Caldera</h4>
<dl>
<dd>
<p>
Caldera OpenLinux does not provide either vulnerable version (4.2.0,
4.2.1) of PHP in their products. Therefore, Caldera products are not
vulnerable to this issue.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="compaq"></a>
<h4>Compaq Computer Corporation</h4>
<dl>
<dd>
<p>
We have verified that this problem is not present on our distributions
for HP Tru64 UNIX or HP OpenVMS products.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="conectiva"></a>
<h4>Conectiva</h4>
<dl>
<dd>
<p>
PHP 4.2.x is not shipped with Conectiva Linux.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="cray"></a>
<h4>Cray Inc.</h4>
<dl>
<dd>
<p>
Cray, Inc. does not supply PHP on any of its systems.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="debian"></a>
<h4>Debian</h4>
<dl>
<dd>
<p>
Debian GNU/Linux stable aka 3.0 is not vulnerable.<br>
Debian GNU/Linux testing is not vulnerable.<br>
Debian GNU/Linux unstable is vulnerable.<br>
<br>
The problem affects PHP versions 4.2.0 and 4.2.1. Woody ships an older version
of PHP (4.1.2) that doesn't contain the vulnerable function.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="f5networks"></a>
<h4>F5 Networks, Inc.</h4>
<dl>
<dd>
<p>
F5 Networks products do not include PHP 4.2.0 or 4.2.1, and are
therefore not affected by this vulnerability.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="freebsd"></a>
<h4>FreeBSD</h4>
<dl>
<dd>
<p>
FreeBSD does not include any version of PHP by default, and so is not
vulnerable; however, the FreeBSD Ports Collection does contain the
PHP4 package. Updates to the PHP4 package are in progress and a
corrected package will be available in the near future.
</p>
</dd>
</dl>
<!-- end vendor -->



<a name="guardian"></a>
<h4>Guardian Digital</h4>
<dl>
<dd>
<p>
Guardian Digital has not shipped PHP 4.2.x in any versions of EnGarde,
therefore we are not believed to be vulnerable at this time.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="hp"></a>
<h4>Hewlett-Packard Company</h4>
<dl>
<dd>
<p>
SOURCE:&nbsp; Hewlett-Packard Company Security Response Team<br>
<br>
At the time of writing this document, Hewlett Packard is currently investigating
the potential impact to HP's released Operating System software products.
<br>
<br>
As further information becomes available, HP will provide notice of the availability
of any necessary patches through standard security bulletin announcements,
and they will be available from your normal HP Services support channel.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="ibm"></a>
<h4>IBM</h4>
<dl>
<dd>
<p>
IBM is not vulnerable to the above vulnerabilities in PHP. We do
supply the PHP packages for AIX through the AIX Toolbox for Linux
Applications. However, these packages are at 4.0.6 and also
incorporate the security patch from 2/27/2002.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="mandrakesoft"></a>
<h4>Mandrakesoft</h4>
<dl>
<dd>
<p>
Mandrake Linux does not ship with PHP version 4.2.x and as such is not
vulnerable.  The Mandrake Linux cooker does currently contain PHP
4.2.1 and will be updated shortly, but cooker should not be used in a
production environment and no advisory will be issued.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="microsoft"></a>
<h4>Microsoft Corporation</h4>
<dl>
<dd>
<p>
Microsoft products are not affected by the issues detailed in this
advisory.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="networkappliance"></a>
<h4>Network Appliance</h4>
<dl>
<dd>
<p>
No Netapp products are vulnerable to this.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="redhat"></a>
<h4>Red Hat Inc.</h4>
<dl>
<dd>
<p>
None of our commercial releases ship with vulnerable versions of PHP
(4.2.0, 4.2.1).
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="sgi"></a>
<h4>SGI</h4>
<dl>
<dd>
<p>
SGI acknowledges the PHP vulnerability reported by CERT and is
currently investigating.  PHP does not currently ship as part of IRIX
so SGI can confirm that base IRIX is not vulnerable. No further
information is available at this time.<br><br>
For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems.  Until SGI
has more definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements.  As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list on
http://www.sgi.com/support/security/.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="suse"></a>
<h4>SuSE Inc.</h4>
<dl>
<dd>
<p>
SuSE Linux is not vulnerable to this problem, as we do not ship PHP
4.2.x.
</p>
</dd>
</dl>
<!-- end vendor -->

<a name="trustix"></a>
<h4>Trustix</h4>
<dl>
<dd>
<p>
The TSL team states that none of the versions of the Trustix Secure
Linux distribution is vulnerable to the php 4.2.{0,1} vulnerability
(CA-2002-21) as none of the TSL versions is shipped with php 4.2.x.
</p>
</dd>
</dl>
<!-- end vendor -->


<hr noshade>

<p>
The CERT/CC acknowledges e-matters GmbH for discovering and reporting
this vulnerability.
</p>


<hr noshade>

<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2002-21%20Feedback%20%5bVU%23929115%5d">Ian
A. Finlay</a>.</p>



<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History</p>
<pre>
July 22, 2002: Initial release
July 23, 2002: Added vendor statement for F5 Networks, Inc.
July 23, 2002: Added vendor statement for Conectiva
July 24, 2002: Added vendor statement for Trustix
July 24, 2002: Added vendor statement for SGI
July 25, 2002: Updated vendor statement for Compaq Computer Corporation
</pre>