US-CERT Vulnerability Notes Database
Vulnerability Note VU#929115

PHP fails to properly parse the headers of HTTP POST requests

Overview

A vulnerability has been discovered in PHP. This vulnerability could be used by a remote attacker to execute arbitrary code or crash PHP and/or the web server.

I. Description

PHP is a popular scripting language in widespread use. For more information about PHP, see http://www.php.net/manual/en/faq.general.php.

The vulnerability occurs in the portion of PHP code responsible for handling file uploads, specifically multipart/form-data. By sending a specially crafted POST request to the web server, an attacker can corrupt the internal data structures used by PHP. Specifically, an intruder can cause an improperly initialized memory structure to be freed. In most cases, an intruder can use this flaw to crash PHP or the web server. Under some circumstances, an intruder may be able to take advantage of this flaw to execute arbitrary code with the privileges of the web server.

With some implementations of malloc and free, freeing memory at inappropriate times does not usually lead to the execution of arbitrary code. However, because PHP uses its own memory management system, the behaviour of the system's malloc and free is irrelevant to this problem.

Stefan Esser of e-matters GmbH has indicated that intruders cannot execute code on x86 systems. However, we encourage system administrators to apply patches on x86 systems as well to guard against denial-of-service attacks and as-yet-unknown attack techniques that may permit the execution of code on x86 architectures.

This vulnerability was discovered by e-matters GmbH and is described in detail in their advisory. The PHP Group has also issued an advisory. A list of vendors contacted by the CERT/CC and their status regarding this vulnerability is available in VU#929115.

Although this vulnerability only affects PHP 4.2.0 and 4.2.1, e-matters GmbH has previously identified vulnerabilities in older versions of PHP. If you are running older versions of PHP, we encourage you to review http://security.e-matters.de/advisories/012002.html.

II. Impact

A remote attacker can execute arbitrary code on a vulnerable system. An attacker may not be able to execute code on x86 architectures due to the way the stack is structured. However, an attacker can leverage this vulnerability to crash PHP and/or the web server running on an x86 architecture.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Upgrade to the latest version of PHP

If a patch is not available from your vendor, upgrade to version 4.2.2.

Deny POST requests

Until patches or an update can be applied, you may wish to deny POST requests. The following workaround is taken from the PHP Security Advisory:

      If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.

      In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:

      <Limit POST>
         Order deny,allow
         Deny from all
      </Limit>

      Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.

Disable vulnerable service

Until you can upgrade or apply patches, you may wish to disable PHP. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. Before deciding to disable PHP, carefully consider your service requirements.
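Two checks an administrator applying the solutions above would want to automate, added here as an example (not code from the CERT/CC or the PHP Group): whether a php -v banner reports one of the affected releases (4.2.0, 4.2.1; 4.2.2 is the fix), and whether an Apache configuration actually carries the <Limit POST> workaround without an Allow directive in the same block contradicting it. The config parser is a deliberately narrow assumption that only recognises the Order/Deny form quoted from the PHP Security Advisory.

```python
import re

# Releases this note lists as affected; 4.2.2 is the fixed release.
VULNERABLE_VERSIONS = {(4, 2, 0), (4, 2, 1)}


def parse_php_version(banner):
    """Extract (major, minor, patch) from 'php -v' style output, e.g. 'PHP 4.2.1 (cli)'."""
    m = re.search(r"PHP\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    return tuple(int(x) for x in m.groups())


def php_is_vulnerable(banner):
    """True when the banner reports one of the affected releases (4.2.0 or 4.2.1)."""
    return parse_php_version(banner) in VULNERABLE_VERSIONS


def post_denied(config_text):
    """Check an Apache 1.3/2.0 style config for the advisory's workaround.

    Looks for a <Limit POST> block containing 'Order deny,allow' and
    'Deny from all'. An 'Allow from' directive inside the same block is
    reported as a contradiction, which the advisory warns about.
    Returns (denied, reason).
    """
    blocks = re.findall(r"<Limit\s+([^>]*)>(.*?)</Limit>", config_text, re.I | re.S)
    for methods, body in blocks:
        if "POST" not in methods.upper().split():
            continue
        lines = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
        has_order = any(re.fullmatch(r"order\s+deny\s*,\s*allow", ln) for ln in lines)
        has_deny = any(re.fullmatch(r"deny\s+from\s+all", ln) for ln in lines)
        has_allow = any(ln.startswith("allow from") for ln in lines)
        if has_allow:
            return False, "Allow from inside <Limit POST> contradicts Deny from all"
        if has_order and has_deny:
            return True, "POST denied by <Limit POST> block"
        return False, "<Limit POST> block lacks Order deny,allow / Deny from all"
    return False, "no <Limit POST> block found"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real server.
    print(php_is_vulnerable("PHP 4.2.1 (cli) (built: Jul 22 2002)"))
    print(post_denied("<Limit POST>\n   Order deny,allow\n   Deny from all\n</Limit>\n"))
```

The Order/Deny syntax matches the Apache generation the advisory was written for; Apache 2.4 expresses the same restriction with Require all denied inside <Limit POST>, which this checker does not recognise.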


Systems Affected

Vendor                           Status           Date Updated
-------------------------------  ---------------  ------------
3Com                             Unknown          22-Jul-2002
Alcatel                          Unknown          22-Jul-2002
Apple Computer Inc.              Not Vulnerable   22-Jul-2002
AT&T                             Unknown          22-Jul-2002
BSDI                             Unknown          22-Jul-2002
Cisco Systems Inc.               Unknown          22-Jul-2002
Compaq Computer Corporation      Unknown          22-Jul-2002
Computer Associates              Unknown          22-Jul-2002
Conectiva                        Not Vulnerable   23-Jul-2002
Cray Inc.                        Not Vulnerable   22-Jul-2002
Data General                     Unknown          22-Jul-2002
Debian                           Vulnerable       22-Jul-2002
F5 Networks                      Not Vulnerable   23-Jul-2002
FreeBSD                          Vulnerable       22-Jul-2002
Fujitsu                          Unknown          22-Jul-2002
Guardian Digital Inc.            Unknown          22-Jul-2002
Guardian Digital Inc.            Not Vulnerable   22-Jul-2002
Hewlett-Packard Company          Not Vulnerable   25-Jul-2002
IBM                              Not Vulnerable   22-Jul-2002
Intel                            Unknown          22-Jul-2002
Juniper Networks                 Unknown          22-Jul-2002
Lachman                          Unknown          22-Jul-2002
Lotus Software                   Unknown          22-Jul-2002
Lucent Technologies              Unknown          22-Jul-2002
MandrakeSoft                     Vulnerable       22-Jul-2002
Microsoft Corporation            Not Vulnerable   22-Jul-2002
Multinet                         Unknown          22-Jul-2002
NEC Corporation                  Unknown          22-Jul-2002
NetBSD                           Unknown          22-Jul-2002
Network Appliance                Not Vulnerable   22-Jul-2002
Nortel Networks                  Unknown          22-Jul-2002
OpenBSD                          Unknown          22-Jul-2002
Oracle Corporation               Unknown          22-Jul-2002
PHP Development Team             Vulnerable       22-Jul-2002
Red Hat Inc.                     Not Vulnerable   22-Jul-2002
Sequent                          Unknown          22-Jul-2002
SGI                              Unknown          24-Jul-2002
Sony Corporation                 Unknown          22-Jul-2002
Sun Microsystems Inc.            Unknown          22-Jul-2002
SuSE Inc.                        Not Vulnerable   22-Jul-2002
The SCO Group (SCO Linux)        Not Vulnerable   22-Jul-2002
Trustix                          Not Vulnerable   24-Jul-2002
Unisphere Networks               Unknown          22-Jul-2002
Unisys                           Unknown          22-Jul-2002
Wind River Systems Inc.          Unknown          22-Jul-2002
Xerox Corporation                Not Vulnerable   30-May-2003

References

http://www.php.net/release_4_2_2.php
http://online.securityfocus.com/archive/1/283532
http://online.securityfocus.com/archive/1/283533
http://www.securityfocus.com/bid/5278

Credit

Thanks to e-matters Security for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

Date Public: 07/22/2002
Date First Published: 07/22/2002 10:59:30 AM
Date Last Updated: 05/30/2003
CERT Advisory: CA-2002-21
CVE Name: CAN-2002-0717
US-CERT Technical Alerts:
Metric: 42.53
Document Revision: 35

Copyright 2002 Carnegie Mellon University