Vulnerabilities in PHP versions 3 and 4 could allow an intruder to execute arbitrary code with the privileges of the web server.
PHP is a scripting language widely used in web development. PHP can be installed on a variety of web servers, including Apache, IIS, Caudium, Netscape and iPlanet, OmniHTTPd and others. Vulnerabilities in the php_mime_split function may allow an intruder to execute arbitrary code with the privileges of the web server. For additional details, see
Intruders can execute arbitrary code with the privileges of the web server, or interrupt normal operations of the web server.
Upgrade to PHP version 4.1.2, available from http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz. If upgrading is not possible, apply patches as described at http://www.php.net/downloads.php:
If upgrading is not possible or a patch cannot be applied, you can avoid these vulnerabilities by setting file_uploads = Off in the php.ini file for version 4.0.3 and above. This will prevent you from using fileuploads, which may not be acceptable for your operation.
Our thanks to Stefan Esser, upon whose advisory this document is based.
This document was written by Shawn V. Hernan.
|Date First Published:||2002-02-27|
|Date Last Updated:||2002-02-27 18:13 UTC|