28 February, 2002
Multiple Buffer Overflows in PHP allow remote access to server

Reference
eMatters Security Advisory 01/2002, PHP remote vulnerabilities

Risk Impact
High

Affected Components
PHP 3.0.10-3.0.18
PHP 4.0.1-4.0.3pl1
PHP 4.0.2-4.0.5
PHP 4.0.6-4.0.7RC2
PHP 4.0.7RC3-4.1.1

Not Affected
PHP 4.1.2
PHP 4.2.0-dev

Overview
Symantec Corporation advises its customers to be aware of the public disclosure of, and exploit scripts for, numerous remote access buffer overflow vulnerabilities in the way PHP handles multipart POST requests (form uploads). Successful exploitation of these vulnerabilities could result in unauthorized access with the privileges of the targeted web server.

Details
PHP (PHP: Hypertext Preprocessor) is a server-side, cross-platform, HTML-embedded language commonly used to create dynamic Web pages. PHP script is embedded in an HTML document, so the web developer does not have to rely on extensive amounts of code to output HTML. PHP is executed on the server, so the client is unable to view the PHP code. Because of its cross-platform compatibility, PHP is included with a large number of Web servers, primarily Apache Web servers, and is supported by the majority of Web servers and by most operating systems.

One of the features of PHP is support for POST requests of the MIME media type multipart/form-data, which allows file uploads to the Web server. However, several versions of PHP prior to version 4.2.0 have been discovered to be vulnerable to various buffer overflow exploits in the manner in which file uploads are handled. By uploading a carefully crafted MIME-encoded PHP form using the HTTP POST method, a remote intruder could potentially execute arbitrary code on the targeted Web server, possibly gaining complete control of the server.

Symantec Response
Symantec recommends the following best practices for reducing exposure to these vulnerabilities.

  1. Immediately apply an appropriate patch or upgrade to a non-vulnerable version.

    • The latest updated PHP version, PHP 4.1.2, as well as patches for earlier versions, are currently available for download from http://www.php.net/downloads.php

    • or contact your vendor for information on patches for products affected by this issue.

  2. Turn off and remove unneeded services or processes.

    • In PHP version 4.0.3 or later you can disable file upload support by setting file_uploads = Off in the php.ini file.

    • Note: Disabling file upload capability may seriously degrade your Web site functionality but should be considered if you cannot immediately apply the recommended patch or upgrade.

  3. If you suspect that a system has been compromised, isolate the infected system(s) quickly to prevent further compromise of enterprise systems. Perform forensic analysis and restore the system from trusted media.
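
The check described in steps 1 and 2, as an added example that is not part of the Symantec advisory or of any Symantec product: it classifies a PHP version string against the affected ranges listed above and reads file_uploads from php.ini text. The function names and sample inputs are assumptions made for illustration; the suffix ordering (dev < RC < release < pl) follows PHP's version_compare, and the boolean parsing is simplified to the common On/Off spellings.

```python
import re

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED = [("3.0.10", "3.0.18"), ("4.0.1", "4.0.3pl1"), ("4.0.2", "4.0.5"),
            ("4.0.6", "4.0.7RC2"), ("4.0.7RC3", "4.1.1")]
# Suffix ordering as in PHP's version_compare: dev < RC < release < pl.
SUFFIX_RANK = {"dev": 0, "rc": 1, "": 2, "pl": 3}

def parse_version(text):
    """Turn '4.0.7RC2' into a sortable tuple (4, 0, 7, 1, 2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-?(dev|rc|pl)?(\d*)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    major, minor, patch, suffix, num = m.groups()
    return (int(major), int(minor), int(patch),
            SUFFIX_RANK[(suffix or "").lower()], int(num or 0))

def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def uploads_enabled(ini_text):
    """Read file_uploads from php.ini text; PHP enables uploads when it is unset."""
    value = "1"
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        m = re.fullmatch(r'file_uploads\s*=\s*"?([^"]*)"?', line, re.I)
        if m:
            value = m.group(1).strip()            # assumption: last assignment wins
    return value.lower() in ("1", "on", "yes", "true")

def audit(version, ini_text):
    """Combine the version check with the file_uploads workaround status."""
    if not is_affected(version):
        return "ok: version not in the advisory's affected ranges"
    if parse_version(version) < parse_version("4.0.3"):
        # The advisory states the file_uploads switch exists in 4.0.3 or later.
        return "exposed: no file_uploads switch before 4.0.3; patch or upgrade"
    if uploads_enabled(ini_text):
        return "exposed: affected version with file uploads enabled"
    return "mitigated: uploads disabled; still patch or upgrade"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real server.
    for ver, ini in [("4.0.6", "; file_uploads = Off\n"),
                     ("4.0.6", "file_uploads = Off ; per advisory\n"),
                     ("4.0.2", "file_uploads = Off\n"), ("4.1.2", "")]:
        print(ver, "->", audit(ver, ini))
```

A commented-out file_uploads line leaves uploads enabled, which is why the first sample is still reported as exposed.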

Symantec Enterprise Solutions
Enterprise Security Manager (ESM), Symantec's policy compliance and vulnerability management system, helps manage security best practices and patch update functions. A new policy is available for download that will detect PHP versions that have file uploads enabled. Symantec recommends that users then ensure that a non-vulnerable version of PHP or an updated/patched version is running. Otherwise, Symantec recommends that file uploads be disabled to eliminate this exposure until it can be properly protected. Symantec ESM users should run the policy against their domain of web servers.

NetRecon, Symantec's vulnerability assessment tool, will detect vulnerable versions of PHP. Customers should use NetRecon to detect systems running web servers and versions of PHP that are vulnerable to this exploit. NetRecon SU 7 is available here and contains detection capability for vulnerable PHP versions. Current versions of NetRecon will detect systems running web services.

NetProwler, Symantec's network-based intrusion detection tool, offers a signature that will detect attempts to exploit this vulnerability. The new Security Update is available here


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Alert in medium other than electronically requires permission from Sym Security, symsecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information. Symantec Corporation, Symantec product names, Symantec Security Response, and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Monday, 08-Apr-02 16:58:13