An input-checking vulnerability in PHP that opens the door for hackers to
gain Web server access was patched Monday, and users are urged to
update as soon as possible.
The patch, available from the PHP.net Web site, corrects the software's POST
parser, which inspects the headers of incoming requests and accepts or rejects
the data. According to programmers, the vulnerability allows hackers to gain
“privileged access” to the Web server in some cases — letting them either grab
the information for their own use or crash the system.
The only workaround for 4.2.0 and 4.2.1 users is to shut down all incoming
POST requests, which administrators are encouraged to do until the patch is
implemented.
Stephen Esser, a software developer at e-matters.com, said he found the
vulnerability while putting together an application that processed MIME
headers as part of the program.
In his report to PHP.net he said that the new 4.2 versions (which feature a
revamped multipart/form-data POST handler) allow some incoming traffic to be
inadvertently added to the list of allowed MIME headers — a process that
gives hackers a way in through the back door.
“A malformed POST request can trigger an error condition that is not
correctly handled. Due to this bug it could happen that an uninitialised
struct gets appended to the linked list of mime headers,” he
reported. “When the list gets cleaned or destroyed PHP tries to free the
pointers that are expected in the struct. Because of the lack of
initialisation those pointers contain stuff that was left on the stack by
previous function calls.”
The bug affects both IBM and Linux machines running the software.
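The failure Esser describes, modelled as an added C example that is neither PHP's code nor taken from his report: a constructed linked list of MIME header nodes, with the vulnerable shape shown in a comment beside a hardened append that zero-initialises each node and links it only after a successful parse. The header format, function names and sample lines are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the pattern Esser describes (not PHP's own code): parsed
   MIME headers sit in a linked list that is freed in bulk when the part is done. */
typedef struct mime_header { char *name, *value; struct mime_header *next; } mime_header;

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}
/* Parse "name: value" into h. Returns -1 on a malformed line; fields it never
   reached keep whatever the caller put there, which is the crux of the bug. */
static int parse_header_line(const char *line, mime_header *h) {
    const char *colon = strchr(line, ':');
    if (!colon) return -1;
    h->name = dup_range(line, (size_t)(colon - line));
    h->value = dup_range(colon + 1, strlen(colon + 1));
    return (h->name && h->value) ? 0 : -1;
}
/* The vulnerable shape looked like this (deliberately not compiled in):
 *   mime_header *h = malloc(sizeof *h);   // name/value hold stale stack/heap bytes
 *   parse_header_line(line, h);           // error result ignored
 *   h->next = *list; *list = h;           // garbage node linked; free()d later
 * Hardened: zero-initialise, link only after success, unwind on failure
 * (free(NULL) is a defined no-op, so partial allocations are safe to release). */
static int append_header(mime_header **list, const char *line) {
    mime_header *h = calloc(1, sizeof *h);
    if (!h) return -1;
    if (parse_header_line(line, h) != 0) {
        free(h->name); free(h->value); free(h);
        return -1;
    }
    h->next = *list; *list = h;
    return 0;
}

static void free_headers(mime_header *h) {
    while (h) { mime_header *n = h->next; free(h->name); free(h->value); free(h); h = n; }
}
/* Parse one part's header lines; returns the number kept and reports how many
   malformed lines were rejected instead of being linked half-initialised. */
int parse_part_headers(const char *const *lines, size_t n, int *rejected) {
    mime_header *list = NULL;
    int kept = 0; *rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (append_header(&list, lines[i]) == 0) kept++; else (*rejected)++;
    free_headers(list);   /* safe: every linked node is fully initialised */
    return kept;
}
```

Running the hardened version under a memory checker such as Valgrind shows no invalid frees on the malformed line, which is the check a reviewer would want for the original defect.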