Security Flaws Found in PHP

The Computer Emergency Response Team Coordination Center (CERT/CC) Wednesday warned of multiple vulnerabilities in the PHP scripting
language which would allow a remote attacker to execute arbitrary code with the privileges of the PHP process on a victim’s system.

The flaws were discovered and first reported by Stefan Esser of e-matters, a member of the PHP developer team.


PHP is widely used in Web development and can be installed on a variety of Web servers, including Apache, IIS, Caudium, Netscape and
iPlanet, OmniHTTPd and others. Esser said the vulnerabilities lie in the php_mime_split function, allowing an attacker to either
execute arbitrary code with the privileges of the Web server or interrupt normal operations of the Web server.

Esser said he found a number of bugs in various versions of PHP, including:

  • PHP 3.0.10-3.0.18 — a broken boundary check (which Esser noted is difficult to exploit) and an arbitrary heap overflow (easy to
    exploit

  • PHP 4.0.1-4.0.3pl1 — broken boundary check (hard to exploit) and heap off by one (easy to exploit)
  • PHP 4.0.2-4.0.5 — two broken boundary checks (one easy to exploit and one hard to exploit)
  • PHP 4.0.6-4.0.7RC2 — broken boundary check (very easy to exploit)
  • PHP 4.0.7RC3-4.1.1 — broken boundary check (hard to exploit).

Esser noted that most of the vulnerabilities are exploitable only on Linux or Solaris, but said the “heap off by one” flaw is only
exploitable on x86 architecture and the “arbitrary heap overflow” in PHP3 is exploitable on most operating systems and
architectures, including *BSD.

PHP users can get around the flaws by upgrading to PHP
version 4.1.2
. If upgrading is not possible, patches for older versions are available here.


Users of version 4.20-dev are not vulnerable to the bugs because the fileupload code was completely rewritten for that branch.


If neither upgrading nor applying a patch is possible, PHP users can avoid the vulnerabilities by disabling fileupload support. To
accomplish this, edit the PHP configuration file php.ini to “file_uploads = off.” This setting only applies to version 4.0.3 and
above, and will prevent users from using fileuploads.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web