PHP Team Patches DoS Bugs

The PHP Development Team on Wednesday released updates to the PHP 4 and 5 code base,
fixing two security vulnerabilities that open the door to denial-of-service (DoS) attacks.

PHP is a popular open source scripting language used by Web developers. In February, an anonymous researcher discovered that two functions that handle image uploads within PHP 4 and 5 (php_handle_iff and php_handle_jpeg) could be manipulated to create infinite loops in the program.

The infinite loop, in turn, consumes 100 percent of the system’s CPU
and crashes the system. Both vulnerabilities require the
attacker to upload a malicious image to the getimagesize() routine and
affect PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. The routine is used to
determine the size and dimensions of image file formats like GIF, JPEG and
TIFF.

At risk are sites running PHP that allow users to upload images to the Web
server, like photo blogs or wikis. Michael Sutton, director of iDefense
labs, said the vulnerabilities aren’t considered critical bugs because they
only bring down the system; the bugs won’t allow a malicious hacker to take
over the Web server.

“It’s reasonably significant in that you’re taking out a Web server and
denying other people access to it, but the thing that makes it not critical
is that you can’t execute any code on that server,” he said.

Officials at iDefense said there is no known workaround for the
vulnerabilities at this time, outside downloading and updating the PHP code.
Maintainers of the PHP.net Web site say developers are “strongly encouraged”
to upgrade to PHP 4.3.11 and 5.0.4.

The php_handle_iff() bug is caused when a user-defined
file-stream size and size variable are set to negating values, 8 and -8 for
example.
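
The IFF case comes down to a chunk walker that trusts a signed size field. The C sketch below is an added example, not PHP's code or its patch: it walks standard IFF/ILBM chunks in memory and refuses any size that would stop the read position from moving forward. The function name, sample buffers and in-memory interface are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a valid 320x200 ILBM header, and one whose first
 * chunk claims size -8 (0xFFFFFFF8). */
static const uint8_t good_iff[] = {
    'F','O','R','M', 0,0,0,26, 'I','L','B','M', 'A','N','N','O', 0,0,0,2,
    'h','i', 'B','M','H','D', 0,0,0,4, 0x01,0x40, 0x00,0xC8 };
static const uint8_t bad_iff[] = { 'F','O','R','M', 0,0,0,12, 'I','L','B','M',
    'A','N','N','O', 0xFF,0xFF,0xFF,0xF8 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Find the BMHD chunk; return 0 and its width/height, or -1 if the data
 * is malformed or has no usable BMHD chunk. */
int iff_dimensions(const uint8_t *buf, size_t len, unsigned *w, unsigned *h) {
    size_t pos = 12;                    /* "FORM", form size, form type */
    if (len < pos || memcmp(buf, "FORM", 4) || memcmp(buf + 8, "ILBM", 4))
        return -1;
    while (pos <= len && len - pos >= 8) {  /* room for one chunk header */
        const uint8_t *hdr = buf + pos;
        uint32_t size = be32(hdr + 4);
        pos += 8;
        /* High bit set = negative as signed 32-bit: -8 would cancel the
         * 8 header bytes just read and revisit this chunk forever. */
        if (size > 0x7FFFFFFFu || size > len - pos)
            return -1;
        if (memcmp(hdr, "BMHD", 4) == 0 && size >= 4) {
            *w = (unsigned)buf[pos] << 8 | buf[pos + 1];
            *h = (unsigned)buf[pos + 2] << 8 | buf[pos + 3];
            return 0;
        }
        pos += size + (size & 1);       /* chunks are padded to even length */
    }
    return -1;
}

int main(void) {
    unsigned w = 0, h = 0;
    int ok = iff_dimensions(good_iff, sizeof good_iff, &w, &h);
    printf("good: %d (%ux%u)\n", ok, w, h);
    printf("bad:  %d\n", iff_dimensions(bad_iff, sizeof bad_iff, &w, &h));
    return 0;
}
```

Because every iteration consumes at least the 8 header bytes and never moves backward, the loop is bounded by the input length regardless of what the size fields contain.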

Insufficient validation of JPEG image file headers led to the vulnerability
in the php_handle_jpeg() function. The vulnerability can be exploited if an
invalid marker is sent in the stream through the php_next_marker() function,
causing the function to point to two bytes of the file when it is returned
to the php_handle_jpeg() for loop.

Developers can download PHP 4.3.11 and 5.0.4 at the PHP.net download site.
