Re: PHP multipart/form-data Post Buffer Overflow vulnerability in Woody
On Wednesday 01 December 2004 at 10:42, Evelio Martínez wrote:
>
> Hello!
>
> We have a server with Debian Woody
> I have passed the Retina vulnerability scanner in our LAN and it has
> detected several ones.
> The php version we have is 4.1.2-7.0.1
>
> I know this question has two facets: one for the people at Retina software and
> the other for people who use Debian.
>
> 1) I would like to know whether the scanner gives a positive when it sees the
> version, or whether the program makes a real test to see if the vulnerability
> exists?
>
> Do I have to upgrade PHP from sources?
>
> Has anyone had a similar doubt?
>
> Vulnerability explanation:
> Among them: The PHP Group has released a new PHP version, 4.2.2.
>
> PHP contains code for intelligently parsing the headers of HTTP POST
> requests.
> The code is used to differentiate between variables and files sent
> by the user agent in a "multipart/form-data" request.
> This parser has insufficient input checking, leading to the
> vulnerability.
>
> The vulnerability is exploitable by anyone who can send HTTP POST
> requests to an affected web server. Both local and remote users, even
> from behind firewalls, may be able to gain privileged access.
>
> 2) Another vulnerability has to do with Apache (1.3.26-0woo)
>
> Apache httpd scoreboard modification vulnerability
>
> Versions of Apache 1.3.x prior to 1.3.27 allow a user running as the Apache
> UID (for instance, through web server exploitation, or the invocation or
> exploitation of a PHP or Perl script) to modify the httpd daemon's
> scoreboard in shared memory. An attacker can exploit this vulnerability to
> cause SIGUSR1 signals to be sent to arbitrary processes as root, possibly
> leading to a denial of service condition or other improper behavior.
Hi,
The Debian policy of using upstream patches to fix the current version of the
packages means that PHP, for example, keeps the banner 4.1.2-7.0.1. The scanner
sees that version and deduces that you are vulnerable to a security flaw,
since this flaw is supposed to be present in all versions lower than
4.2.2.
This is a common source of false positives.
Same for the Apache vulnerability.
Regards,
Xavier.
--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email: xavier@sudre.fr
GPG key: http://xavier.sudre.fr/gpg/xavier.asc
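As an added illustration of the point made in this thread (example code, not from either poster and not a Debian tool): a scanner that only compares the upstream part of "4.1.2-7.0.1" against 4.2.2 will always flag a Woody box, while a check that also reads the package changelog for the backported fix does not. The changelog excerpt, the maintainer name and the keyword used to spot the fix are all constructed for this example; on a real system you would read /usr/share/doc/<package>/changelog.Debian.gz and the matching Debian security advisory instead of trusting a keyword. The version parser is deliberately simpler than dpkg's (no tilde or letter ordering).

```python
"""Banner-only versus changelog-aware vulnerability check (added example).

Models the false positive described in the thread: Debian backports the
upstream security fix into php4 4.1.2-7.0.1, so the version string stays
below the upstream fixed release (4.2.2) even though the bug is gone.
"""
import re
from typing import List, Tuple

# Upstream releases named in the scanner report as containing the fixes.
PHP_FIXED_UPSTREAM = (4, 2, 2)
APACHE_FIXED_UPSTREAM = (1, 3, 27)

# Constructed changelog text in Debian changelog shape. This is NOT the real
# php4 changelog; entries, dates and the maintainer address are invented.
SAMPLE_PHP_CHANGELOG = """\
php4 (4.1.2-7.0.1) stable-security; urgency=high

  * Backport upstream fix for the multipart/form-data POST parser
    (constructed entry for this example).

 -- Example Maintainer <maintainer@example.org>  Mon, 22 Jul 2002 12:00:00 +0200

php4 (4.1.2-6) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Wed, 13 Mar 2002 12:00:00 +0100
"""

Version = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_debian_version(version: str) -> Version:
    """Split '4:4.1.2-7.0.1' into (upstream, debian_revision) numeric tuples.

    The epoch ('4:') is dropped; the Debian revision is whatever follows the
    last '-' (empty tuple for a native package). Only digit runs are compared,
    which is enough for this thread's versions but not full dpkg semantics.
    """
    no_epoch = version.split(":", 1)[1] if re.match(r"^\d+:", version) else version
    upstream, sep, debrev = no_epoch.rpartition("-")
    if not sep:  # no hyphen at all: native package, whole string is upstream
        upstream, debrev = no_epoch, ""
    to_nums = lambda s: tuple(int(n) for n in re.findall(r"\d+", s))
    return to_nums(upstream), to_nums(debrev)


def version_from_header(header: str) -> str:
    """Pull the version out of a banner such as 'X-Powered-By: PHP/4.1.2-7.0.1'
    or 'Server: Apache/1.3.26 (Unix) Debian GNU/Linux'."""
    m = re.search(r"(?:PHP|Apache)/(\S+)", header)
    if not m:
        raise ValueError("no PHP or Apache banner in header: %r" % header)
    return m.group(1)


def naive_banner_check(version: str, fixed_upstream: Tuple[int, ...]) -> bool:
    """What a banner-matching scanner does: vulnerable iff upstream < fixed."""
    upstream, _ = parse_debian_version(version)
    return upstream < fixed_upstream


def changelog_entries(changelog: str) -> List[Tuple[str, str]]:
    """Return (version, body) pairs for each entry in a Debian-format changelog.
    Entry headers look like 'pkg (version) distribution; urgency=...'."""
    header = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
    matches = list(header.finditer(changelog))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(changelog)
        entries.append((m.group(2), changelog[m.end():end]))
    return entries


def backport_aware_check(version: str, fixed_upstream: Tuple[int, ...],
                         changelog: str, fix_keyword: str) -> bool:
    """Vulnerable only if the upstream version predates the fix AND no
    changelog entry at or below the installed version mentions the backport.
    fix_keyword is the example's stand-in for reading the advisory yourself."""
    if not naive_banner_check(version, fixed_upstream):
        return False
    installed = parse_debian_version(version)
    for entry_version, body in changelog_entries(changelog):
        if parse_debian_version(entry_version) <= installed \
                and fix_keyword.lower() in body.lower():
            return False  # fix was backported into this or an earlier revision
    return True


if __name__ == "__main__":
    banner = version_from_header("X-Powered-By: PHP/4.1.2-7.0.1")
    print("banner-only scanner says vulnerable:",
          naive_banner_check(banner, PHP_FIXED_UPSTREAM))
    print("changelog-aware check says vulnerable:",
          backport_aware_check(banner, PHP_FIXED_UPSTREAM,
                               SAMPLE_PHP_CHANGELOG, "multipart/form-data"))
```

Run on its own, the first line prints True (the scanner's verdict) and the second False (the fix is in the installed revision). The same split applies to the Apache report: "Apache/1.3.26" is below 1.3.27, so a banner match fires regardless of what the Debian revision contains.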