Re: PHP multipart/form-data Post Buffer Overflow vulnerability in Woody
On Wednesday 01 December 2004 at 10:42, Evelio Martínez wrote:
> We have a server with Debian Woody
> I have passed the Retina vulnerability scanner in our LAN and it has
> detected several ones.
> The php version we have is 4.1.2-7.0.1
> I know this question has two facets: one for the people at Retina software and the
> other for people who use Debian.
> 1) I would like to know if the scanner gives a positive when it sees the
> version, or whether the program makes a real test to see if the
> vulnerability exists?
> Do I have to upgrade PHP from sources?
> Has anyone had a similar doubt?
> Vulnerability explanation:
> Among them The PHP Group has released a new PHP version, 4.2.2
> PHP contains code for intelligently parsing the headers of HTTP POST
> The code is used to differentiate between variables and files sent
> by the user agent in a "multipart/form-data" request.
> This parser has insufficient input checking, leading to the
> The vulnerability is exploitable by anyone who can send HTTP POST
> requests to an affected web server. Both local and remote users, even
> from behind firewalls, may be able to gain privileged access.
> 2) Another vulnerability has to do with Apache (1.3.26-0woo)
> Apache httpd scoreboard modification vulnerability
> Versions of Apache 1.3.x prior to 1.3.27 allow a user running as the Apache
> UID (for instance, through web server exploitation, or the invocation or
> exploitation of a PHP or Perl script) to modify the httpd daemon's
> scoreboard in shared memory. An attacker can exploit this vulnerability to
> cause SIGUSR1 signals to be sent to arbitrary processes as root, possibly
> leading to a denial of service condition or other improper behavior.
The Debian policy of using upstream patches to fix the current version of the
packages means that PHP, for example, keeps the banner 4.1.2-7.0.1. The scanner
sees that version and deduces that you are vulnerable to a security flaw,
since this flaw is supposed to be present in all versions lower than
This is a common source of false positives.
The same goes for the Apache vulnerability.
GPG key: http://xavier.sudre.fr/gpg/xavier.asc
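Xavier's point is that a banner-based scanner compares only the upstream part of the version (4.1.2) against the upstream release that fixed the bug (4.2.2) and ignores the Debian revision (-7.0.1) that carries the backported patch. The following is an added example, not code from this thread or from Debian's dpkg: a small Python reimplementation of dpkg's version-ordering rules (epoch, then upstream, then revision; `~` sorts lowest, letters before non-letters, digit runs compared numerically), used to show the two checks side by side. The "fixed in" Debian versions in it are constructed placeholders, not the values from any real DSA; on an actual system you would take them from the advisory and use `dpkg --compare-versions` or read `/usr/share/doc/<pkg>/changelog.Debian.gz` instead.

```python
# Added example (not from the thread or from dpkg): compare Debian package
# versions the way dpkg orders them, so a vulnerability check is made against
# the distribution's fixed version rather than the bare upstream version that
# a banner scanner sees.
import re


def _char_order(c):
    # dpkg's weighting for characters in the non-digit runs of a version:
    # '~' sorts before everything (even the end of the run), the end of the
    # run sorts before letters, and letters sort before other characters.
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    # Split each fragment into alternating (non-digit, digit) runs and compare
    # run by run: non-digit runs with dpkg's ordering, digit runs numerically.
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for i in range(max(len(ta), len(tb))):
        na, da = ta[i] if i < len(ta) else ("", "")
        nb, db = tb[i] if i < len(tb) else ("", "")
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions does."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2)
    if c:
        return c
    return _cmp_fragment(r1, r2)


def banner_scanner_says_vulnerable(installed, upstream_fixed):
    """What a version-banner scanner does: compare only the upstream part."""
    _, upstream, _ = parse_version(installed)
    return _cmp_fragment(upstream, upstream_fixed) < 0


def distro_says_vulnerable(installed, distro_fixed):
    """Compare the full Debian version against the version the advisory names as fixed."""
    return compare_versions(installed, distro_fixed) < 0


# Constructed sample: the installed versions quoted in the thread, the upstream
# fix versions from the scanner text, and PLACEHOLDER Debian "fixed in"
# versions. Replace the placeholders with the values from the real advisories.
INSTALLED = {"php4": "4.1.2-7.0.1", "apache": "1.3.26-0woo"}
UPSTREAM_FIXED = {"php4": "4.2.2", "apache": "1.3.27"}
DSA_FIXED_PLACEHOLDER = {"php4": "4.1.2-6", "apache": "1.3.26-0"}


def assess(pkg):
    """Both verdicts for one package: the banner scanner's and the distro-aware one."""
    return {
        "banner_scanner": banner_scanner_says_vulnerable(INSTALLED[pkg], UPSTREAM_FIXED[pkg]),
        "distro_check": distro_says_vulnerable(INSTALLED[pkg], DSA_FIXED_PLACEHOLDER[pkg]),
    }


if __name__ == "__main__":
    for name in INSTALLED:
        print(name, assess(name))
```

For the PHP package the banner comparison reports vulnerable (4.1.2 is below 4.2.2) while the full-version comparison does not (4.1.2-7.0.1 is above the placeholder fixed revision), which is exactly the false positive described above; swap in the real advisory versions to get an answer that means something for your host.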