
Re: PHP multipart/form-data Post Buffer Overflow vulnerability in Woody

On Wednesday 01 December 2004 at 10:42, Evelio Martínez wrote:
> Hello!
> We have a server with Debian Woody.
> I have run the Retina vulnerability scanner on our LAN and it has
> detected several vulnerabilities.
> The PHP version we have is 4.1.2-7.0.1.
> I know this question has two facets: one for the people at Retina software and
> the other for people who use Debian.
> 1) I would like to know if the scanner reports a positive when it sees the
>    version, or whether the program makes a real test to see if the
>    vulnerability exists?
>    Do I have to upgrade PHP from sources?
>    Has anyone had a similar doubt?
>    Vulnerability explanation:
>    Among them, The PHP Group has released a new PHP version, 4.2.2.
>    PHP contains code for intelligently parsing the headers of HTTP POST
>    requests. The code is used to differentiate between variables and files
>    sent by the user agent in a "multipart/form-data" request. This parser
>    has insufficient input checking, leading to the vulnerability.
>    The vulnerability is exploitable by anyone who can send HTTP POST
>    requests to an affected web server. Both local and remote users, even
>    from behind firewalls, may be able to gain privileged access.
> 2) Another vulnerability has to do with Apache (1.3.26-0woo):
>    Apache httpd scoreboard modification vulnerability.
>    Versions of Apache 1.3.x prior to 1.3.27 allow a user running as the Apache
>    UID (for instance, through web server exploitation, or the invocation or
>    exploitation of a PHP or Perl script) to modify the httpd daemon's
>    scoreboard in shared memory. An attacker can exploit this vulnerability to
>    cause SIGUSR1 signals to be sent to arbitrary processes as root, possibly
>    leading to a denial of service condition or other improper behavior.


The Debian policy of using upstream patches to fix the current version of the
packages means that php, for example, keeps the banner 4.1.2-7.0.1. The scanner
sees that version and deduces that you are vulnerable to a security flaw,
since this flaw is supposed to be present in all versions lower than

This is a common source of false positives.

Same for Apache vulnerability.
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:    xavier@sudre.fr
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc
