[CLUE-Tech] [Fwd: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1]

Adam Bultman adamb at glaven.org
Mon Jul 22 14:36:48 MDT 2002


I don't know if you find this useful at all, but I keep all my configure
info for apache/php/mod_ssl in one script. I run the script, and it
re-does all my stuff from scratch. It's pretty ghetto, but with a few
keystrokes, it recompiles everything. I have yet to add the lines that
restart apache.  I've attached it.  No doubt many of you have already had
this idea, and do the same.


It's below. I hope I didn't paste any of it twice. I just recompiled
apache, php, mod_ssl, and all the fixins *just now*.  It works like a gem.



cd /usr/src/apache_1.3.26
./configure
cd ..
cd /usr/src/php

./configure --enable-bcmath --with-apache=/usr/src/apache_1.3.26 \
    --enable-magic-quotes --with-mcrypt --with-pgsql --enable-track-vars \
    --with-imap --with-zlib --with-pdflib=/usr/local \
    --with-ttf=/usr/local/include/freetype2 --with-xml \
    --with-swf=/usr/src/swf --with-gd=/usr/src/gd-1.8.4 \
    --with-jpeg-dir=/usr

make && make install

cd /usr/src/mod_ssl-2.8.10-1.3.26
./configure --with-apache=/usr/src/apache_1.3.26 \
    --with-ssl=/usr/src/openssl-0.9.6d --enable-shared=ssl
cd ..
cd /usr/src/apache_1.3.26

./configure --enable-module=so --enable-module=headers \
    --enable-module=log_referer --enable-module=vhost_alias \
    --enable-module=ssl --enable-shared=ssl --enable-module=log_agent \
    --enable-module=expires \
    --activate-module=src/modules/php4/libphp4.a --enable-module=php4

make && make install





-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]


On Mon, 22 Jul 2002 grant.johnson at twcable.com wrote:

>    PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
>
> Issued on: July 22, 2002
> Software:  PHP versions 4.2.0 and 4.2.1
> Platforms: All
>
>
>    The PHP Group has learned of a serious security vulnerability in PHP
>    versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
>    code with the privileges of the web server. This vulnerability may be
>    exploited to compromise the web server and, under certain conditions,
>    to gain privileged access.
>
>
> Description
>
>    PHP contains code for intelligently parsing the headers of HTTP POST
>    requests. The code is used to differentiate between variables and files
>    sent by the user agent in a "multipart/form-data" request. This parser
>    has insufficient input checking, leading to the vulnerability.
>
>    The vulnerability is exploitable by anyone who can send HTTP POST
>    requests to an affected web server. Both local and remote users, even
>    from behind firewalls, may be able to gain privileged access.
>
>
> Impact
>
>    Both local and remote users may exploit this vulnerability to compromise
>    the web server and, under certain conditions, to gain privileged access.
>    So far only the IA32 platform has been verified to be safe from the
>    execution of arbitrary code. The vulnerability can still be used on IA32
>    to crash PHP and, in most cases, the web server.
>
>
> Solution
>
>    The PHP Group has released a new PHP version, 4.2.2, which incorporates
>    a fix for the vulnerability. All users of affected PHP versions are
>    encouraged to upgrade to this latest version. The downloads web site at
>
>       http://www.php.net/downloads.php
>
>    has the new 4.2.2 source tarballs, Windows binaries and source patches
>    from 4.2.0 and 4.2.1 available for download.
>
>
> Workaround
>
>    If the PHP applications on an affected web server do not rely on HTTP
>    POST input from user agents, it is often possible to deny POST requests
>    on the web server.
>
>    In the Apache web server, for example, this is possible with the
>    following code included in the main configuration file or a top-level
>    .htaccess file:
>
>
>       <Limit POST>
>           Order deny,allow
>           Deny from all
>       </Limit>
>
>
>    Note that an existing configuration and/or .htaccess file may have
>    parameters contradicting the example given above.
>
>
> Credits
>
>    The PHP Group would like to thank Stefan Esser of e-matters GmbH for
>    discovering this vulnerability.
>
>
> Copyright (c) 2002 The PHP Group.
>
>
>
>
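
A check to run after a rebuild and restart like the one in this post: the added example below (not part of the original message or of the PHP Group's advisory) reads the Apache "Server:" response header and reports whether it advertises one of the two PHP versions the advisory names. The function names and the sample banner are constructed for illustration, and a banner with no PHP token is reported as unknown rather than safe.

```shell
#!/bin/sh
# Added example: classify the PHP version in an Apache "Server:" banner
# against the releases named in the advisory (4.2.0 and 4.2.1).

# php_version_from_banner BANNER
# Prints the version from the first PHP/x.y.z token; returns 1 if the banner
# has no PHP token (for example when the server hides its module versions).
php_version_from_banner() {
    for token in $1; do
        case "$token" in
            PHP/*) printf '%s\n' "${token#PHP/}"; return 0 ;;
        esac
    done
    return 1
}

# advisory_status BANNER
# Prints "affected", "not-affected" (by this advisory only) or "unknown".
advisory_status() {
    version=$(php_version_from_banner "$1") || { echo unknown; return 0; }
    case "$version" in
        4.2.0|4.2.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# check_headers
# Reads raw HTTP response headers on stdin (such as the output of
# `curl -sI http://localhost/`), takes the first Server: line, strips the
# trailing CR, and classifies it.
check_headers() {
    banner=$(tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1)
    advisory_status "$banner"
}

# Constructed sample banner using the component versions from the build
# script in the post, with an affected PHP version still loaded.
sample='Apache/1.3.26 (Unix) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.6d'
echo "$sample -> $(advisory_status "$sample")"
```

An "unknown" result means the banner cannot confirm the upgrade, so check the version another way, for example with a phpinfo() page restricted to localhost.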



