Today it was announced that a new hole has been found in PHP versions 4.2.0 and 4.2.1, so it is recommended to install the new version, PHP 4.2.2.
More details can be found on this page: security.e-matters.de
The hole can be worked around by adding the following to the .htaccess file:
<Limit POST>
Order deny,allow
Deny from all
</Limit>
Download: php-4.2.2.tar.gz (3 324KB)
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All
The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.
Description
PHP contains code for intelligently parsing the headers of HTTP POST requests. The code is used to differentiate between variables and files sent by the user agent in a “multipart/form-data” request. This parser has insufficient input checking, leading to the vulnerability.
The vulnerability is exploitable by anyone who can send HTTP POST requests to an affected web server. Both local and remote users, even from behind firewalls, may be able to gain privileged access.
Impact
Both local and remote users may exploit this vulnerability to compromise the web server and, under certain conditions, to gain privileged access.
So far only the IA32 platform has been verified to be safe from the execution of arbitrary code. The vulnerability can still be used on IA32 to crash PHP and, in most cases, the web server.
Solution
The PHP Group has released a new PHP version, 4.2.2, which incorporates a fix for the vulnerability. All users of affected PHP versions are encouraged to upgrade to this latest version. The downloads web site at
http://www.php.net/downloads.php
has the new 4.2.2 source tarballs, Windows binaries and source patches from 4.2.0 and 4.2.1 available for download.
Workaround
If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.
In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:
<Limit POST>
Order deny,allow
Deny from all
</Limit>
Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.
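The caveat above is the one that bites in practice: a Deny inside the Limit block can be cancelled by an Allow directive elsewhere in the same block, depending on the Order in effect. The following script is an added example (not the PHP Group's or Apache's own code) that audits a configuration fragment for the advisory's workaround and reports whether POST is actually denied to every client, using the mod_access Order/Deny/Allow rules of Apache 1.3 and 2.0 that the advisory's snippet relies on (the Apache 2.4 Require syntax is not modelled). It also checks a "php -v" style banner against the affected versions. The function names, the second sample configuration and the 192.0.2.0/24 address (a reserved documentation range) are assumptions constructed for the example.

```python
import re

# Versions named in the advisory.
AFFECTED_VERSIONS = {"4.2.0", "4.2.1"}
FIXED_VERSION = "4.2.2"

# The advisory's own workaround, verbatim.
ADVISORY_WORKAROUND = """<Limit POST>
Order deny,allow
Deny from all
</Limit>
"""

# Constructed sample: an Allow line inside the block. Under Order deny,allow the
# Allow directives are evaluated after Deny, so this re-admits the listed network
# and the workaround no longer blocks POST for everyone.
CONTRADICTED_WORKAROUND = """<Limit POST>
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
</Limit>
"""


def is_affected(php_version_output):
    """True when a 'php -v' style banner reports one of the affected versions."""
    m = re.search(r"PHP\s+(\d+\.\d+\.\d+)", php_version_output)
    return m is not None and m.group(1) in AFFECTED_VERSIONS


def _directives_in_limit_post(config_text):
    """Return the non-comment directive lines of every <Limit ...> block covering POST."""
    blocks = []
    pattern = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)
    for m in pattern.finditer(config_text):
        if "POST" in m.group(1).upper().split():
            lines = [ln.strip() for ln in m.group(2).splitlines()]
            blocks.append([ln for ln in lines if ln and not ln.startswith("#")])
    return blocks


def _block_denies_all(lines):
    """Evaluate one block under mod_access semantics (Apache 1.3/2.0).

    Order deny,allow: Deny first, then Allow; access allowed by default, so every
        client is refused only if 'Deny from all' is present and no Allow exists.
    Order allow,deny (and mutual-failure): Allow first, then Deny; access denied by
        default, so every client is refused if 'Deny from all' is present or if
        there is no Allow directive at all.
    Returns (denies_all, warnings).
    """
    order = "deny,allow"  # Apache's default when no Order directive is given
    deny_all = False
    allows = []
    for ln in lines:
        parts = ln.split()
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key == "deny" and len(parts) > 2 and parts[1].lower() == "from":
            deny_all = deny_all or "all" in (p.lower() for p in parts[2:])
        elif key == "allow" and len(parts) > 2 and parts[1].lower() == "from":
            allows.append(ln)
    warnings = []
    if order == "deny,allow":
        denies_all = deny_all and not allows
        if deny_all and allows:
            warnings.append("Allow directives re-admit hosts despite 'Deny from all': "
                            + "; ".join(allows))
        if not deny_all:
            warnings.append("no 'Deny from all' inside the <Limit POST> block")
    else:
        denies_all = deny_all or not allows
    return denies_all, warnings


def audit_post_workaround(config_text):
    """Summarise whether the configuration text refuses HTTP POST to every client."""
    blocks = _directives_in_limit_post(config_text)
    report = {"limit_post_present": bool(blocks),
              "post_denied_for_all": False,
              "warnings": []}
    if not blocks:
        report["warnings"].append("no <Limit POST> block found; POST is not restricted here")
        return report
    for lines in blocks:
        denies_all, warnings = _block_denies_all(lines)
        report["warnings"].extend(warnings)
        report["post_denied_for_all"] = report["post_denied_for_all"] or denies_all
    return report


if __name__ == "__main__":
    print(is_affected("PHP 4.2.1 (cli) (built: Jul 22 2002)"))  # constructed banner
    print(audit_post_workaround(ADVISORY_WORKAROUND))
    print(audit_post_workaround(CONTRADICTED_WORKAROUND))
```

Run it against the main httpd.conf and every .htaccess that applies to the PHP application; a report with "post_denied_for_all" set to False and a non-empty warning list means the workaround is present but ineffective, and upgrading to 4.2.2 remains the only real fix.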
Credits
The PHP Group would like to thank Stefan Esser of e-matters GmbH for discovering this vulnerability.
Copyright (c) 2002 The PHP Group.
Waiting for the exploit. Could be quite interesting 🙂 Can't download the new PHP; their server is probably overloaded. With great effort I got as far as the download page, and no further 🙂 Looks like people want it.
Well, now we're in deep shit. What a mess.
Good thing the 4.0 series doesn't have the bug…
Actually, the release of 4.2.x didn't please the PHP crowd anyway. Accordingly, 4.1.x should be OK enough.
coolynx: why didn't it please them? btw, I managed to download 4.2.2
BigUgga: people said it was a very glitchy version.
More likely that was said about 4.2.1, because I myself somehow couldn't get the superglobal arrays to work in that version, i.e. $_SERVER, $_SESSION etc.
… the exploit is already available 😛
But it says the bug isn't effective on IA32. And since IMHO the majority use x.86 specifically, then …
Although a DoS is hard to call ineffective… 🙂
aleksejs: ‘The vulnerability can still be used on IA32 to crash PHP and, in most cases, the web server.’
coolynx: where's the exploit? give me the link, at least by mail :)~ need to check it….
Meh.. the move to 4.2.1 was pretty heavy.. had to rewrite about 80% of all the scripts.. couldn't get used to having to use import_request_variables or $_POST blah blah :))) sessions weren't that simple either 🙂 but whatever.. now everything rocks. I got used to it 🙂
4.2.2 doesn't seem to have anything special in it.. don't feel like upgrading again 🙂
To Aleksejs: “And since IMHO the majority use x.86 specifically”? The majority of whom? Your acquaintances? Study the official statistics, even just the ones available at PHP headquarters. imho PHP on win32 sucks badly… the only thing that has so far worked better there than on Linux is ldap, and even that only because I was too lazy to compile a second time 🙂
To Gedrimais: Somehow I always thought x.86 had nothing to do with Win32… 🙂
Well, I really do think that most of my acquaintances (as well as the readers of this pod) have servers of the x.86 architecture… Apparently I was mistaken. Sorry. 😉
Gedrimais is confusing the OS with the processor architecture :)~
yeah, yeah, PC without Windows is like ice cream without ketchup, but what a flame war that stirred up 🙂 eh, I should probably stop swallowing those nerve pills today… lucky that bugs like these aren't found in PHP every day, I'd even say big bugs 🙂
Actually I've never heard of this IA32 (a real little-donkey platform, eh), so it's even a bit strange that those security experts are so excited that it's not exploitable… who even uses that IA?
To wx: You surely have SPARC, SGI, Apple and other super-cool machines at home, right? :}
From the series: “You must be joking, right?”