PGP SIGNED MESSAGE-----
CA-2002-21 Vulnerability in PHP
release date: July 22, 2002
Last revised: --
revision history can be found at the end of this file.
running PHP versions 4.2.0 or 4.2.1
has been discovered in PHP. This vulnerability could
be used by a remote attacker to execute arbitrary code or crash PHP
and/or the web server.
a popular scripting language in widespread use. For more
information about PHP, see
occurs in the portion of PHP code responsible for
handling file uploads, specifically multipart/form-data. By sending
specially crafted POST request to the web server, an attacker can
corrupt the internal data structures used by PHP. Specifically, an
intruder can cause an improperly initialized memory structure to be
freed. In most cases, an intruder can use this flaw to crash PHP or
the web server. Under some circumstances, an intruder may be able to
take advantage of this flaw to execute arbitrary code with the
privileges of the web server.
be aware that freeing memory at inappropriate times in some
implementations of malloc and free does not usually result in the
execution of arbitrary code. However, because PHP utilizes its own
memory management system, the implementation of malloc and free is
irrelevant to this problem.
Esser of e-matters GmbH has indicated that intruders cannot
execute code on x86 systems. However, we encourage system
administrators to apply patches on x86 systems as well to guard
against denial-of-service attacks and as-yet-unknown attack techniques
that may permit the execution of code on x86 architectures.
was discovered by e-matters GmbH and is described
in detail in their advisory. The PHP Group has also issued an
advisory. A list of vendors contacted by the CERT/CC and their status
regarding this vulnerability is available in VU#929115.
this vulnerability only affects PHP 4.2.0 and 4.2.1,
e-matters GmbH has previously identified vulnerabilities in older
versions of PHP. If you are running older versions of PHP, we
encourage you to review
attacker can execute arbitrary code on a vulnerable system.
An attacker may not be able to execute code on x86 architectures due
to the way the stack is structured. However, an attacker can leverage
this vulnerability to crash PHP and/or the web server running on an
patch from your vendor
A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please contact your vendor directly.
to the latest version of PHP
If a patch
is not available from your vendor, upgrade to version
patches or an update can be applied, you may wish to deny POST
requests. The following workaround is taken from the PHP Security
PHP applications on an affected web server do not rely on
HTTP POST input from user agents, it is often possible to deny POST
requests on the web server.
Apache web server, for example, this is possible with the
following code included in the main configuration file or a
top-level .htaccess file:
Deny from all
an existing configuration and/or .htaccess file may have
parameters contradicting the example given above.
you can upgrade or apply patches, you may wish to disable PHP.
As a best practice, the CERT/CC recommends disabling all services that
are not explicitly required. Before deciding to disable PHP, carefully
consider your service requirements.
A. - Vendor Information
contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If
particular vendor is not listed below, we have not received their
X and Mac OS X Server are shipping with PHP version
4.1.2 which does not contain the vulnerability described in
OpenLinux does not provide either vulnerable version
(4.2.0, 4.2.1) of PHP in their products. Therefore, Caldera
products are not vulnerable to this issue.
Compaq Computer Corporation, a wholly-owned subsidiary
of Hewlett-Packard Company and Hewlett-Packard Company HP
Services Software Security Response Team
x-ref: SSRT2300 php post requests
At the time of writing this document, Compaq is currently
investigating the potential impact to Compaq's released
Operating System software products.
As further information becomes available Compaq will provide
notice of the availability of any necessary patches through
standard security bulletin announcements and be available from
your normal HP Services supportchannel.
Inc. does not supply PHP on any of its systems.
GNU/Linux stable aka 3.0 is not vulnerable.
Debian GNU/Linux testing is not vulnerable.
Debian GNU/Linux unstable is vulnerable.
The problem effects PHP versions 4.2.0 and 4.2.1. Woody ships
an older version of PHP (4.1.2), that doesn't contain the
does not include any version of PHP by default, and so
is not vulnerable; however, the FreeBSD Ports Collection does
contain the PHP4 package. Updates to the PHP4 package are in
progress and a corrected package will be available in the near
Digital has not shipped PHP 4.2.x in any versions of
EnGarde, therefore we are not believed to be vulnerable at this
Hewlett-Packard Company Security Response Team
At the time of writing this document, Hewlett Packard is
currently investigating the potential impact to HP's released
Operating System software products.
As further information becomes available HP will provide notice
of the availability of any necessary patches through standard
security bulletin announcements and be available from your
normal HP Services support channel.
not vulnerable to the above vulnerabilities in PHP. We
do supply the PHP packages for AIX through the AIX Toolbox for
Linux Applications. However, these packages are at 4.0.6 and
also incorporate the security patch from 2/27/2002.
Linux does not ship with PHP version 4.2.x and as such
is not vulnerable. The Mandrake Linux cooker does currently
contain PHP 4.2.1 and will be updated shortly, but cooker
should not be used in a production environment and no advisory
will be issued.
products are not affected by the issues detailed in
products are vulnerable to this.
our commercial releases ship with vulnerable versions
of PHP (4.2.0, 4.2.1).
is not vulnerable to this problem, as we do not ship
acknowledges e-matters GmbH for discovering and reporting
Ian A. Finlay.
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to firstname.lastname@example.org. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2002 Carnegie Mellon University.
July 22, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----