php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15736 Security Exploit
Submitted: 2002-02-26 13:31 UTC Modified: 2002-02-28 18:18 UTC
Votes:8
Avg. Score:5.0 ± 0.0
Reproduced:1 of 3 (33.3%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: n2wog at usa dot net Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: 4.1.1 OS: All UNIX
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: n2wog at usa dot net
New email:
PHP Version: OS:

 

 [2002-02-26 13:31 UTC] n2wog at usa dot net
There's a security exploit for php that gives you remote root by binding a rootshell to a high port. Exploits php before apache demotes its privledges.  Looks like it uses the POST method. Buffer overflow.

I don't have the program (binary) available as a friend of mine had limited access to it. BUt it affect ALL versions of php.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-26 13:34 UTC] n2wog at usa dot net
I am trying to get the source code, or at least an strace of the binary used for this exploit.
 [2002-02-26 13:41 UTC] rasmus@php.net
Well, the part of doing this before Apache demotes its priviledges doesn't sound feasible to me.  Apache forks child processes as a non-privileged user.  You can't get it to serve up a PHP request as root.  And if you could, then why use a "high port" as you mentioned?  We will however have a fix for the file upload buffer overflow shortly.  In the meantime, simply turn off file uploads in your php.ini file to protect yourself against this.
 [2002-02-27 20:54 UTC] denis at ikke dot no
The patch for file rfc1867.c applied to php 4.0.6 seems to not work when trying to upload from Opera 6.01 (on Windows).
Uploading in Internet Explorer (6.0) seems to work allright, whereas uploading with Opera simply either times out or just fails (without any errors).
 [2002-02-28 02:11 UTC] sniper@php.net
This bug has already been fixed in the latest released version of
PHP, which you can download at http://www.php.net/downloads.php


 [2002-02-28 02:27 UTC] sniper@php.net
..and I take this back, it's fixed in CVS but not in any
release.

 [2002-02-28 12:46 UTC] jflemer@php.net
Shouldn't the patch on the downloads page also include this patch by Rasmus?

http://cvs.php.net/diff.php/php4/main/rfc1867.c?r1=1.71.2.2&r2=1.71.2.3&ty=u
 [2002-02-28 18:18 UTC] sniper@php.net
I was wrong, the exploit is fixed. Rasmus fixed just one
segfault.

 [2002-02-28 23:06 UTC] spinaltapx at yahoo dot com
What is the command to install this PHP 4.0.6 patch?  Solarix 8x86 doesn't have a "patch -u" option...  I also tried:

patch -p1 rfc1867.c.diff-4.0.6.PHPpatch
patch -c rfc1867.c.diff-4.0.6.PHPpatch
patch -irfc1867.c.diff-4.0.6.PHPpatch

# ls -laF
-rw-r--r--   1 bin      bin         6802 Feb 28 18:21 rfc1867.c.diff-4.0.6.PHPpatch
-rw-r--r--   1 bin      bin          310 Feb 28 19:44 rfc1867.h
-rw-r--r--   1 bin      bin          310 Sep  9  2000 rfc1867.h.prePHPpatch

Help!
Thanks guys.
 [2002-03-07 20:00 UTC] phobo at paradise dot net dot nz
PHP 4.1.2's existance should be reported on the Front Page, perhaps simply stating "offering a number of important security fixes" ?

Other people like me have to write things like this:
http://www.youngit.org.nz/xmb/viewthread.php?tid=89#pid642
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Nov 24 00:01:27 2024 UTC