php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #15736 Security Exploit
Submitted: 2002-02-26 13:31 UTC Modified: 2002-02-28 18:18 UTC
Votes:8
Avg. Score:5.0 ± 0.0
Reproduced:1 of 3 (33.3%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: n2wog at usa dot net Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: 4.1.1 OS: All UNIX
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2002-02-26 13:31 UTC] n2wog at usa dot net 
There's a security exploit for php that gives you remote root by binding a rootshell to a high port. Exploits php before apache demotes its privledges.  Looks like it uses the POST method. Buffer overflow.

I don't have the program (binary) available as a friend of mine had limited access to it. BUt it affect ALL versions of php.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-26 13:34 UTC] n2wog at usa dot net 
I am trying to get the source code, or at least an strace of the binary used for this exploit.
 [2002-02-26 13:41 UTC] rasmus@php.net 
Well, the part of doing this before Apache demotes its priviledges doesn't sound feasible to me.  Apache forks child processes as a non-privileged user.  You can't get it to serve up a PHP request as root.  And if you could, then why use a "high port" as you mentioned?  We will however have a fix for the file upload buffer overflow shortly.  In the meantime, simply turn off file uploads in your php.ini file to protect yourself against this.
 [2002-02-27 20:54 UTC] denis at ikke dot no 
The patch for file rfc1867.c applied to php 4.0.6 seems to not work when trying to upload from Opera 6.01 (on Windows).
Uploading in Internet Explorer (6.0) seems to work allright, whereas uploading with Opera simply either times out or just fails (without any errors).
 [2002-02-28 02:11 UTC] sniper@php.net 
This bug has already been fixed in the latest released version of
PHP, which you can download at http://www.php.net/downloads.php
 [2002-02-28 02:27 UTC] sniper@php.net 
..and I take this back, it's fixed in CVS but not in any
release.
 [2002-02-28 12:46 UTC] jflemer@php.net 
Shouldn't the patch on the downloads page also include this patch by Rasmus?

http://cvs.php.net/diff.php/php4/main/rfc1867.c?r1=1.71.2.2&r2=1.71.2.3&ty=u
 [2002-02-28 18:18 UTC] sniper@php.net 
I was wrong, the exploit is fixed. Rasmus fixed just one
segfault.
 [2002-02-28 23:06 UTC] spinaltapx at yahoo dot com 
What is the command to install this PHP 4.0.6 patch?  Solarix 8x86 doesn't have a "patch -u" option...  I also tried:

patch -p1 rfc1867.c.diff-4.0.6.PHPpatch
patch -c rfc1867.c.diff-4.0.6.PHPpatch
patch -irfc1867.c.diff-4.0.6.PHPpatch

# ls -laF
-rw-r--r--   1 bin      bin         6802 Feb 28 18:21 rfc1867.c.diff-4.0.6.PHPpatch
-rw-r--r--   1 bin      bin          310 Feb 28 19:44 rfc1867.h
-rw-r--r--   1 bin      bin          310 Sep  9  2000 rfc1867.h.prePHPpatch

Help!
Thanks guys.
 [2002-03-07 20:00 UTC] phobo at paradise dot net dot nz 
PHP 4.1.2's existance should be reported on the Front Page, perhaps simply stating "offering a number of important security fixes" ?

Other people like me have to write things like this:
http://www.youngit.org.nz/xmb/viewthread.php?tid=89#pid642
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 27 18:01:35 2024 UTC