NYCPHP Meetup

Fwd: [PHP-DEV] PHP Security Advisory: CGI vulnerability in PHP version 4.3.0

Hans Zaunere hans at nyphp.org
Mon Feb 17 13:19:17 EST 2003


--- Jani Taskinen <sniper at php.net> wrote:
> Date: Mon, 17 Feb 2003 20:01:14 +0200 (EET)
> From: Jani Taskinen <sniper at php.net>
> To: php-announce at lists.php.net, <php-dev at lists.php.net>,
>    <php-general at lists.php.net>
> Subject: [PHP-DEV] PHP Security Advisory: CGI vulnerability in PHP version
> 4.3.0
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>    PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
> 
> Issued on: February 17, 2003
> Software:  PHP/CGI version 4.3.0
> Platforms: All
> 
> 
>    The PHP Group has learned of a serious security vulnerability in 
>    the CGI SAPI of PHP version 4.3.0. 
>    
> 
> Description
> 
>    PHP contains code for preventing direct access to the CGI binary with
>    configure option "--enable-force-cgi-redirect" and php.ini option
>    "cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these
>    options useless.
>    
>    NOTE: This bug does NOT affect any of the other SAPI modules.  
>          (such as the Apache or ISAPI modules, etc.)
> 
> 
> Impact
> 
>    Anyone with access to websites hosted on a web server which employs 
>    the CGI module may exploit this vulnerability to gain access to any file
>    readable by the user under which the webserver runs.
> 
>    A remote attacker could also trick PHP into executing arbitrary PHP code
> 
>    if attacker is able to inject the code into files accessible by the CGI.
> 
>    This could be for example the web server access-logs.
> 
> 
> Solution
> 
>    The PHP Group has released a new PHP version, 4.3.1, which incorporates
>    a fix for the vulnerability. All users of affected PHP versions are
>    encouraged to upgrade to this latest version. The downloads web site at
> 
>       http://www.php.net/downloads.php
>    
>    has the new 4.3.1 source tarballs, Windows binaries and source patch
>    from 4.3.0 available for download. You will only need to upgrade if 
>    you're using the CGI module of PHP 4.3.0. There are no other bugfixes
>    contained in this release.
> 
> 
> Workaround
> 
>    None.
> 
>  
> Credits
> 
>    The PHP Group would like to thank Kosmas Skiadopoulos for discovering 
>    this vulnerability.
> 
> 
> Copyright (c) 2003 The PHP Group.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE+USOr/HlsOzK2WlERAtLKAJ9GPbPt6Vg77zIcPTGKh78WofmmeACgneDV
> tUERfwp/RXtcH13vdv0CGGY=
> =rYm5
> -----END PGP SIGNATURE-----
> 
> 
> 
> -- 
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


=====
Hans Zaunere
President, New York PHP
http://nyphp.org
hans at nyphp.org



More information about the talk mailing list