From:             [EMAIL PROTECTED]
Operating system: FreeBSD 4.2, 4.4
PHP version:      4.1.2
PHP Bug Type:     Reproducible crash
Bug description:  vulnerabilities in PHP's file upload code - still uncovered in 4.1.2

Dear gentlemen,

On February 28 a notice appeared regarding the problem concerning
file upload in PHP. The description of the problem can be found at
http://security.e-matters.de/advisories/012002.html

 "Release Date:   2002/02/27
  Author:         Stefan Esser [[EMAIL PROTECTED]]
  Application:    PHP v3.0.10-v3.0.18, v4.0.1-v4.1.1
  Severity:       Several vulnerabilities in PHP's fileupload
                  code allow remote compromise
  Risk:           Critical
  Reference:      http://security.e-matters.de/advisories/012002.html
  Last Modified:  2002/02/28 "

We applied the patch that was made by the PHP developers and is available
at http://www.php.net/downloads.php

(http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz)
We applied the given patch to PHP 4.1.0 and supposed that we would no
longer encounter the problem described above.

An exploit appeared recently which, when run against the patched PHP 4.1.0
on FreeBSD (versions 4.2 and 4.4), crashes the Apache child process
(segmentation fault).
(Exploit text: http://packetstormsecurity.nl/0203-exploits/phpxpl.c)
I.e. the PHP patch officially released on February 28 doesn't solve this
problem completely.
We downloaded PHP version 4.1.2. The situation repeated on this PHP
version as well.

We have some questions in this regard:
- is a new PHP version release planned (4.1.3, for example) in which there
will be no such vulnerability?
- are there any patches planned for release for the available PHP versions,
to work around this vulnerability?

If such workarounds are planned, by what time should we expect them to
become available?

Thank you, 
Dmitry Zinin
-- 
Edit bug report at http://bugs.php.net/?id=16067&edit=1