Lethal vulnerability in PHP requires upgrade

PHP, a server-side scripting language popular with Apache Web server administrators, has a serious flaw that could give an attacker complete access to the server. Intel platform servers are less vulnerable to this potential attack but should also be attended to.

Risk level: critical

Although there are no reports of actual attacks based on this vulnerability yet, it is a critical threat because it can allow the attacker to run any arbitrary code on the server. The PHP Group describes this vulnerability as "serious." It can be exploited by both local and remote users.

Applicability

PHP ships with most versions of Linux, and VnuNet reports that as many as two million Web servers could be vulnerable to this particular flaw. PHP is often used as a replacement for CGI scripts, and it can provide a way to connect Apache to backend databases such as MySQL.

CERT reports that this flaw affects PHP versions 4.2.0 and 4.2.1. See CERT Advisory CA-2002-21 Vulnerability in PHP.

Mitigating factors

Intel (x86) platforms will probably not be vulnerable to arbitrary code execution through this flaw, but they will almost certainly crash. So although it is a less critical issue for those servers, it is still a serious problem that must be addressed.

Fix: Upgrade to PHP 4.2.2

The PHP Group says that the upgrade includes no changes other than the fix for this vulnerability, "so upgrading from 4.2.1 is safe and painless." The PHP Group has provided complete source code for PHP 4.2.2 and individual patches for 4.2.0 and 4.2.1, as well as Windows binaries, at its download site.
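To find hosts that still need the upgrade, collected HTTP response headers can be triaged against the versions named above. The following is an added example, not code from the article or the PHP Group; the `host<TAB>header` input format, the hostnames, the sample banners and the status labels are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): triage collected HTTP response
# headers for the PHP versions the article lists as affected.

# Pull the first "PHP/x.y.z" token out of a header line such as
# "Server: Apache/1.3.26 (Unix) PHP/4.2.1" or "X-Powered-By: PHP/4.2.1".
php_version_from_header() {
    printf '%s\n' "$1" |
        sed -n 's|.*PHP/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Map a version to a status using only what the article states:
# 4.2.0 and 4.2.1 are affected, 4.2.2 carries the fix.
classify_php_version() {
    case "$1" in
        4.2.0|4.2.1) echo "AFFECTED" ;;
        4.2.2)       echo "FIXED" ;;
        "")          echo "UNKNOWN" ;;    # no PHP banner seen: verify on the host
        *)           echo "NOT-LISTED" ;; # outside the versions the article names
    esac
}

# Read "host<TAB>header line" records on stdin, print "host version status".
audit_banners() {
    while IFS="$(printf '\t')" read -r host header; do
        [ -n "$host" ] || continue
        ver=$(php_version_from_header "$header")
        printf '%s %s %s\n' "$host" "${ver:--}" "$(classify_php_version "$ver")"
    done
}

# Constructed sample inventory (hostnames and banners are made up).
sample_inventory() {
    printf 'web01\tServer: Apache/1.3.26 (Unix) PHP/4.2.1\n'
    printf 'web02\tX-Powered-By: PHP/4.2.2\n'
    printf 'web03\tServer: Apache/1.3.26 (Unix) PHP/4.1.2\n'
    printf 'web04\tServer: Apache\n'
    printf 'web05\tX-Powered-By: PHP/4.2.0\n'
}

sample_inventory | audit_banners
```

Banners can be suppressed or altered, so a host reported as UNKNOWN is unverified, not safe; confirm the installed PHP version on the host itself.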

Details

The problem lies in the code that parses the headers of HTTP POST requests sent as multipart/form-data. The parser doesn't adequately check its input, so the flaw can be exploited by anyone who can send HTTP POST requests to the server, even on Web servers protected by good, well-configured firewalls.

IA32 platforms are safe as far as running arbitrary code but will still crash if this attack is implemented.

Final word

It's important to recall that Apache/Linux servers are not immune from serious, even critical vulnerabilities, whether they come from the server software itself or any of the popular add-ons. One of my biggest worries is that people running non-Microsoft software are buying into the common hype about how Linux and virtually anything without a Redmond connection is safe and secure because those products are less of a target. In fact, no operating system or application is immune from vulnerabilities or hacker interest.

Yes, certainly I would prefer to rely on something more stable and secure than Microsoft; FreeBSD is one of my favourites. But I always remember that nothing is 100 percent safe.

©2001 TechRepublic, Inc.
