[thelist] For PHP Users

the head lemur headlemur at clearskymail.com
Mon Jul 22 16:34:00 CDT 2002


Serious PHP vulnerability reported

"The PHP form-data POST handler is susceptible to a malicious POST request
that can trigger an error condition which, depending on your hardware, can
crash the machine or provide for remote exploitation.

On an Intel x86 machine an attacker has no control over memory
allocation/recovery and can only cause a denial of service; on a
Sparc/Solaris machine an attacker would be able to free chunks of memory and
overwrite them arbitrarily to run code.

PHP versions 4.2.0 and 4.2.1 are vulnerable. The PHP Group has released both
a fixed version and patches, including binaries for Windows, available for
download here.

If immediate tinkering proves inconvenient, the team recommends a temporary
workaround of denying POST requests on any affected servers."

Source: The Register
http://www.theregister.co.uk/content/55/26316.html

the head lemur
News: http://www.lemurzone.com/news/
Interviews: http://www.lemurzone.com/pixelview/
Standards: http://webstandards.org
Community: http://www.evolt.org




