php update (was Re: Rumours about Apache 1.3.22 exploits)

[Christopher McCrory <chrismcc () pricegrabber com>]

Hello...

There is an anouncement and patches available at php's web site:

http://www.php.net/
http://security.e-matters.de/advisories/012002.html

The bug report is here:
http://bugs.php.net/bug.php?id=15736

it recomends turning off file uploads as a work around



H D Moore wrote:
> On Saturday 23 February 2002 06:12 pm, Pedro Hugo wrote:
>
> > There are rumours about an exploit for apache 1.3.22 at least...
> > Don't have yet details on it...
> > Anyone else heard about it ?
>
> Disclaimer:  I have no exploits, dont ask for any. If you really want 
> details, do a source diff on php 4.0.6 and 4.1.x for rfc1687.c.
>
> There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a 
> working exploit floating around which provides a remote bindshell for PHP 
> versions 4.0.1 to 4.0.6 with a handful of default offsets for different 
> platforms. Since the PHP developers commited another change to the affected 
> source file (rfc1687.c) about two days ago, speculation is that there is yet 
> another remote exploit. There are tools floating around whch demonstrate 
> numerous SEGV's in the PHP module, not only in the mime decoder...
>
> Exploits have been floating around for at least 2 months, you would think 
> someone would step up and shed some light on this to the general public by 
> now.  The sad thing is that certain folks in the "security industry" have 
> known about this for almost as long as there have been exploits, yet nothing 
> was ever made public.



--
Christopher McCrory
 "The guy that keeps the servers running"

chrismcc () pricegrabber com
 http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.