Lethal vulnerability in PHP requires an upgrade

PHP has become a popular scripting program with the Apache Web server and is often used to replace less secure scripts in CGI bins. But now, a critical flaw has been discovered in PHP itself, which could pose a danger to many Web servers.

PHP, a server-side scripting language popular with Apache Web server administrators, has a serious flaw that could give an attacker complete access to the server. Intel platform servers are less vulnerable to this potential attack but should also be attended to.

Risk level—critical
Although there are no reports of actual attacks based on this vulnerability yet, it is a critical threat because it can allow the attacker to run any arbitrary code on the server. The PHP Group describes this vulnerability as "serious." It can be exploited by both local and remote users.

PHP ships with most versions of Linux, and VnuNet reports that as many as two million Web servers could be vulnerable to this particular flaw. PHP is often used as a replacement for CGI scripts, and it can provide a way to connect Apache to backend databases such as MySQL.

CERT reports that this flaw affects PHP versions 4.2.0 and 4.2.1. See CERT Advisory CA-2002-21 Vulnerability in PHP.

Mitigating factors
Intel (X86) platforms will probably not be vulnerable to an exploit of PHP attempting to run arbitrary code but will almost certainly crash. So although it is a less critical issue for those servers, it is still a serious problem that must be addressed.

Fix: Upgrade to PHP 4.2.2
The PHP Group says that the upgrade includes no changes other than the fix for this vulnerability, "so upgrading from 4.2.1 is safe and painless." The PHP Group has provided complete source code for PHP 4.2.2 and individual patches for 4.2.0 and 4.2.1, as well as Windows binaries, at its download site.

The problem lies in the code used to parse the headers of HTTP POST requests, which are multipart/form data requests. The parser doesn't adequately check the input, so this can be exploited by anyone who can send HTTP POST requests, even on Web servers protected by good, well-configured firewalls.

IA32 platforms are safe as far as running arbitrary code but will still crash if this attack is implemented.

Final word
It's important to recall that Apache/Linux servers are not immune from serious, even critical vulnerabilities, whether they come from the server software itself or any of the popular add-ons. One of my biggest worries is that people running non-Microsoft software are buying into the common hype about how Linux and virtually anything without a Redmond connection is safe and secure because those products are less of a target. In fact, no operating system or application is immune from vulnerabilities or hacker interest.

Yes, certainly I would prefer to rely on something more stable and secure than Microsoft—FreeBSD is one of my favorites. But I always remember that nothing is 100 percent safe.

Editor's Picks