Slashdot Mirror


PHP Vulnerability Announced

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).

12 of 47 comments

  1. www.php.net/downloads.php by mnordstr · · Score: 3, Funny

    Parse error: parse error, unexpected T_SL in /local/Web/sites/phpweb/downloads.php on line 81

    Huh??! Bad karma ;)

    1. Re:www.php.net/downloads.php by Henry+V+.009 · · Score: 3, Informative

      I went to upgrade php and got that as well. It's the same for the mirrors. This doesn't bode well.

  2. Where to get the file by Anonymous Coward · · Score: 2, Informative

    Download directly from here. Change the server name to a mirror closer to you if you want.

    http://uk.php.net/distributions/php-4.2.2.tar.bz2
    or
    http://uk.php.net/distributions/php-4.2.2.tar.gz

  3. Something tells me I shouldn't be doing this by questionlp · · Score: 2

    but... I have mirrored the PHP 4.2.2 tar/bz2 ball on my server (over DSL)... you can access it via FTP at closedsrc.org with anon/anon, or the link below:

    ftp://anon:anon@closedsrc.org/.

    The md5sum file is based on the md5 checksum provided by the FreeBSD port distinfo file.

    I know I'm asking for it...

  4. IA32 "safe" from this? by Dr.Dubious+DDQ · · Score: 3, Interesting

    If I read the bugtraq announcement correctly, IA32 (including, I assume, my K6-2 Linux box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...

  5. Re:Apache 2.0.39 incompatibility by Scoria · · Score: 2

    I incorrectly assigned the "superuser" label to the command 'make'. You may execute the 'make' command either as root or a normal user.

    'make install', however, must be performed as root.

    --
    Do you like German cars?

  6. 420 makes you vulnerable! by Thing+1 · · Score: 3, Funny

    The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1.

    I can understand a certain amount of vulnerability after 420...

    --
    I feel fantastic, and I'm still alive.

  7. X86 Linux? by Chuck+Chunder · · Score: 3, Funny

    According to the announcements the only thing the vulnerability can do is cause your webserver to crash.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park

  8. Re:Why is this not front-page? by quinto2000 · · Score: 3, Interesting

    Here's one reason:

    Impact

    Both local and remote users may exploit this vulnerability to compromise
    the web server and, under certain conditions, to gain privileged access.
    So far only the IA32 platform has been verified to be safe from the
    execution of arbitrary code. The vulnerability can still be used on IA32
    to crash PHP and, in most cases, the web server.

    This isn't really a problem on the most widely used platforms for PHP. I was looking to see if the new Debian package had been uploaded yet, but now I'm not even going to bother. I don't care if someone "may" crash the webserver that much.

    --
    Ceci n'est pas un post

  9. Re:Apache 2.0.39 incompatibility by chregu · · Score: 2, Informative

    It's a security bug fix release. Only this bug was fixed to get it out as soon as possible. PHP 4.2.3 will have more bugs fixed (+ a proper QA) and should be released in the next weeks.

    chregu

  10. Re:*sigh* by dzym · · Score: 3, Informative

    But then again, the good folks at Apache didn't think the chunked encoding vulnerability could be used to execute arbitrary code on 32-bit platforms.

    Gobbles proved them wrong.

  11. Re:Shouldn't be a problem by JCCyC · · Score: 2

    While the mirror is a good idea, most folks aren't going to download from an unofficial/untrusted source

    Not necessarily. Get the MD5 sum from the official site, then the tarball from the unofficial site. If it bunzips like a duck and md5sums like a duck...
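The procedure in comment 11 (official MD5, unofficial tarball), together with the distinfo-style checksum file mentioned in comment 3, as an added POSIX sh example that is not part of the thread: a function that reads the expected MD5 for a file name from a BSD `distinfo`-style file and compares it with the tarball fetched from a mirror. The `MD5 (name) = hex` line format, the function names, and every hash value below are assumptions or constructed for the demo, not the real PHP 4.2.2 checksums.

```shell
#!/bin/sh
# Added example, not code from the thread: check a tarball fetched from an
# untrusted mirror against the MD5 published by the official source.
# The checksum file is assumed to use the BSD distinfo line format
#   MD5 (php-4.2.2.tar.bz2) = <hex>
# (hash values used with this script are constructed, not the real ones).

# Print the MD5 of a file as a bare hex string (GNU coreutils or OpenSSL).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Extract the expected MD5 for file name $2 from distinfo-style file $1.
# Prints nothing when no matching "MD5 (name) = hex" line exists.
expected_md5() {
    sed -n "s/^MD5 ($2) = \([0-9a-fA-F]*\)\$/\1/p" "$1" | head -n 1
}

# verify_tarball DISTINFO TARBALL
# Exit status: 0 when the tarball matches the official entry,
# 1 on mismatch, 2 when distinfo has no entry for that file name.
verify_tarball() {
    distinfo=$1
    tarball=$2
    name=$(basename "$tarball")
    want=$(expected_md5 "$distinfo" "$name")
    if [ -z "$want" ]; then
        echo "no MD5 entry for $name in $distinfo" >&2
        return 2
    fi
    got=$(file_md5 "$tarball")
    if [ "$got" = "$want" ]; then
        echo "OK: $name matches the official MD5"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}
```

The check only detects a tampered mirror copy if the distinfo itself came over a trusted channel (the official site, not the same mirror); a current release process would publish a SHA-256 or a signature rather than MD5, but the comparison logic is the same.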