<?php
$_SERVER['BASE_PAGE'] = 'releases/4_2_2.php';
include_once __DIR__ . '/../include/prepend.inc';
site_header("PHP 4.2.2 Release Announcement");
?>

<h1>
 PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
</h1>

<p>[ <a href="/releases/4_2_2_fr.php">Version Française</a> ]</p>

<dl>
 <dt>Issued on:</dt>
 <dd>July 22, 2002</dd>
 <dt>Software:</dt>
 <dd>PHP versions 4.2.0 and 4.2.1</dd>
 <dt>Platforms:</dt>
 <dd>All</dd>
</dl>

<p>
 The PHP Group has learned of a serious security vulnerability in PHP
 versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
 code with the privileges of the web server. This vulnerability may be
 exploited to compromise the web server and, under certain conditions,
 to gain privileged access.
</p>

<h2>Description</h2>

<p>
 PHP contains code for intelligently parsing the headers of HTTP POST
 requests. The code is used to differentiate between variables and files
 sent by the user agent in a "multipart/form-data" request. This parser
 has insufficient input checking, leading to the vulnerability.
</p>

<p>
 The vulnerability is exploitable by anyone who can send HTTP POST
 requests to an affected web server. Both local and remote users, even
 from behind firewalls, may be able to gain privileged access.
</p>

<h2>Impact</h2>

<p>
 Both local and remote users may exploit this vulnerability to compromise
 the web server and, under certain conditions, to gain privileged access.
 So far only the IA32 platform has been verified to be safe from the
 execution of arbitrary code. The vulnerability can still be used on IA32
 to crash PHP and, in most cases, the web server.
</p>

<h2>Solution</h2>

<p>
 The PHP Group has released a new PHP version, 4.2.2, which incorporates
 a fix for the vulnerability. All users of affected PHP versions are
 encouraged to upgrade to this latest version. <a href="/downloads.php">The
 downloads page</a> has the new 4.2.2 source tarballs, Windows binaries
 and source patches from 4.2.0 and 4.2.1 available for download.
</p>

<h2>Workaround</h2>

<p>
 If the PHP applications on an affected web server do not rely on HTTP
 POST input from user agents, it is often possible to deny POST requests
 on the web server.
</p>

<p>
 In the Apache web server, for example, this is possible with the
 following code included in the main configuration file or a top-level
 .htaccess file:
</p>

<pre>
&lt;Limit POST&gt;
 Order deny,allow
 Deny from all
&lt;/Limit&gt;
</pre>

<p>
 Note that an existing configuration and/or .htaccess file may have
 parameters contradicting the example given above.
</p>

<h2>Credits</h2>

<p>
 The PHP Group would like to thank Stefan Esser of e-matters GmbH for
 discovering this vulnerability. e-matters GmbH has also released an
 <a href="http://security.e-matters.de/advisories/022002.html">independent
 advisory</a>, describing the vulnerability in more detail.
</p>

<?php site_footer(); ?>
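<p>
 For the Workaround section above, an added example (not part of the PHP
 Group's advisory): a check over an Apache access log that lists which
 scripts receive POST requests and which POSTs were answered with anything
 other than 403, useful both before applying the Limit POST block and after
 it to spot contradicting configuration. It assumes Common/Combined Log
 Format; the function names and sample log lines are constructed for
 illustration.
</p>

```python
import re
from collections import Counter

# Apache Common/Combined Log Format (assumed):
# host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jul/2002:10:01:02 +0000] "GET /index.php HTTP/1.0" 200 5120
192.0.2.11 - - [22/Jul/2002:10:01:09 +0000] "POST /contact.php HTTP/1.0" 200 812
192.0.2.11 - - [22/Jul/2002:10:02:30 +0000] "POST /contact.php?x=1 HTTP/1.0" 200 812
198.51.100.7 - - [22/Jul/2002:10:03:41 +0000] "POST /upload.php HTTP/1.1" 403 291
198.51.100.7 - - [22/Jul/2002:10:03:55 +0000] "HEAD / HTTP/1.1" 200 0
not a log line
"""

def post_summary(log_text):
    """Return {path: Counter({status: n})} for POST requests only."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "POST":
            continue  # skip unparsable lines and non-POST methods
        path = m.group(3).split("?", 1)[0]  # group by script, ignore query string
        summary.setdefault(path, Counter())[int(m.group(4))] += 1
    return summary

def posts_still_served(log_text):
    """Paths where a POST got any status other than 403 Forbidden.

    Before the workaround: scripts that receive POST input and may break.
    After the workaround: requests the Limit POST block did not deny.
    """
    return sorted(p for p, c in post_summary(log_text).items()
                  if any(status != 403 for status in c))

if __name__ == "__main__":
    for path, statuses in sorted(post_summary(SAMPLE_LOG).items()):
        print(path, dict(statuses))
    print("POST not denied:", posts_still_served(SAMPLE_LOG))
```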