PHP contains vulnerability in "php_mime_split" function allowing arbitrary code execution

Overview

Vulnerabilities in PHP versions 3 and 4 could allow an intruder to execute arbitrary code with the privileges of the web server.

Description

PHP is a scripting language widely used in web development. PHP can be installed on a variety of web servers, including Apache, IIS, Caudium, Netscape and iPlanet, OmniHTTPd and others. Vulnerabilities in the php_mime_split function may allow an intruder to execute arbitrary code with the privileges of the web server. For additional details, see

<http://security.e-matters.de/advisories/012002.html&gt;

Web servers that do not have PHP installed are not affected by this vulnerability.

---

Impact

Intruders can execute arbitrary code with the privileges of the web server, or interrupt normal operations of the web server.

---

Solution

Upgrade to PHP version 4.1.2, available from <http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz&gt;. If upgrading is not possible, apply patches as described at <http://www.php.net/downloads.php&gt;:

For PHP 4.10/4.11
<http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz&gt;

For PHP 4.06
<http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz&gt;

For PHP 3.0
<http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz&gt;

If you are using version 4.20-dev, you are not affected by this vulnerability. Quoting from http://security.e-matters.de/advisories/012002.htm, "users running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completly rewritten for the 4.2.0 branch. "

---

If upgrading is not possible or a patch cannot be applied, you can avoid these vulnerabilities by setting file_uploads = Off in the php.ini file for version 4.0.3 and above. This will prevent you from using fileuploads, which may not be acceptable for your operation.

---

Vendor Information

297363

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apache Software Foundation __ Affected

Updated: February 27, 2002

Status

Affected

Vendor Statement

Information about this vulnerability is available from <http://www.php.net/&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23297363 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://security.e-matters.de/advisories/012002.html&gt;
• <http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz&gt;
• <http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz&gt;
• <http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz&gt;

Acknowledgements

Our thanks to Stefan Esser, upon whose advisory this document is based.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs:	CVE-2002-0081
Severity Metric:	55.08 Date Public: