PHP 4.2.0 and 4.2.1 Remote vulnerability
Stefan Esser (http://www.E-Matters.de) discovered a remote vulnerability in PHP versions 4.2.0 and 4.2.1.
Quote:
Taken from E-Matters.de:
We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.
The vulnerability found by E-Matters.de exploits a bug in the code that checks the headers that contain HTTP POST requests. Different stack-architecture makes non-x86 systems more vulnerable.
PHP.net has released a security advisory and urges people to update to 4.2.2, available here.
If, for some reason, you are unable to update, you are advised to deny POST requests on your webserver. PHP-net offers this guideline for the Apache webserver:
Quote:
Taken from PHP.net:
If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.
In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:
Code:
<Limit POST>
Order deny,allow
Deny from all
</Limit>
Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.
More information:
Advisory 02/2002 PHP remote vulnerability ( E-matters.de )
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 ( PHP.net )
