Stefan Esser (http://www.E-Matters.de) discovered a remote vulnerability in PHP versions 4.2.0 and 4.2.1.
The vulnerability found by E-Matters.de exploits a bug in the code that checks the headers that contain HTTP POST requests. Different stack-architecture makes non-x86 systems more vulnerable.
Taken from E-Matters.de:
We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.
PHP.net has released a security advisory and urges people to update to 4.2.2, available here.
If, for some reason, you are unable to update, you are advised to deny POST requests on your webserver. PHP.net offers this guideline for the Apache webserver:
Taken from PHP.net:
If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.
In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:
Code:
<Limit POST>
    Order deny,allow
    Deny from all
</Limit>
Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.
More information:
Advisory 02/2002 PHP remote vulnerability ( E-matters.de )
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 ( PHP.net )
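
Added example (not part of the original post or of either advisory): a small Python check for the "contradicting parameters" caveat above. It scans the text of one configuration or .htaccess file for <Limit> sections that cover POST and reports whether the deny actually holds. The function names and the sample file contents are constructed for illustration, and the check looks at a single file only.

```python
import re

# Constructed sample file contents (not taken from any real server).
MITIGATED = """\
<Limit POST>
    Order deny,allow
    Deny from all
</Limit>
"""
# Under "Order deny,allow" the Allow line is evaluated last and reopens POST.
CONTRADICTED = """\
<Limit GET POST>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Limit>
"""

# Matches <Limit ...> sections only; <LimitExcept ...> is deliberately not matched.
LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.I | re.S)

def post_blocks(config_text):
    """Yield the directives of every <Limit> section whose method list has POST."""
    for methods, body in LIMIT_RE.findall(config_text):
        if "POST" in methods.upper().split():
            lines = [line.strip() for line in body.splitlines()]
            yield [l.lower().split() for l in lines if l and not l.startswith("#")]

def check_post_denied(config_text):
    """Return (ok, reason) for the POST-deny workaround in one file's text."""
    blocks = list(post_blocks(config_text))
    if not blocks:
        return False, "no <Limit> section covers POST"
    for directives in blocks:
        if ["deny", "from", "all"] not in directives:
            return False, "section lacks 'Deny from all'"
        # Apache's default Order is deny,allow when none is given.
        order = next((d[1] for d in directives
                      if d[0] == "order" and len(d) > 1), "deny,allow")
        allows = [d for d in directives if d[0] == "allow"]
        # Only under deny,allow can a matching Allow override 'Deny from all'.
        if allows and order not in ("allow,deny", "mutual-failure"):
            return False, "Allow directive overrides Deny under Order " + order
    return True, "POST denied"

if __name__ == "__main__":
    for name, text in (("mitigated", MITIGATED), ("contradicted", CONTRADICTED)):
        print(name, check_post_denied(text))
```

Directives outside the <Limit> section, or in other files that apply to the same directory, are not evaluated here, so a passing result should still be confirmed by sending a test POST to the server.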