[ISN] PHP falls down security hole

InfoSec News isn at c4i.org
Wed Apr 20 04:14:12 EDT 2005


By Matthew Broersma
19 April 2005

Servers running PHP are vulnerable to a number of serious security
exploits, including some which could allow an attacker to execute
malicious code, as well as denial-of-service exploits, according to
the PHP Group.

The project has issued updates [1] fixing the bugs, available from the
PHP website and directly from various operating system vendors. "All
Users of PHP are strongly encouraged to upgrade to this release," the
PHP Group said in its advisory.

PHP, an open-source programming language mainly for server-side
applications, runs on server operating systems such as Linux, Unix,
Mac OS X and Windows.

Several of the flaws were discovered in PHP's EXIF module, used to
handle the Exchangeable Image file format (EXIF) specification used by
digital cameras. A bug in the module's exif_process_IFD_TAG() function
could be exploited by a specially crafted "Image File Directory" (IFD)  
tag to cause a buffer overflow and execute malicious code with the
privileges of the PHP server, according to Mandriva, which issued its
update [2] on Monday.

A second EXIF module bug could lead to an infinite recursion, causing
the executed program to crash.

Another flaw, first disclosed [3] by iDefense, affects the
"php_handle_iff()" and "php_handle_jpeg()" functions and could be
exploited by a specially formed image to cause infinite loops and
consume all available CPU resources, creating a denial of service. The
PHP update fixes a number of other security flaws, mostly less
serious, as well as non-security-related bugs.

Independent security firm Secunia originally gave the flaws a
non-critical ranking, but later changed its rating to "highly
critical" [4] as more information came to light, the company said.

Updates are being distributed by Debian, Gentoo, Suse and others.

[1] http://www.php.net/release_4_3_11.php
[2] http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
[3] http://www.idefense.com/application/poi/display?id=222
[4] http://secunia.com/advisories/14792/

More information about the ISN mailing list