PHP supports uploading of files using the HTTP POST request method. This feature is usually not a security problem in itself, because security mechanisms have been added to protect it from abuse. However, flaws in PHP's implementation of POST handling can still render it vulnerable, as the entries below show.
7/23/02
CAN 2002-0717
Due to improper handling of an error condition in POST requests of type multipart/form-data, a remote attacker could cause PHP to attempt to free a memory structure which has never been allocated. This flaw can be exploited by sending a specially crafted POST request to the PHP-enabled web server. This would result in a denial of service or, on some non-x86 platforms such as SPARC Solaris, the ability to execute arbitrary commands. PHP 4.2.0 and 4.2.1 are affected by this vulnerability if the HTTP POST method is enabled.
1/13/03
CAN 2002-1396
The PHP wordwrap function has a buffer overflow condition which could result in a denial of service or execution of arbitrary code. This condition is only a vulnerability if there are PHP scripts on the server which use wordwrap with user-supplied parameters. Otherwise, there is no means of exploitation. PHP versions greater than 4.1.2 and less than 4.3.0 are affected.
2/27/02
CVE 2002-0081
Due to a buffer overflow condition in the processing of POST requests, it could be possible for a remote attacker to gain unauthorized access to the server by sending specially crafted MIME-encoded data. PHP version 4.1.1 and earlier are affected by this vulnerability.
2/21/03
CAN 2003-0097
PHP includes a compile configuration option called --enable-force-cgi-redirect and an option in php.ini called cgi.force_redirect to protect itself from attacks when running as a CGI. However, a bug in PHP 4.3.0 renders these two options ineffective. A remote attacker could therefore read any file which is readable by the web server simply by calling it from the PHP interpreter in the CGI directory. Furthermore, the attacker could execute arbitrary commands by causing PHP code to be written to a file on the server, such as the web server logs, and then calling that file from the PHP interpreter. Only servers running PHP 4.3.0 as a CGI are affected by this vulnerability.
CVE 2001-1246
The PHP safe mode option is intended to limit the external programs which can be executed from a PHP script. However, the fifth argument to the mail command, which was introduced in PHP 4.0.5 for the purpose of passing command-line options to the Sendmail program, is not sufficiently checked for shell metacharacters. This could allow a local attacker, and in some cases a remote attacker, to bypass safe mode and execute external programs. PHP 4.0.5 through 4.1.0 are affected by this vulnerability.
Apache httpd configuration fragment from this page; placed in the server or directory configuration, it denies every POST request (and with it every file upload) to the covered location:

<Limit POST>
    Order deny,allow
    Deny from all
</Limit>

Users of PHP versions prior to 4.1.2 should download and install PHP version 4.3.1 or higher, or install the File Uploads Security Fix which is available from the same download site. If it is not possible to upgrade immediately, and you are running PHP 4.0.3 or higher, then as a workaround set the file_uploads variable to Off in the php.ini file, and restart the web server.
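To turn the version ranges and workarounds listed on this page into a repeatable check, here is an added audit script (example code, not from the page or the PHP project). The advisory table transcribes the affected ranges from the entries above; the table layout, the minimal php.ini reader, the `sapi` parameter and the sample php.ini excerpt are assumptions of this example.

```python
import re

# One row per entry on this page: (id, min version inclusive, max version exclusive,
# SAPI the entry is limited to, php.ini workaround the page names). Bounds assume
# x.y.z version numbers; None means unbounded. The row layout is this example's own.
ADVISORIES = [
    ("CVE-2002-0081", None, (4, 1, 2), None, ("file_uploads", "off")),  # POST MIME overflow
    ("CAN-2002-0717", (4, 2, 0), (4, 2, 2), None, None),               # multipart bad free
    ("CAN-2002-1396", (4, 1, 3), (4, 3, 0), None, None),               # wordwrap overflow
    ("CAN-2003-0097", (4, 3, 0), (4, 3, 1), "cgi", None),              # force_redirect bypass
    ("CVE-2001-1246", (4, 0, 5), (4, 1, 1), None, None),               # mail() safe_mode bypass
]
WORKAROUND_MIN = (4, 0, 3)  # the page says file_uploads=Off only helps from 4.0.3 up

def parse_version(text):
    """'4.2.1' -> (4, 2, 1); a suffix such as '4.3.0RC1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    return tuple(int(x) for x in m.groups())

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def audit(version, ini_text, sapi="apache"):
    """Return [(advisory id, 'vulnerable' | 'workaround applied')] for this build."""
    ver, ini, findings = parse_version(version), parse_ini(ini_text), []
    for adv_id, lo, hi, only_sapi, workaround in ADVISORIES:
        if (lo is not None and ver < lo) or (hi is not None and ver >= hi):
            continue  # version outside the affected range
        if only_sapi is not None and sapi != only_sapi:
            continue  # e.g. CAN-2003-0097 only matters for the CGI SAPI
        status = "vulnerable"
        if workaround and ver >= WORKAROUND_MIN and ini.get(workaround[0]) == workaround[1]:
            status = "workaround applied"
        findings.append((adv_id, status))
    return findings

# Constructed sample: a PHP 4.1.0 CGI build whose php.ini already disables uploads.
SAMPLE_INI = "; php.ini excerpt (constructed)\nfile_uploads = Off\ncgi.force_redirect = 1\n"

if __name__ == "__main__":
    for adv_id, status in audit("4.1.0", SAMPLE_INI, sapi="cgi"):
        print(adv_id, status)
```

Note that a "workaround applied" result only covers the php.ini setting this page names; the upgrade the page recommends is still the fix.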