Debian: 115-1 Critical: php3/php4 Remote Code Execution Flaws
debian
March 2, 2002
A broken boundary check leading to a potential heap overflow, and several flaws in how PHP handles multipart/form-data POST requests have been fixed.
Topics Covered
Summary
Stefan Esser, who is also a member of the PHP team, found several
flaws in the way PHP handles multipart/form-data POST requests (as
described in RFC1867) known as POST fileuploads. Each of the flaws
could allow an attacker to execute arbitrary code on the victim's
system.
For PHP3 flaws contain a broken boundary check and an arbitrary heap
overflow. For PHP4 they consist of a broken boundary check and a heap
off by one error.
For the stable release of Debian these problems are fixed in version
3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.
For the unstable and testing release of Debian these problems are
fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.
There is no PHP4 in the stable and unstable distribution for the arm
architecture due to a compiler error.
We recommend that you upgrade your php packages immediately.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, u...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: php3, php4
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!