Juniper Networks

Signature Detail


Short Name

HTTP:PHP:FORMAT-OF

Severity

High

Recommended

No

Recommended Action

Drop

Category

HTTP

Keywords

PHP multipart-form-data Format String

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: PHP multipart-form-data Format String


This signature detects attempts to exploit a known vulnerability against PHP. PHP 3.0.16 and 4.0.2 are vulnerable. Attackers can include a unique User-Agent field within a maliciously crafted HTTP POST request for a .php file that exists on the server. Successful attacks can allow the attacker to execute arbitrary code with permissions of the Web server.

Extended Description

PHP is a scripting language designed for CGI applications and used on many websites. All versions of PHP below PHP 4.0.3 contain a remotely exploitable format string vulnerability. The flaw is in the code that handles error logging and is present if error logging is enabled in the "php.ini" configuration file. When PHP encounters an error, a string containing user-supplied data is passed as the format string argument (the log_message variable) to the php_syslog() function, which calls *printf functions. A malicious user can therefore craft a string containing format specifiers that reaches php_syslog() as part of an error message. When the *printf functions interpret these specifiers, the process can be made to overwrite its own stack variables with arbitrary data, which can give the attacker remote access to the target host with the privileges of the web server. Error logging may or may not be enabled by default on systems shipped with PHP.
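The bug class described above, shown as an added example (not PHP's source code and not part of the original signature page): request data passed as the format argument versus passed as data behind a constant "%s". The names sink_log, log_error_unsafe, log_error_safe and format_was_interpreted are hypothetical, and the sample input is constructed and contains only the harmless "%%" specifier.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging sink such as the
   php_syslog() function named above; this is not PHP's actual code. */
static int sink_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern: the message built from request data is used AS the
   format string, so any '%' sequence in it is interpreted by *printf. */
int log_error_unsafe(char *out, size_t n, const char *log_message)
{
    return sink_log(out, n, log_message);
}

/* Hardened pattern: constant format string; request data is only an
   argument and is copied byte for byte. */
int log_error_safe(char *out, size_t n, const char *log_message)
{
    return sink_log(out, n, "%s", log_message);
}

/* Returns 1 if the logged text differs from the input, meaning the
   logger interpreted the input as a format string; 0 otherwise. */
int format_was_interpreted(const char *input, int use_safe)
{
    char out[256];
    if (use_safe)
        log_error_safe(out, sizeof out, input);
    else
        log_error_unsafe(out, sizeof out, input);
    return strcmp(out, input) != 0;
}

int main(void)
{
    const char *ua = "Agent 100%% done"; /* constructed sample value */
    printf("unsafe interpreted input: %d\n", format_was_interpreted(ua, 0));
    printf("safe interpreted input:   %d\n", format_was_interpreted(ua, 1));
    return 0;
}
```

Compilers flag the unsafe call when the sink is declared with a printf format attribute and -Wformat-security is enabled, which is a cheap way to find this pattern in existing code.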

Affected Products

  • PHP 3.0.0 0
  • PHP 4.0.0 0

References

  • BugTraq: 1786
  • CVE: CVE-2000-0967
  • URL: http://archives.neohapsis.com/archives/bugtraq/2000-10/0186.html
  • URL: http://rhn.redhat.com/errata/RHSA-2000-088.html
