Forum OpenACS Q&A: PHP vulnerable (4.2.0)

Posted by Jon Griffin on
I know some of you are running PHP. It has another very serious vulnerability. From the gentoo security list:

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST handler. While I was working on the code in my role as PHP developer I found a bug within the way the mime headers are processed. A malformed POST request can trigger an error condition that is not correctly handled. Due to this bug it could happen that an uninitialised struct gets appended to the linked list of mime headers. When the list gets cleaned or destroyed PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation those pointers contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (aka. x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout. All possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them.

Unfortunately the situation is absolutely different if you look at a Solaris SPARC installation. Here it is possible for an attacker to free chunks of memory that are fully under his control. This is most probably the case for several more non-IA32 architectures.

Please note that exploitability is not only limited to systems that are running malloc()/free() implementations that are known to be vulnerable to control structure overwrites. This is because the internal PHP memory management implements its own linked list system that can be used to overwrite nearly arbitrary memory addresses.
This ties directly into webmail for me. I realize that there are many people using IMP, Squirrelmail, etc., but they all rely on PHP. It is unfortunately a security flaw waiting to happen, kinda like BIND and worse Sendmail. Every version is the promised no-exploits version, but history is a brutal thing.

I don't even like using Apache for my proxy and am working on a solution to dump that (since AOL doesn't appear to want to add it).
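As an added example (not from this post, and not PHP's own source), a constructed C sketch of the defect class the advisory describes, written in its hardened form: a linked list of mime headers where a node is only ever linked in once fully initialised, so the list destructor never frees a stale stack pointer. The struct layout, the `Name: value` line format and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory, not PHP's own code.
 * Each mime header node owns two heap strings that the list destructor frees. */
typedef struct mime_header {
    char *name, *value;
    struct mime_header *next;
} mime_header;

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* The advisory's defect: a malloc()'d node whose fields still hold stack leftovers
 * is linked into the list on an error path, and the destructor later free()s them.
 * Hardened version: calloc() so every pointer starts NULL, and link the node only
 * after all fields are filled; on any failure release what was allocated and report. */
static int append_header(mime_header **list, const char *line) {
    const char *colon = strchr(line, ':');
    if (!colon || colon == line) return 0;          /* malformed: no name or no ':' */
    const char *v = colon + 1;
    while (*v == ' ') v++;
    mime_header *h = calloc(1, sizeof *h);
    if (!h) return 0;
    h->name = dup_range(line, (size_t)(colon - line));
    h->value = dup_range(v, strlen(v));
    if (!h->name || !h->value) {                   /* free(NULL) is harmless */
        free(h->name); free(h->value); free(h);
        return 0;
    }
    h->next = *list;
    *list = h;
    return 1;
}

/* Frees every node and returns the count; it only ever sees initialised nodes. */
static int free_headers(mime_header *list) {
    int n = 0;
    for (mime_header *next; list; list = next, n++) {
        next = list->next;
        free(list->name); free(list->value); free(list);
    }
    return n;
}
```

A malformed line such as one with no `:` is rejected before any node exists, which is the check the advisory says the 4.2.0 handler's error path lacked.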