According to The Computer Emergency Response Team Coordination Center, it's a known fact that people have found multiple vulnerabilities in PHP scripts that would?give access to a remote attacker to execute arbitrary code with the privileges of the PHP process on a victim's system. A well known PHP member, Stefan Esser, has discovered it and reported to the public.

Esser said the vulnerabilities lie in the php_mime_split function, allowing an attacker to either execute arbitrary code with the privileges of the Web server or interrupt normal operations of the Web server. Besides, Esser said he found a number of bugs in various versions of PHP, including:

• PHP 3.0.10-3.0.18 -- a broken boundary check (which Esser noted is difficult to exploit) and an arbitrary heap overflow (easy to exploit
• PHP 4.0.1-4.0.3pl1 -- broken boundary check (hard to exploit) and heap off by one (easy to exploit)
• PHP 4.0.2-4.0.5 -- two broken boundary checks (one easy to exploit and one hard to exploit)
• PHP 4.0.6-4.0.7RC2 -- broken boundary check (very easy to exploit)
• PHP 4.0.7RC3-4.1.1 -- broken boundary check (hard to exploit).

Esser noted that most of the vulnerabilities are exploitable only on Linux or Solaris, but said the "heap off by one" flaw is only exploitable on x86 architecture and the "arbitrary heap overflow" in PHP3 is exploitable on most operating systems and architectures, including *BSD.

PHP users can get around the flaws by upgrading to PHP version 4.1.2. If upgrading is not possible, patches for older versions are available here.

Users of version 4.20-dev are not vulnerable to the bugs because the fileupload code was completely rewritten for that branch.

If neither upgrading nor applying a patch is possible, PHP users can avoid the vulnerabilities by disabling fileupload support. To accomplish this, edit the PHP configuration file php.ini to "file_uploads = off." This setting only applies to version 4.0.3 and above, and will prevent users from using fileuploads.

source: internetnews.com