PHP Post File Upload Buffer Overflow Vulnerabilities

The vendor has addressed this issue in PHP 4.1.2, affected users are advised to upgrade to the most recent version. In addition to upgrading to the most recent version of Apache.

PHP has created patches for the Post File Upload Buffer Overflow vulnerabilities. Users should apply the appropriate patch as follows:

For PHP 4.x (Apply patch in php-4.x.x/main)
For PHP 3.x (Apply patch in 3.0.x/functions)

Current versions of PHP and patches are available for download from:

This vulnerability does not affect PHP version 4.2.0-dev.

HP advises Secure OS 1.0 users to apply the available Red Hat fixes.

Conectiva has released an advisory (CLA-2002:545) which contains fixes for this issue. Please see the attached advisory for further details on obtaining fixes. The fixes released for Conectiva Linux 7.0 in advisory CLSA-2002:468 did not properly address this issue in the PHP3 packages. The new advisory contains the correct PHP3 packages for Conectiva Linux 7.0.

It has been reported that Kasenna has released fixes to address this issue, identified in support issues 1095 and 1330.

SGI has identified vulnerable optional Kasenna software. More information is available in SGI advisory 20030502-01-I.

Fixes are available:

PHP PHP 3.0 .13

PHP PHP 3.0 .11

PHP PHP 3.0 .10

PHP PHP 3.0 .12

PHP PHP 3.0 .16

PHP PHP 3.0.14

PHP PHP 3.0.15

PHP PHP 3.0.17

PHP PHP 3.0.18

PHP PHP 4.0.1

PHP PHP 4.0.1 pl2

PHP PHP 4.0.1 pl1

PHP PHP 4.0.2

PHP PHP 4.0.3 pl1

PHP PHP 4.0.3

PHP PHP 4.0.4

PHP PHP 4.0.5

PHP PHP 4.0.6

PHP PHP 4.0.7 RC2

PHP PHP 4.0.7 RC1

PHP PHP 4.0.7 RC3

PHP PHP 4.0.7

PHP PHP 4.1 .0

PHP PHP 4.1.1


Privacy Statement
Copyright 2010, SecurityFocus