PHP Fileupload Vulnerability

Serious security flaw with an easy fix
CERT Finds PHP Vulnerability

by Dave Murphy
ISSN 1535-3613

Dave Murphy, DGL President & ITrain founder

The Computer Emergency Response Team (CERT) at Carnegie Mellon University warns of a vulnerability in the popular PHP Web scripting language that allows crackers to execute arbitrary code on the victim's Web server at the privilege level assigned to the PHP process.

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. It's often used to dynamically generate Web pages by integrating separate text files, HTML pages, and database records. At its basic level, PHP is simple to learn and comes pre-installed on many Linux distributions. PHP is used on a variety of Web servers, including Apache, Microsoft's Internet Information Server (IIS), and others.

The vulnerability, which lies in PHP's file-upload support, affects multiple versions of PHP. The security hole can be plugged in one of three ways:

  1. installing a patch
  2. upgrading to PHP 4.2.1
  3. modifying the php.ini file so that "file_uploads = off" (option #3 is only available to users of PHP version 4.0.3 or higher, and it disables the ability of Web site users to upload files to the server)
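As an added example (not part of the article or of PHP itself), a small POSIX shell audit for the two configuration-level remedies listed above: it reads the effective file_uploads setting from a php.ini file and compares the running PHP version against 4.2.1, the first fixed release the article names, and against 4.0.3, below which the directive is not honoured. The php.ini path and version string are assumed to be passed on the command line.

```shell
#!/bin/sh
# Added audit helpers (not from the ITINFO article) for the remediation
# options it lists: upgrade to PHP 4.2.1, or set file_uploads = Off in
# php.ini, which PHP honours only from 4.0.3 on.

# Effective file_uploads setting from a php.ini file: prints "on" or "off".
# A missing directive means PHP's built-in default, On. The last uncommented
# assignment wins; On/Off, 1/0, true/false and yes/no are accepted, any case.
file_uploads_state() {
    line=$(grep -E '^[[:space:]]*file_uploads[[:space:]]*=' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo on
        return
    fi
    val=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/;.*$//' \
          | tr -d "\"'[:space:]" | tr '[:upper:]' '[:lower:]')
    case "$val" in
        off|0|false|no|none|"") echo off ;;
        *) echo on ;;
    esac
}

# Return 0 when version string $1 (e.g. 4.1.2, 4.2.1RC1; any suffix after the
# digits is ignored) is at least $2.$3.$4, comparing each field numerically.
version_at_least() {
    want_major=$2; want_minor=$3; want_patch=$4
    set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne "$want_major" ]; then [ "$major" -gt "$want_major" ]; return; fi
    if [ "$minor" -ne "$want_minor" ]; then [ "$minor" -gt "$want_minor" ]; return; fi
    [ "$patch" -ge "$want_patch" ]
}

# Classify a server from its php.ini path ($1) and PHP version string ($2):
# fixed (4.2.1 or later), mitigated (older, but uploads disabled on a PHP
# that honours the directive), or vulnerable.
audit_php() {
    if version_at_least "$2" 4 2 1; then
        echo fixed
    elif version_at_least "$2" 4 0 3 && [ "$(file_uploads_state "$1")" = off ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Usage: sh audit.sh /path/to/php.ini "$(php -r 'echo PHP_VERSION;')"
if [ "$#" -ge 2 ]; then audit_php "$1" "$2"; fi
```

Note that "mitigated" only covers the upload vector the article describes; a patch or the 4.2.1 upgrade remains the complete fix.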

Dave's Opinion

I jumped on this vulnerability right away. We use PHP extensively both on our intranet and Internet Web servers to support our SQL databases and to generate dynamic Web pages, based on user preferences. This is a serious vulnerability; however, it's an easy one to fix, requiring just a few minutes to download an upgrade or patch and install it.

If you'd like to see a sample of PHP and dynamic Web pages in action, post a note to our message center or visit the ITrain job bank. Both are run using PHP with a SQL database backend that creates the HTML Web pages on the fly as they are requested.

Call for Comments

What do you think? Leave your comments on the message center.

References

CERT
PHP
ITrain Job Bank
Message Center



ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.

Previous issues are on our website at http://dgl.com/itinfo/.

updated February 28, 2002
http://dgl.com/itinfo/2002/it020228.html

Copyright © 2002, Damar Group, Ltd., All Rights Reserved