
PHP Fileupload Vulnerability

Serious security flaw with an easy fix



CERT Finds PHP Vulnerability

by Dave Murphy
ISSN 1535-3613

The Computer Emergency Response Team (CERT) at Carnegie Mellon University warns of a vulnerability in the popular PHP Web scripting language that allows crackers to execute arbitrary code on the victim's Web server at the privilege level assigned to the PHP process.

PHP is a widely used general-purpose scripting language that is especially suited to Web development and can be embedded into HTML. It is often used to generate Web pages dynamically by integrating separate text files, HTML pages, and database records. At its basic level, PHP is simple to learn and comes pre-installed on many Linux distributions. PHP runs on a variety of Web servers, including Apache, Microsoft's Internet Information Server (IIS), and others.

The vulnerability, which lies in PHP's file upload support, affects multiple versions of PHP. The security hole can be plugged in one of three ways:

  1. installing a patch
  2. upgrading to PHP 4.2.1
  3. modifying the php.ini file so that "file_uploads = off" (option #3 is only available to users of PHP version 4.0.3 or higher, and it disables the ability of Web site users to upload files to the server)
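The following is an added example, not code from the article or from the PHP project: it checks a server against the three options above by reading the php.ini text with PHP's own ini semantics (';' comments, the last assignment wins, and a missing file_uploads directive means PHP's built-in default of on) and comparing the PHP version against the 4.2.1 and 4.0.3 thresholds the article gives. The php.ini fragments are constructed for the example; a source patch (option #1) cannot be detected from these inputs.

```python
import re

# Constructed sample php.ini fragments (not taken from the original article).
INI_UPLOADS_ON = """
; File Uploads ;
file_uploads = On
upload_max_filesize = 2M
"""

INI_UPLOADS_OFF = """
;file_uploads = On   ; commented out, so it must be ignored
file_uploads = off
"""

INI_NO_DIRECTIVE = """
upload_max_filesize = 2M
"""

# Values PHP's ini parser treats as boolean false; anything else is true.
_FALSE_VALUES = {"0", "off", "no", "false", "none", ""}


def file_uploads_enabled(ini_text):
    """Return True if this php.ini leaves file uploads switched on."""
    enabled = True  # PHP's default when the directive is absent is file_uploads = 1
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments and whitespace
        m = re.match(r"^file_uploads\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"').lower()
            enabled = value not in _FALSE_VALUES  # later assignments override earlier ones
    return enabled


def version_tuple(version):
    """Turn '4.1.2' (or '4.1.2-dev') into (4, 1, 2) so that 4.10 > 4.2 compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def mitigated(php_version, ini_text):
    """Apply the article's remediation options (#2 and #3) to one server."""
    ver = version_tuple(php_version)
    if ver >= (4, 2, 1):  # option #2: upgraded to 4.2.1 or later
        return True
    if ver >= (4, 0, 3) and not file_uploads_enabled(ini_text):  # option #3
        return True
    return False  # older PHP with uploads on (or file_uploads ignored before 4.0.3)
```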

Dave's Opinion

I jumped on this vulnerability right away. We use PHP extensively both on our intranet and Internet Web servers to support our SQL databases and to generate dynamic Web pages, based on user preferences. This is a serious vulnerability; however, it's an easy one to fix, requiring just a few minutes to download an upgrade or patch and install it.

If you'd like to see a sample of PHP and dynamic Web pages in action, post a note to our message center or visit the ITrain job bank. Both are run using PHP with a SQL database backend that creates the HTML Web pages on the fly as they are requested.

Call for Comments

What do you think? Leave your comments on the message center.

References

CERT
PHP
ITrain Job Bank
Message Center




Copyright © 2002 International Association of Information Technology Trainers, Ltd., All Rights Reserved

http://itrain.org/itinfo/2002/it020228.html
updated February 28, 2002