Source: http://www.internetnews.com/security/article.php/3494541
PHP Team Patches DoS Bugs
By Jim Wagner
April 1, 2005
The PHP Development Team on Wednesday released updates to the PHP 4 and PHP 5 code base, fixing two security vulnerabilities that open the door to denial-of-service (DoS) attacks.
PHP is a popular open source scripting language used by Web developers. In February, an anonymous researcher discovered that two functions that handle image uploads in PHP 4 and 5 (php_handle_iff and php_handle_jpeg) could be manipulated into entering infinite loops.
The infinite loop, in turn, consumes 100 percent of the system’s CPU and crashes the system. Both vulnerabilities require the attacker to upload a malicious image to the getimagesize() routine, and they affect PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. The routine is used to determine the size and dimensions of image file formats such as GIF, JPEG and TIFF.
At risk are sites running PHP that allow users to upload images to the Web server, like photo blogs or wikis. Michael Sutton, director of iDefense labs, said the vulnerabilities aren’t considered critical bugs because they only bring down the system; the bugs won’t allow a malicious hacker to take over the Web server.
“It’s reasonably significant in that you’re taking out a Web server and denying other people access to it, but the thing that makes it not critical is that you can’t execute any code on that server,” he said.
Officials at iDefense said there is no known workaround for the vulnerabilities at this time other than downloading and installing the updated PHP code. The maintainers of the PHP.net Web site say developers are “strongly encouraged” to upgrade to PHP 4.3.11 and 5.0.4.
The php_handle_iff() bug is triggered when the user-controlled file-stream size and the size variable are set to values that negate each other, 8 and -8 for example.
Insufficient validation of JPEG image file headers led to the vulnerability in the php_handle_jpeg() function. The vulnerability is triggered when an invalid marker in the stream is passed through the php_next_marker() function, which then returns to the for loop in php_handle_jpeg() pointing at two bytes of the file.
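The two loops described above fail for the same reason: a header parser that trusts attacker-supplied markers and length fields can stop making progress. As an added example (Python, not PHP's own code), here is a JPEG marker walker that extracts dimensions the way getimagesize() does, written so that every iteration either advances or rejects the file; jpeg_dimensions, safe_dimensions, MalformedJpeg and MAX_SEGMENTS are hypothetical names, and the byte strings are constructed samples, not the PHP test cases.

```python
import struct
MAX_SEGMENTS = 64  # hard cap: a pathological header cannot keep the loop alive
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
class MalformedJpeg(ValueError):
    """Raised instead of looping when the header is not well formed."""
def jpeg_dimensions(data: bytes) -> tuple[int, int]:
    """Return (width, height) from the first SOF segment.
    Every pass either raises or strictly advances `pos`, so an invalid marker
    or a zero/short length field ends parsing rather than spinning forever."""
    if data[:2] != b"\xff\xd8":
        raise MalformedJpeg("missing SOI marker")
    pos = 2
    for _ in range(MAX_SEGMENTS):
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # marker prefix + fill bytes
            pos += 1
        if pos == start or pos >= len(data):
            raise MalformedJpeg(f"no marker at offset {start}")
        marker, pos = data[pos], pos + 1
        if marker == 0x00 or marker in (0xD9, 0xDA):
            # 0x00 is not a marker; EOI/SOS before a SOF means no dimensions
            raise MalformedJpeg(f"invalid or premature marker 0x{marker:02x}")
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue  # TEM/RSTn have no length field; `pos` already advanced
        if pos + 2 > len(data):
            raise MalformedJpeg("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):  # <2 never advances; big reads past EOF
            raise MalformedJpeg(f"bad segment length {seg_len} at offset {pos}")
        if marker in SOF_MARKERS:
            if seg_len < 7:
                raise MalformedJpeg("SOF segment too short")
            height, width = struct.unpack(">HH", data[pos + 3:pos + 7])
            return width, height
        pos += seg_len  # jump over this segment's payload
    raise MalformedJpeg("too many segments before SOF")
def safe_dimensions(data: bytes):  # getimagesize()-style: None when rejected
    try:
        return jpeg_dimensions(data)
    except MalformedJpeg:
        return None
# Constructed samples (not real uploads): a minimal valid 640x480 header, then
# two headers shaped like the failure modes the article describes.
GOOD_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
             + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08"
             + struct.pack(">HH", 480, 640) + b"\x01\x01\x11\x00\xff\xd9")
INVALID_MARKER = b"\xff\xd8\xff\x00\x00\x04\x00\x00\xff\xd9"
ZERO_LENGTH = b"\xff\xd8\xff\xe0\x00\x00\xff\xd9"
```

Applying the same two rules (reject rather than retry, and cap the iteration count) to a chunk-based format such as IFF covers the 8/-8 size case as well, since a size that fails to move the offset forward is rejected on the first pass.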
Developers can download PHP 4.3.11 and 5.0.4 at the PHP.net download site.