<plugin_id>247</plugin_id>
<plugin_name>PHP prior 5.0.2 rfc1867.c file upload</plugin_name>
<plugin_family>CGI</plugin_family>
<plugin_created_date>2004/09/20</plugin_created_date>
<plugin_created_name>Marc Ruef</plugin_created_name>
<plugin_created_email>marc dot ruef at computec dot ch</plugin_created_email>
<plugin_created_web>http://www.computec.ch</plugin_created_web>
<plugin_created_company>computec.ch</plugin_created_company>
<plugin_updated_name>Marc Ruef</plugin_updated_name>
<plugin_updated_email>marc dot ruef at computec dot ch</plugin_updated_email>
<plugin_updated_web>http://www.computec.ch</plugin_updated_web>
<plugin_updated_company>computec.ch</plugin_updated_company>
<plugin_updated_date>2004/11/14</plugin_updated_date>
<plugin_version>2.0</plugin_version>
<plugin_changelog>Corrected the plugin structure and added the accuracy values in 1.1. Improved the pattern matching and introduced the plugin changelog in 2.0</plugin_changelog>
<plugin_protocol>tcp</plugin_protocol>
<plugin_port>80</plugin_port>
<plugin_procedure_detection>open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ### *PHP/[0-4].* OR HTTP/#.# ### *PHP/5.0.[0-2]*</plugin_procedure_detection>
<plugin_detection_accuracy>80</plugin_detection_accuracy>
<plugin_comment>Check is inspired by the Nessus plugin.</plugin_comment>
<bug_published_name>Stefano Di Paola</bug_published_name>
<bug_published_email>stefano dot dipaola at wisec dot it</bug_published_email>
<bug_published_web>http://www.wisec.it</bug_published_web>
<bug_published_company>wisec.it</bug_published_company>
<bug_published_date>2004/09/15</bug_published_date>
<bug_advisory>http://www.securityfocus.com/archive/1/375370</bug_advisory>
<bug_affected>PHP prior 5.0.2</bug_affected>
<bug_not_affected>PHP 5.0.2 and newer or other solutions (e.g. CGI or ASP)</bug_not_affected>
<bug_vulnerability_class>Configuration</bug_vulnerability_class>
<bug_description>The remote system is running a web server with PHP prior 5.0.2. These old versions are vulnerable to a unspecified vulnerability in rfc1867.c that could allow a remote attacker to upload files.</bug_description>
<bug_solution>If the web server is not used it should be de-installed or de-activated. Install the newest patch or bugfix to solve the problem or upgrade to the latest software version which is not vulnerable anymore. To make it harder to find the server the daemon could be configured to listen at another port (e.g. 8081). Alternation of the application banner can confuse an attacker and let him determine the wrong software. Additionally limit unwanted connections and communications with firewalling.</bug_solution>
<bug_fixing_time>Approx. 45 minutes</bug_fixing_time>
<bug_exploit_availability>Maybe</bug_exploit_availability>
<bug_exploit_url>http://www.securityfocus.com/bid/11038/exploit/</bug_exploit_url>
<bug_remote>Yes</bug_remote>
<bug_local>Yes</bug_local>
<bug_severity>Medium</bug_severity>
<bug_popularity>6</bug_popularity>
<bug_simplicity>6</bug_simplicity>
<bug_impact>8</bug_impact>
<bug_risk>7</bug_risk>
<bug_nessus_risk>Medium</bug_nessus_risk>
<bug_check_tool>Nessus is able to do the same check. A proof-of-concept exploit may be available as like Di Paola writes in his Bugtraq posting: "I don't know if releasing a POC for this vuln is a good thing because php is used widely in the net... so if you are interested feel free to contact me." It seems to be just a matter of time when the exploit is available for the public.</bug_check_tool>
<source_securityfocus_bid>11190</source_securityfocus_bid>
<source_nessus_id>14770</source_nessus_id>
<source_literature>Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427</source_literature>
<source_misc>http://viewcvs.php.net/viewcvs.cgi/php-src/NEWS.diff?r1=1.1247.2.724&r2=1.1247.2.726</source_misc>