Jun 15, 2011 08:24 GMT

Webmasters are advised to patch their PHP installations by hand after a flaw in the file upload handler, which in the worst case lets an attacker overwrite or delete files in the server's root directory, was publicly disclosed.

The vulnerability lies in the SAPI_POST_HANDLER_FUNC() function in main/rfc1867.c, the code that parses multipart/form-data uploads. PHP is supposed to strip any directory part from the client-supplied filename before exposing it to the script in $_FILES, but a filename prefixed with a forward or back slash is passed through with the separator intact.

A script that treats that name as a relative path can then be made to write to, and so overwrite or effectively delete, files in the filesystem root, and the issue can be combined with other vulnerabilities to extend an attack. The practical impact depends entirely on how the application uses $_FILES[...]['name'].
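The following Python script is an added illustration, not code from PHP or from the advisory. It builds a constructed multipart/form-data body with a leading-slash filename, models how rfc1867.c derives $_FILES[...]['name'] before and after the fix, and shows where a script that joins that name onto its upload directory ends up writing. The exact pre-fix condition (skip the strip when the only separator is the first character) is my reading of the fix and is an assumption; the application-side safe_upload_name() helper is likewise my own.

```python
import posixpath
import re

# Constructed sample request body (not captured from a real server): the
# attacker's filename parameter begins with a single forward slash.
CRAFTED_BODY = (
    "--boundary123\r\n"
    'Content-Disposition: form-data; name="upload"; filename="/evil.php"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "<?php echo 'hello'; ?>\r\n"
    "--boundary123--\r\n"
)


def extract_filename(body: str) -> str:
    """Return the filename parameter of the first file part in a multipart body."""
    m = re.search(r'Content-Disposition:[^\r\n]*filename="([^"]*)"', body)
    if m is None:
        raise ValueError("no file part in body")
    return m.group(1)


def php_upload_name(filename: str, patched: bool) -> str:
    """Model of how rfc1867.c derives $_FILES[...]['name'] from the client filename.

    PHP keeps only what follows the last '/' or '\\'.  In this model the
    unpatched code skips that strip when the last separator is the very
    first character, so "/evil.php" survives intact; the patched code
    strips on any separator.  The exact pre-fix condition is an assumption.
    """
    last = max(filename.rfind("/"), filename.rfind("\\"))
    if last < 0:
        return filename
    if not patched and last == 0:
        return filename  # leading separator passes through unstripped
    return filename[last + 1:]


def resolve_save_path(upload_dir: str, name: str) -> str:
    """Where a naive path join lands the file.

    posixpath.join discards upload_dir when name is absolute, which mirrors a
    script that trusts ['name'] to be a plain relative file name.
    """
    return posixpath.normpath(posixpath.join(upload_dir, name))


def is_inside(upload_dir: str, path: str) -> bool:
    """True if path stays within upload_dir (both taken as POSIX paths)."""
    root = posixpath.normpath(upload_dir)
    target = posixpath.normpath(path)
    return target == root or target.startswith(root + "/")


def safe_upload_name(name: str) -> str:
    """Application-side hardening that does not depend on the PHP patch:
    take the basename across both separator styles and reject empty or
    hidden names."""
    base = re.split(r"[\\/]", name)[-1]
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("rejected upload filename: %r" % name)
    return base


def simulate(body: str, patched: bool, upload_dir: str = "/var/www/uploads") -> dict:
    """Run one crafted request through the model and report the outcome."""
    client_name = extract_filename(body)
    php_name = php_upload_name(client_name, patched)
    path = resolve_save_path(upload_dir, php_name)
    return {
        "client_filename": client_name,
        "php_name": php_name,
        "save_path": path,
        "inside_upload_dir": is_inside(upload_dir, path),
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched=%s -> %s" % (patched, simulate(CRAFTED_BODY, patched)))
```

Run as is, the unpatched model resolves the upload to /evil.php, outside the upload directory, while the patched model and the application-side safe_upload_name() both reduce it to evil.php. Note that PHP's own string concatenation ("uploads/" . $name) is not fooled by a leading slash; the exposure is in scripts that pass the name to something that honours absolute paths, or use it bare.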

The flaw is described as an input validation error and security bypass issue. Vulnerability research vendor Secunia rates it as "less critical."

Polish web application developer Krzysztof Kotowicz is credited with discovering and reporting the issue. A fix was committed to the PHP repository on June 12, but details of the flaw had already been available online since May 27.

The vulnerability, identified as CVE-2011-2202, affects PHP 5.3.6 and earlier versions (php -v shows the installed version). No new PHP release containing the fix is available yet, but the patch can be pulled from the PHP source repository and applied manually.

The vulnerability carries a CVSS base score of between 2.6 and 5.0 out of 10. It can be exploited remotely, does not require authentication, and has a partial impact on integrity; confidentiality and availability are not affected.

The spread in the score comes entirely from the access complexity metric: the vector with low complexity (AV:N/AC:L/Au:N/C:N/I:P/A:N) scores 5.0, while the same vector with high complexity scores 2.6. IBM X-Force lists the complexity as low, whereas the Red Hat security team considers it high, and it is still unclear which reading is right.

Of course, not all websites accept multipart/form-data POST requests (file uploads), and only applications that use the client-supplied name when building a path are exposed, but given that PHP is one of the most popular web programming languages, the number of web servers potentially impacted by this flaw is huge.

No security alert has been posted on php.net regarding this vulnerability yet, but web server administrators are strongly encouraged to deploy the patch on their own. Until then, applications should also treat $_FILES[...]['name'] as untrusted input and run it through basename() before using it in any path.