The PHP form-data POST handler is susceptible to a malicious POST request that can trigger an error condition which, depending on your hardware, can crash the machine or provide for remote exploitation.

On an Intel x86 machine an attacker has no control over memory allocation/recovery and can only cause a denial of service; on a Sparc/Solaris machine an attacker would be able to free chunks of memory and overwrite them arbitrarily to run code.

PHP versions 4.2.0 and 4.2.1 are vulnerable. The PHP Group has released both a fixed version and patches, including binaries for Windows, available for download here.

If immediate tinkering proves inconvenient, the team recommends a temporary workaround of denying POST requests on any affected servers.

The issue was discovered by Stefan Esser of eMatters Security. ®