5598024 2000-10-16 07:58 /137 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <13289>
Ärende: Security Update: format bug in PHP
------------------------------------------------------------
From: Caldera Support Info <sup-info@LOCUTUS4.CALDERASYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001013153724.A11501@locutus4.calderasystems.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: format bug in PHP
Advisory number: CSSA-2000-037.0
Issue date: 2000 October, 13 (Friday)
Cross reference:
______________________________________________________________________________
1. Problem Description
There's a format bug in the logging code of the mod_php3 module.
It uses apache's aplog_error function, passing user-specified
input as the format string.
This can be exploited by a remote attacker to execute arbitrary
shell commands under the HTTP server account (user httpd).
In order for this bug to be exploitable, the PHP error logging must
be enabled. By default, error logging is off.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 not vulnerable
OpenLinux eServer 2.3 All packages previous to
and OpenLinux eBuilder mod_php3-3.0.17-1S
OpenLinux eDesktop 2.4 All packages previous to
mod_php3-3.0.17-1D
3. Solution
Workaround:
In /etc/httpd/conf/php3.ini, make sure that error logging
is turned off:
log_errors = Off
The proper solution is to upgrade to the fixed packages
4. OpenLinux Desktop 2.3
not vulnerable
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
58e13e3d8d03a2578a76d5a45965b84e
RPMS/mod_php3-3.0.17-1S.i386.rpm
076cc3ebe92e8615a291a2d3b23d1532
RPMS/mod_php3-doc-3.0.17-1S.i386.rpm
102f3824f8836a838d88ffe5e10a3c5a
SRPMS/mod_php3-3.0.17-1S.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fhv mod_php3-*S.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
6ab0ed0a31ed245dc41e275f0b04570e
RPMS/mod_php3-3.0.17-1D.i386.rpm
1821696bfa5b169c97760796f732b6d3
RPMS/mod_php3-doc-3.0.17-1D.i386.rpm
0f0a8dd1e8d5a8bbf112715f7cd3940c
SRPMS/mod_php3-3.0.17-1D.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fhv mod_php3-*D.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 7720,
7721, 7939.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of
the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
9. Acknowledgements
Caldera Systems wishes to thank Jouko Pynnönen
<jouko@solutions.fi> for finding and reporting this problem; and
the PHP team for providing
a fix and generally being very cooperative.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE55sxZ18sy83A/qfwRAoVYAJsGfCyA3qfDjUkZEGGbLVu0xC+fJACcC2yE
4uMKfTw4lymEYerSvjOpsRc=
=Msic
-----END PGP SIGNATURE-----
(5598024) ------------------------------------------(Ombruten)