Message-ID: <20030304140111.A19790@sco.com>
From: security at caldera.com (security@...dera.com)
Subject: Security Update: [CSSA-2003-008.0] Linux: php bypass safe_mode and injected control chars vulnerabilities
To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: php bypass safe_mode and injected control chars vulnerabilities
Advisory number: CSSA-2003-008.0
Issue date: 2003 March 04
Cross reference:
______________________________________________________________________________
1. Problem Description
Two vulnerabilities exist in the mail() PHP function. The
first one allows execution of any program/script, bypassing the
safe_mode restriction. The second one may allow an open-relay
if the mail() function is not carefully used in PHP scripts.
2. Vulnerable Supported Versions
System                          Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server          prior to php-4.0.6-4.i386.rpm
                                prior to php-doc-4.0.6-4.i386.rpm
OpenLinux 3.1.1 Workstation     prior to php-4.0.6-4.i386.rpm
                                prior to php-doc-4.0.6-4.i386.rpm
OpenLinux 3.1 Server            prior to php-4.0.6-4.i386.rpm
                                prior to php-doc-4.0.6-4.i386.rpm
OpenLinux 3.1 Workstation       prior to php-4.0.6-4.i386.rpm
                                prior to php-doc-4.0.6-4.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/RPMS
4.2 Packages
3305349cfaa56ff000040fbd46aad75c php-4.0.6-4.i386.rpm
59fa343b3e83a7957e98c719db572a5d php-doc-4.0.6-4.i386.rpm
4.3 Installation
rpm -Fvh php-4.0.6-4.i386.rpm
rpm -Fvh php-doc-4.0.6-4.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/SRPMS
4.5 Source Packages
729a94e120ea86a4c09acd270709bd47 php-4.0.6-4.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/RPMS
5.2 Packages
c64b972a1e97c18636bbe9767c69c542 php-4.0.6-4.i386.rpm
b84a833bc7ff1b9c1938e316c59cb0e8 php-doc-4.0.6-4.i386.rpm
5.3 Installation
rpm -Fvh php-4.0.6-4.i386.rpm
rpm -Fvh php-doc-4.0.6-4.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/SRPMS
5.5 Source Packages
80c8ef35bb4416a3799035de440150ae php-4.0.6-4.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/RPMS
6.2 Packages
9dfabdbf0ed7587128a549d49f0b159f php-4.0.6-4.i386.rpm
afbb47367cbcd3494745f18645c679e9 php-doc-4.0.6-4.i386.rpm
6.3 Installation
rpm -Fvh php-4.0.6-4.i386.rpm
rpm -Fvh php-doc-4.0.6-4.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/SRPMS
6.5 Source Packages
3702bf59800706ff708a2334b4633aad php-4.0.6-4.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/RPMS
7.2 Packages
83903709a1609108661fff65a58b439f php-4.0.6-4.i386.rpm
490332531b9d84e2216313fd0b3c8e28 php-doc-4.0.6-4.i386.rpm
7.3 Installation
rpm -Fvh php-4.0.6-4.i386.rpm
rpm -Fvh php-doc-4.0.6-4.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/SRPMS
7.5 Source Packages
243e3ed64dc55a019832710583ff461f php-4.0.6-4.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr868616, fz525966,
erg712114.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
Wojciech Purczynski <cliph@...c.pl> discovered and investigated
these vulnerabilities.
______________________________________________________________________________
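One way for a script to use mail() carefully, in the sense of the problem description above. This is an added example, not part of the SCO advisory or of PHP itself. The helper names and sample inputs are hypothetical, and checking the recipient and subject while keeping headers and MTA parameters constant is an assumption about what careful use means here.

```php
<?php
// Added example: helper names are hypothetical, sample inputs are constructed.

// True if the string holds any ASCII control character (CR, LF, NUL, TAB, ...) or DEL.
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

// Validate the values a script would hand to mail() as recipient and subject.
// Returns a list of problems; an empty list means the values may be passed on.
function check_mail_fields(string $to, string $subject): array
{
    $problems = [];
    if (has_control_chars($to)) {
        $problems[] = 'recipient contains control characters';
    } elseif (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'recipient is not a single valid address';
    }
    if (has_control_chars($subject)) {
        $problems[] = 'subject contains control characters';
    }
    return $problems;
}

// Wrapper around mail(): refuses suspicious input and logs the reason.
function safe_mail(string $to, string $subject, string $body): bool
{
    $problems = check_mail_fields($to, $subject);
    if ($problems !== []) {
        error_log('mail() refused: ' . implode('; ', $problems));
        return false;
    }
    // Extra headers are a fixed constant and no fifth argument (MTA
    // parameters) is passed, so request data never reaches either one.
    return mail($to, $subject, $body, 'From: webform@example.invalid');
}

// Constructed inputs: one clean pair, two carrying injected line breaks.
$samples = [
    ['user@example.com', 'Contact form'],
    ["user@example.com\r\nBcc: list@example.net", 'Contact form'],
    ['user@example.com', "Hello\nCc: other@example.net"],
];
foreach ($samples as [$to, $subject]) {
    $p = check_mail_fields($to, $subject);
    echo json_encode($to), ' => ', $p === [] ? 'ok' : implode('; ', $p), "\n";
}
```

Application-level checks like this complement the package update; they do not replace it.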