[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031107105625.A19864@caldera.com>
From: security at sco.com (security@....com)
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.
To: announce@...ts.caldera.com bugtraq@...urityfocus.com full-disclosure@...ts.netsys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.
Advisory number: CSSA-2003-SCO.30
Issue date: 2003 November 06
Cross reference: sr883606 fz528215 erg712409
______________________________________________________________________________
1. Problem Description
Perl is a high-level interpreted programming language well
known for its flexibility and ability to work with text
streams.
Obscure^ (obscure@...onsecurity.org) reported a cross site
scripting vulnerability in the CGI.pm perl module. This
module is used to facilitate the creation of web forms and
is part of the perl-modules RPM package.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 Perl distribution
OpenServer 5.0.6 Perl distribution
OpenServer 5.0.5 Perl distribution
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7
4.1 First install Maintenance Pack 1
ftp://ftp.sco.com/pub/openserver5/507/osr507mp/
4.2 Next install gxwlibs
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29
4.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30
4.3 Verification
MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. OpenServer 5.0.6 / OpenServer 5.0.5
5.1 First install OSS646B - Execution Environment Supplement
ftp://ftp.sco.com/pub/openserver5/oss646b
5.2 Next install gwxlibs
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29
5.3 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30
5.4 Verification
MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.5 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2
http://eyeonsecurity.org/advisories/CGI.pm/adv.html
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr883606 fz528215
erg712409.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgments
SCO would like to thank Obscure^ for reporting this issue.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)
iD8DBQE/qve+aqoBO7ipriERAqUtAJ9MBKogbCSdqJ8UrBA6YDmu2dXosQCgiaI9
LzUtvWmI6sIIeitugMgsyRg=
=2/ex
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists