From sup-info@LOCUTUS4.CALDERASYSTEMS.COM Mon Oct 16 10:01:23 2000
From: Caldera Support Info
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Fri, 13 Oct 2000 15:37:25 -0600
Subject: [BUGTRAQ] Security Update: format bug in PHP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                format bug in PHP
Advisory number:        CSSA-2000-037.0
Issue date:             2000 October, 13 (Friday)
Cross reference:
______________________________________________________________________________


1. Problem Description

   There's a format bug in the logging code of the mod_php3 module.
   It uses Apache's aplog_error function, passing user-specified
   input as the format string. This can be exploited by a remote
   attacker to execute arbitrary shell commands under the HTTP
   server account (user httpd).

   In order for this bug to be exploitable, the PHP error logging
   must be enabled. By default, error logging is off.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       mod_php3-3.0.17-1S

   OpenLinux eDesktop 2.4       All packages previous to
                                mod_php3-3.0.17-1D

3. Solution

   Workaround:

   In /etc/httpd/conf/php3.ini, make sure that error logging
   is turned off:

     log_errors = Off

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       58e13e3d8d03a2578a76d5a45965b84e  RPMS/mod_php3-3.0.17-1S.i386.rpm
       076cc3ebe92e8615a291a2d3b23d1532  RPMS/mod_php3-doc-3.0.17-1S.i386.rpm
       102f3824f8836a838d88ffe5e10a3c5a  SRPMS/mod_php3-3.0.17-1S.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv mod_php3-*S.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       6ab0ed0a31ed245dc41e275f0b04570e  RPMS/mod_php3-3.0.17-1D.i386.rpm
       1821696bfa5b169c97760796f732b6d3  RPMS/mod_php3-doc-3.0.17-1D.i386.rpm
       0f0a8dd1e8d5a8bbf112715f7cd3940c  SRPMS/mod_php3-3.0.17-1D.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv mod_php3-*D.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 7720,
   7721, 7939.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Jouko Pynnönen for finding and
   reporting this problem; and the PHP team for providing a fix and
   generally being very cooperative.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE55sxZ18sy83A/qfwRAoVYAJsGfCyA3qfDjUkZEGGbLVu0xC+fJACcC2yE
4uMKfTw4lymEYerSvjOpsRc=
=Msic
-----END PGP SIGNATURE-----
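
Added example, not part of the Caldera advisory and not mod_php3 code: the bug class from section 1, a message used as the format string of a printf-style logger, next to the corrected call. log_error_stub is a hypothetical stand-in for the server's logging function, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style server logger; it formats
 * into a caller-supplied buffer instead of the error log so that the
 * result can be inspected. */
static int log_error_stub(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern: the request-derived message is the format string,
 * so any '%' directive inside it is interpreted by the logger. */
static int log_flawed(char *out, size_t outlen, const char *user_msg)
{
    return log_error_stub(out, outlen, user_msg);
}

/* Corrected pattern: constant format, message passed only as data. */
static int log_fixed(char *out, size_t outlen, const char *user_msg)
{
    return log_error_stub(out, outlen, "%s", user_msg);
}

/* Returns 1 when the flawed path changed the message, i.e. the input
 * was parsed as a format string instead of being copied verbatim. */
static int flawed_path_interprets(const char *user_msg)
{
    char a[256], b[256];
    log_flawed(a, sizeof a, user_msg);
    log_fixed(b, sizeof b, user_msg);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample: "%%" is a directive that consumes no
     * argument, so the difference shows with defined behaviour. */
    const char *sample = "disk 100%% full";
    printf("input: %s\ninterpreted as format by flawed path: %d\n",
           sample, flawed_path_interprets(sample));
    return 0;
}
```

When auditing similar code, compiling with gcc's -Wformat -Wformat-security flags calls of this shape on functions declared with the printf format attribute.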