[Full-Disclosure] Security Update: [CSSA-2003-008.0] Linux: php bypass safe_mode and injected control chars vulnerabilities

From: security@caldera.com
Date: 03/04/03

    To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com, full-disclosure@lists.netsys.com
    From: security@caldera.com
    Date: Tue, 4 Mar 2003 14:01:11 -0800
    

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: Linux: php bypass safe_mode and injected control chars vulnerabilities
    Advisory number: CSSA-2003-008.0
    Issue date: 2003 March 04
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

            Two vulnerabilities exist in the mail() PHP function. The
            first one allows execution of any program/script, bypassing the
            safe_mode restriction. The second one may allow an open-relay
            if the mail() function is not carefully used in PHP scripts.

    2. Vulnerable Supported Versions

            System                          Package
            ----------------------------------------------------------------------

            OpenLinux 3.1.1 Server          prior to php-4.0.6-4.i386.rpm
                                            prior to php-doc-4.0.6-4.i386.rpm

            OpenLinux 3.1.1 Workstation     prior to php-4.0.6-4.i386.rpm
                                            prior to php-doc-4.0.6-4.i386.rpm

            OpenLinux 3.1 Server            prior to php-4.0.6-4.i386.rpm
                                            prior to php-doc-4.0.6-4.i386.rpm

            OpenLinux 3.1 Workstation       prior to php-4.0.6-4.i386.rpm
                                            prior to php-doc-4.0.6-4.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Many
            customers find it easier to use the Caldera System Updater, called
            cupdate (or kcupdate under the KDE environment), to update these
            packages rather than downloading and installing them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/RPMS

            4.2 Packages

            3305349cfaa56ff000040fbd46aad75c php-4.0.6-4.i386.rpm
            59fa343b3e83a7957e98c719db572a5d php-doc-4.0.6-4.i386.rpm

            4.3 Installation

            rpm -Fvh php-4.0.6-4.i386.rpm
            rpm -Fvh php-doc-4.0.6-4.i386.rpm

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/SRPMS

            4.5 Source Packages

            729a94e120ea86a4c09acd270709bd47 php-4.0.6-4.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/RPMS

            5.2 Packages

            c64b972a1e97c18636bbe9767c69c542 php-4.0.6-4.i386.rpm
            b84a833bc7ff1b9c1938e316c59cb0e8 php-doc-4.0.6-4.i386.rpm

            5.3 Installation

            rpm -Fvh php-4.0.6-4.i386.rpm
            rpm -Fvh php-doc-4.0.6-4.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/SRPMS

            5.5 Source Packages

            80c8ef35bb4416a3799035de440150ae php-4.0.6-4.src.rpm

    6. OpenLinux 3.1 Server

            6.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/RPMS

            6.2 Packages

            9dfabdbf0ed7587128a549d49f0b159f php-4.0.6-4.i386.rpm
            afbb47367cbcd3494745f18645c679e9 php-doc-4.0.6-4.i386.rpm

            6.3 Installation

            rpm -Fvh php-4.0.6-4.i386.rpm
            rpm -Fvh php-doc-4.0.6-4.i386.rpm

            6.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/SRPMS

            6.5 Source Packages

            3702bf59800706ff708a2334b4633aad php-4.0.6-4.src.rpm

    7. OpenLinux 3.1 Workstation

            7.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/RPMS

            7.2 Packages

            83903709a1609108661fff65a58b439f php-4.0.6-4.i386.rpm
            490332531b9d84e2216313fd0b3c8e28 php-doc-4.0.6-4.i386.rpm

            7.3 Installation

            rpm -Fvh php-4.0.6-4.i386.rpm
            rpm -Fvh php-doc-4.0.6-4.i386.rpm

            7.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/SRPMS

            7.5 Source Packages

            243e3ed64dc55a019832710583ff461f php-4.0.6-4.src.rpm

    8. References

            Specific references for this advisory:

                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985

            SCO security resources:

                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr868616, fz525966,
            erg712114.

    9. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    10. Acknowledgements

            Wojciech Purczynski <cliph@isec.pl> discovered and investigated
            these vulnerabilities.

    ______________________________________________________________________________
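
Added example, not part of the SCO advisory: for the manual installs in sections 4 to 7, a check of the downloaded files against the MD5 sums listed under "Packages" before `rpm -Fvh` is run. The function name `verify_packages`, the variable `ADVISORY_SUMS` and the manifest layout are assumptions of this example; MD5 is used because it is the only digest the advisory publishes.

```sh
#!/bin/sh
# Added example (not from the advisory): check downloaded packages against
# the MD5 sums the advisory lists before running "rpm -Fvh".
# verify_packages and ADVISORY_SUMS are names chosen for this example.

# Sums and file names copied from section 4.2 (OpenLinux 3.1.1 Server).
# For another platform, paste the lines from its own "Packages" section.
ADVISORY_SUMS='3305349cfaa56ff000040fbd46aad75c php-4.0.6-4.i386.rpm
59fa343b3e83a7957e98c719db572a5d php-doc-4.0.6-4.i386.rpm'

# verify_packages DIR MANIFEST
#   MANIFEST: "<md5> <file name>" lines. Prints one status line per entry.
#   Returns 0 only if every listed file exists in DIR with a matching sum.
verify_packages() {
    dir=$1
    manifest=$2
    rc=0
    # The here-document keeps the loop in this shell, so rc is preserved.
    while read -r want name; do
        [ -n "$want" ] || continue          # skip blank lines
        case $name in
            ''|.*|*/*)                      # only bare file names allowed
                echo "REJECT  $name"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name (expected $want, got $got)"; rc=1
        fi
    done <<EOF
$manifest
EOF
    return "$rc"
}

# Typical use from the download directory (left commented out so that
# sourcing this file changes nothing on the system):
#   verify_packages . "$ADVISORY_SUMS" &&
#       rpm -Fvh php-4.0.6-4.i386.rpm php-doc-4.0.6-4.i386.rpm
```

The same file name carries a different sum on each platform in this advisory, so a mismatch can also mean the package came from another platform's directory.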

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


