[UNIX] Chuid Found to Contain Two Security Holes ('..', overwriting)
From: support@securiteam.comDate: 01/23/02
- Previous message: support@securiteam.com: "[NT] The "Lunch Break Hole" (Missed Event Log)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 23 Jan 2002 23:55:06 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Chuid Found to Contain Two Security Holes ('..', overwriting)
------------------------------------------------------------------------
SUMMARY
<http://srparish.net/scripts/> Chuid is a small program to solve a
problem created by PHP's safe_mode, which makes it so that non-webserver
owned PHP scripts can't accept file uploads. It solves this dilemma by
allowing files in a compile time specified upload directory to be re-owned
by an arbitrary user, thus allowing PHP scripts to make use of uploaded
files. Two serious security vulnerabilities have been found in the
product.
DETAILS
Vulnerable systems:
Chuid version 1.2 and below
Immune systems:
Chuid version 1.3 and above
Chuid contained two fatal bugs, the first allowing a user to change the
UID of files outside of the designated upload directory by using '..', the
second allowing a user to change root owned files as well as web server
owned files. These two vulnerabilities would allow an attacker to
compromise the remote host.
Solution:
Upgrading to the latest version solves these issues.
ADDITIONAL INFORMATION
The information has been provided by Roman Ivanov and
<mailto:srp@srparish.net> Scott Parish.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] The "Lunch Break Hole" (Missed Event Log)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
