Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Security Alerts: PHP Weaknesses?

07/09/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a correction to the report on the AIX rsh buffer overflow; buffer overflows in Solaris' whodo, UnixWare's su, uucp, and crontab packages, and xvt; temporary-file symbolic link race condition vulnerabilities in Red Hat's LPRng and Red Hat's crontab; problems in Poprelayd, PHP Safe mode, ePerl, 802.11b Access Points, Gnatsweb, SquirrelMail, and phpMyAdmin; and a paper on common PHP vulnerabilities.

Correction to AIX Remote Root Exploit

There is a correction to the report on the buffer overflow in AIX's rsh utility. AIX 4.2 users should not watch IBM for a patch and further information, as AIX 4.2 is out of service. Instead, they should upgrade to the latest maintenance level or upgrade to a newer version of AIX.

Poprelayd

Poprelayd, a script that allows sendmail to relay mail from users who have successfully used POP to retrieve their mail, can be manipulated through an SMTP connection to allow any remote machine to relay mail through sendmail.

A suggested workaround is to modify the script to not accept lines that contain "sendmail" or to have your POP mail daemon log under a different facility and not share the same log file with sendmail.
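As an added illustration (not code from the column or from Poprelayd itself), here is a Python version of the suggested workaround: it derives the set of hosts allowed to relay from a constructed syslog excerpt, discards any line that mentions sendmail, and additionally trusts only records written under the POP daemon's own process tag. The daemon name ipop3d and the log line layout are assumptions.

```python
import re

# Constructed sample syslog excerpt (not from the column). The POP daemon name
# "ipop3d" and the line layout are assumptions about a typical setup of the time.
SAMPLE_LOG = """\
Jul  9 10:01:02 mx ipop3d[2101]: Login user=alice host=pc1.example.net [192.0.2.10]
Jul  9 10:01:05 mx sendmail[2102]: f69H15x02102: from=<bob@example.org>, size=512, relay=[198.51.100.7]
Jul  9 10:01:07 mx sendmail[2103]: f69H17x02103: ipop3d[1]: Login user=x host=h [198.51.100.9]
Jul  9 10:01:09 mx ipop3d[2104]: Login failed user=mallory auth=mallory host=bad.example [203.0.113.5]
Jul  9 10:01:11 mx ipop3d[2105]: Login user=carol host=pc2.example.net [192.0.2.11]
"""

# Generic syslog prefix: timestamp, host, program name and pid, then the message.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# A successful POP login record ending in the client address in brackets.
LOGIN_RE = re.compile(
    r"^Login user=\S+ host=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")


def relay_hosts(log_text, pop_daemon="ipop3d"):
    """Return the client addresses that may relay through sendmail."""
    allowed = set()
    for line in log_text.splitlines():
        # The column's workaround: ignore every line that mentions sendmail,
        # so text that sendmail logged on a remote client's behalf is never parsed.
        if "sendmail" in line:
            continue
        m = SYSLOG_RE.match(line)
        # Extra check: only records written by the POP daemon itself count.
        if not m or m.group("prog") != pop_daemon:
            continue
        login = LOGIN_RE.match(m.group("msg"))
        if login:
            allowed.add(login.group("ip"))
    return allowed


if __name__ == "__main__":
    print(sorted(relay_hosts(SAMPLE_LOG)))  # ['192.0.2.10', '192.0.2.11']
```

The second measure the column mentions, logging the POP daemon to a separate facility, removes the shared file altogether and is preferable where the syslog configuration allows it.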

Solaris whodo

A buffer overflow in the set-user-id-root Solaris whodo utility can be used by an attacker to obtain root privileges. The attack against whodo is carried out by overflowing one of the environment variables it reads.

Users should remove the set user id bits from all versions of whodo (including any 64-bit versions that may be installed), until a patch from Sun becomes available.

PHP safe_mode

Under some circumstances, a bug in the PHP mail() function call can be exploited to spawn a shell on the server with the permissions of the user executing the web server.

Any application that depends on safe mode and utilizes the mail() function call should have code added to prevent extra parameters from being passed to the mail() function call.


Red Hat's LPRng and tetex

There is a temporary-file symbolic link race condition in Red Hat Linux 7.0 when the tetex and LPRng packages are both installed. An attacker can use this race condition to gain additional privileges.

Users should consider removing the tetex package until a new version has been released by Red Hat.

ePerl

ePerl is used to embed Perl code inside an HTML page. It has the functionality to safely include trusted files using a #sinclude directive. When a file is included with #sinclude, ePerl does not parse that file for embedded Perl code, but it does follow include directives inside it and parses embedded Perl code in any files those directives pull in.

Users should watch for an updated version of ePerl.

802.11b Access Points

Several 802.11b access-point devices have a vulnerability that can be used to gain unauthorized access to the Wired Equivalent Privacy (WEP) key from the wired side of the network. Having access to the WEP key allows an attacker to decrypt traffic on the wireless network. It has been reported that this vulnerability affects 3Com AirConnect Model Number AP-4111 and the Symbol 41X1 Access Point Series of access-point devices.

It is recommended that users install firmware updates to their access-point devices as soon as possible.

Red Hat crontab

It is reported that the crontab package supplied with Red Hat Linux 7.0 is vulnerable to a symbolic-link race condition attack against its temporary files.

Users should watch Red Hat for an updated crontab package.
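The LPRng/tetex and crontab reports above share one root cause: a temporary file created under a predictable name that an attacker can pre-empt with a symbolic link. The following Python, added here and not taken from any of those packages, stages that race in a scratch directory and shows the unsafe open() call beside the O_EXCL form that refuses the planted link; the directory and file names are assumptions.

```python
import os
import tempfile

# All paths below are created inside a throwaway directory; the file names
# are illustrative assumptions, not the ones used by LPRng, tetex or crontab.


def unsafe_open(path):
    """The vulnerable pattern: a predictable temporary name opened with O_CREAT
    but without O_EXCL. If a symlink already sits at that name, open() follows
    it and the privileged process truncates and writes the link's target
    instead of a fresh file."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def safe_open(path):
    """The hardened pattern: O_EXCL makes open() fail if anything, including a
    symlink, already exists at the path, so the link target is never touched.
    O_NOFOLLOW is added where the platform offers it as defence in depth."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo():
    """Stage the race already won: a symlink sits at the predictable temp name.
    Returns (unsafe_clobbered_target, safe_refused)."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "target")      # stands in for a protected file
    with open(target, "w") as f:
        f.write("original\n")
    tmpname = os.path.join(workdir, "job.tmp")    # predictable name (assumption)
    os.symlink(target, tmpname)

    fd = unsafe_open(tmpname)
    os.write(fd, b"clobbered\n")
    os.close(fd)
    with open(target) as f:
        clobbered = f.read() == "clobbered\n"

    try:
        safe_open(tmpname)
        refused = False
    except FileExistsError:
        refused = True
    # tempfile.mkstemp() applies the same O_EXCL rule with an unpredictable name.
    return clobbered, refused


if __name__ == "__main__":
    print(demo())  # (True, True) on a POSIX system
```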

UnixWare Buffer Overflows

The UnixWare su, uucp, and crontab packages have buffer overflows that could be used by an attacker to execute arbitrary code as the root user. These problems are reported to affect UnixWare 7.

Caldera recommends that the patches for these problems be installed as soon as possible.

Gnatsweb

Gnatsweb, the GNU bug tracking system, has a bug that could be exploited to execute arbitrary commands as the user executing the web server. The bug was introduced in Gnatsweb 2.7 beta and is reported to affect versions 2.7beta, 2.8.0, 2.8.1, 3.95, and all versions from CVS prior to Jun 26 2001 12:15 PDT.

Users should apply the appropriate patch for their version as soon as possible.

phpMyAdmin

phpMyAdmin version 2.1.0, when installed in an environment with world readable web server logs, can be exploited to execute arbitrary code with the permissions of the user executing the web server. Before an attacker can exploit this vulnerability, they must be logged into phpMyAdmin.

Access to phpMyAdmin should be restricted to authorized users and users should upgrade to version 2.2.0rc1 as soon as possible.

Xvt

Xvt, a terminal emulator similar to xterm, has buffer overflows in several command-line parameters. Because it is normally installed set-user-id root, exploiting these buffer overflows would provide root-level permissions on the system.

The set user id bit on xvt should be removed until a new version has been installed.

SquirrelMail

SquirrelMail is a Web mail system written in PHP. By exploiting insecure function calls in SquirrelMail, an attacker can execute arbitrary code with the permissions of the user that is executing the Web server.

It is recommended that users upgrade to a version of SquirrelMail newer than 1.0.5.

A Study In Scarlet - Exploiting Common Vulnerabilities in PHP

SecureReality has released the paper "A Study In Scarlet - Exploiting Common Vulnerabilities in PHP" based on a speech by Shaun Clowes given at the Black Hat briefings from April of this year. It is a good overview of typical programming errors in PHP.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Copyright © 2009 O'Reilly Media, Inc.