oreilly.comSafari Books Online.Conferences.


Security Alerts

Buffer Overflows in PHP Forms and mod_ssl


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a remote exploit against PHP; buffer overflows in mod_ssl, Apache-SSL, Chinput, the Cryptographic File System daemon, and xtell; and problems in Oracle, netfilter's IRC DCC connection module, BRU, User Mode Linux, Xoops, KICQ, SphereServer, and Open UNIX's and UnixWare's webtop.

PHP Problems

The PHP functions that deal with multipart/form-data POST requests have buffer overflows that can be used by a remote attacker to execute arbitrary code with the permissions of the user executing PHP. Versions 3.x and 4.x of PHP are reported to be vulnerable. The 4.20-dev branch of the PHP code available by CVS is not vulnerable.

It is recommended that users upgrade to version 4.1.2 or newer of PHP as soon as possible. A possible work around for this problem is to edit the php.ini file and set file_uploads to off.

mod_ssl and Apache-SSL

mod_ssl, a module that provides SSL (Secure Socket Layer) for the Apache Web server, has a buffer overflow, in the session-caching code that uses dbm and shared memory, that may be exploitable using a large client certification.

Apache-SSL is also vulnerable to this buffer overflow. All versions of Apache-SSL prior to version 1.3.22+1.46 are reported to be vulnerable.

Users should upgrade mod_ssl to version 2.8.7-1.3.23 or newer and Apache-SSL to version 1.3.22+1.46 or newer as soon as possible.

Oracle Remote Compromise

Oracle 8 and 9 systems are vulnerable to a remote attack that can be used to execute any PL/SQL function in any library without a user ID or password.

If PL/SQL functionality is not needed, users should consider disabling it by removing the proper entries from tnsnames.ora and listener.ora. It is also recommended that the Oracle server be placed behind a firewall, configured to not allow unauthorized connections to the listener, and that users watch Oracle for an update for this problem.

IRC DCC Connection Tracking Helper Kernel Module

The netfilter system in Linux kernels version 2.4.14 and later have a IRC DCC connection tracking helper module that helps with outgoing IRC DCC send requests. There is a problem in this module that can be exploited, under some circumstances, by a remote attacker to make a single connection from the outside network to the port specified in the IRC DCC request on any host inside the protected network.

It is recommended that all affected users upgrade their Linux kernel to version 2.4.18-pre9 or newer or apply the available patches.


BRU is a system backup and restoration application designed to work with any backup device or file system. Some of the shell scripts provided with BRU are vulnerable to temporary-file symbolic-link race condition attacks that can be used by a local attacker to overwrite arbitrary files on the file system with the permissions of the user executing BRU (in many cases, root).

Users should watch for an update to BRU.


Xoops, a open source Web-based portal written in PHP with a MySQL back end, is vulnerable to a cross-site scripting attack in the Private Message System that can be used to execute arbitrary JavaScript in other users' browsers, and a vulnerability that can be used to execute arbitrary SQL commands.

Users of Xoops should watch for an updated version.


Chinput is a Chinese input server that supports the XIM (X Input Method) protocol and a custom protocol. It has a buffer overflow that may be exploitable to gain root permissions.

Affected users should watch for an update to Chinput and should consider disabling it until it has been patched.

User Mode Linux

A bug in User Mode Linux can be used to break out of the "box" even if the jail option is activated.

It is recommended that User Mode Linux be executed with chroot, without root permissions or other special permissions.


KICQ, an IRC client for the KDE desktop, is vulnerable to a denial-of-service attack.

Users should watch their vendor for an updated version.

Related Reading

Web Security, Privacy & Commerce
By Simson Garfinkel

Cryptographic File System

Several buffer overflows in the Cryptographic File System daemon cfsd can be used to crash the daemon in a denial-of-service attack and may be exploitable to execute arbitrary code as root.

Debian has released fixed versions: 1.3.3-8.1 for Debian Stable and 1.4.1-5 for the testing and unstable versions of Debian. Users of other Linux distributions should watch their vendor for an update.


SphereServer is a Ultima Online role-playing server for Linux, FreeBSD, and Win32. A flaw in SphereServer can be exploited to hold all available connections and deny service to other users.

Users should watch MenaSoft for a fix for this problem.


xtell, a network-enabled tell client, is vulnerable to buffer overflows and other problems that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running xtell. A script has been released that automates a remote exploit against xtell. It has been reported that xtell is vulnerable through version 2.6.1.

It is recommended that users upgrade xtell to version 2.7 or disable it as soon as possible.

Open UNIX and UnixWare webtop

The webtop application distributed with Open Unix 8.0.0 and UnixWare 7 contains set user id root scripts that, according to Caldera, "may be used to gain root privileges."

Caldera recommends that users remove the set user id bits from the scripts:

  • /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi and
  • /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi

if webtop is not needed. If webtop is needed, Caldera recommends that the binaries be replaced.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: