

Security Alerts

Log File Tool Vulnerabilities


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in analog, LogWatch, Java Web Start, libsafe, phpBB2, Posadis, Web+, libnewt, OpenLinux's Name Service Cache Daemon, SiteNews, phprojekt, and IRIX's FTP Server.


The Web server logfile analysis tool analog has a bug that can be used by an attacker, under some circumstances, to cause code to be executed when analog's output is viewed by the user.

This bug is reported to be fixed in analog version 5.22; users should upgrade and consider re-creating stored reports before viewing them.


LogWatch, a logfile reporting tool, is vulnerable to a temporary-file symbolic link race condition that can be used by a local attacker to obtain root access to the machine. Red Hat Linux 7.2 is vulnerable, as it installs LogWatch and runs it in a daily job.

Users should upgrade to a repaired version and should consider disabling LogWatch until it has been upgraded. Systems that have LogWatch installed by default should remove it if it is not needed.

Java Web Start

There is a problem with Java Web Start that can result in the application accessing restricted resources. Versions affected by this problem include Java Web Start 1.0.1_01, 1.0.1, and 1.0.

Sun recommends that affected users upgrade to Java Web Start 1.0.1_02 or the Java 2 SDK, Standard Edition, v 1.4. Java Web Start version 1.0.1_02 will restrict the use of "Java Network Launching Protocol" settings in unsigned applications unless the NAME starts with jnlp. or javaws, and will display "Java Web Start Window" in all unsigned applications' windows.


The libsafe library is used to provide protection against buffer-overflow-based attacks by replacing insecure function calls with a secure version that restricts the effects of any buffer overflows. It has been reported that libsafe's protections can be bypassed in a format-string-based attack by using flag characters that are used by glibc but not libsafe.

Users of libsafe should upgrade to version 2.0-12 as soon as possible.


phpBB2, a Web-based bulletin board written using PHP, has a vulnerability that can be used by a remote attacker to execute arbitrary code on the server, with the permissions of the user executing the Web server. It has been reported that this vulnerability affects RC3 and CVS versions earlier than March 19th, 2002.

Users should upgrade to a CVS version dated after March 19th, 2002, or version RC4, as soon as possible.


Posadis is a small Domain Name Server written without a cache or resolving functionality but with a Web administrative interface. Posadis has a format-string bug in its logging function that may be usable by a remote attacker to execute arbitrary code with the permissions of the user that is running Posadis.

Users should upgrade to Posadis m5pre2 or newer as soon as possible.


Web+ is a development environment for Web-based client and server applications for Windows, Solaris, and Linux. Version 5.0 of Web+ has buffer overflows that can be exploited by a remote attacker to execute arbitrary code as the user executing the server.

A patch has been released by Talentsoft to fix these buffer overflows. It is recommended that users apply this patch and that Web+ (Monitoring Service and the Server) be executed by a normal user account.


It has been reported that there is a buffer overflow in the libnewt library. No exploits have been reported for this buffer overflow.

Users should watch for an update to libnewt.

OpenLinux Name Service Cache Daemon

The Name Service Cache Daemon nscd will improperly return a cached PTR record when an "A" record has been requested. Versions of OpenLinux affected by this bug are: OpenLinux Server 3.1, OpenLinux Workstation 3.1, OpenLinux Server 3.1.1, and OpenLinux Workstation 3.1.1.

Caldera recommends that users disable the hosts cache by adding the line enable-cache hosts no to /etc/nscd.conf.

Sun zlib Patches

Sun has released patches that fix vulnerabilities in code based on the zlib Compression Library. The patches fix problems in the X Window system and in the system zlib library. They are available from under "Security T-patches".


SiteNews, a Web-based system for managing news written using PHP, has a flaw that can be exploited to obtain complete control over SiteNews news and users. This flaw is caused by the GetPassword() function returning an empty string for the password, allowing an attacker to send a non-existent user name and an MD5 hash of an empty string to successfully log in.

Users should upgrade to version 0.12 or newer of SiteNews as soon as possible.
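The login flaw described above, modeled next to a fail-closed version. This is an added example, not SiteNews code: the user store, the function names, and the assumption that the server compares the client's hash with an MD5 of the looked-up password are all hypothetical.

```python
import hashlib
import hmac

# Constructed user store (hypothetical): user name -> stored password.
USERS = {"editor": "s3cret-pass"}


def md5_hex(text):
    """MD5 hex digest, kept only to mirror the scheme the column describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def get_password(username):
    """Models the flawed lookup: an unknown user yields "" instead of an error."""
    return USERS.get(username, "")


def login_vulnerable(username, supplied_md5):
    # For an unknown user the expected value is md5(""), a constant anyone
    # can compute, so a made-up user name plus that hash is accepted.
    return supplied_md5 == md5_hex(get_password(username))


def login_hardened(username, supplied_md5):
    # Fail closed: an unknown user or an empty stored password never logs in.
    password = USERS.get(username)
    if not password:
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(supplied_md5.encode("utf-8"),
                               md5_hex(password).encode("utf-8"))


if __name__ == "__main__":
    empty_hash = md5_hex("")
    print("vulnerable, unknown user:", login_vulnerable("nosuchuser", empty_hash))
    print("hardened,   unknown user:", login_hardened("nosuchuser", empty_hash))
    print("hardened,   valid user:  ", login_hardened("editor", md5_hex("s3cret-pass")))
```

The general rule is that a failed lookup must be distinguishable from any value that can take part in the credential comparison.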


phprojekt is a Web-based content management system written in PHP. phprojekt version 3.1a has a bug in the file manager module that can be used by an attacker to execute arbitrary code as the user running the Web server.

It is reported that a patch has been released to fix this problem and that the scripts are being reworked to improve security and will be released soon.


The IRIX FTP server can be abused by a remote attacker in an "FTP Bounce Attack." This attack is carried out by using the FTP PORT command to relay arbitrary network connections through the FTP server. For example, the FTP server can be manipulated into port-scanning a network.

Versions 6.5.6 and newer of IRIX FTP can be started with the -p option, which prevents this attack. This option must be added to the ftpd line in /etc/inetd.conf.
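A server-side check that blocks the relay described above, shown as an added example that is not IRIX ftpd code. It assumes a common mitigation policy (accept a PORT target only when it is the control connection's own address and a non-reserved port), which is not necessarily what the -p option implements; the addresses are constructed documentation-range values.

```python
import ipaddress


def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command (RFC 959)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def port_allowed(arg, control_peer):
    """Return True only if the data connection would go back to the client itself."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return False
    # A third-party address or a reserved port (< 1024) is how the server
    # gets used as a relay or port scanner, so both are refused.
    return host == ipaddress.IPv4Address(control_peer) and port >= 1024


def rejected_commands(port_args, control_peer):
    """Return the PORT arguments a server applying this policy would refuse."""
    return [a for a in port_args if not port_allowed(a, control_peer)]


if __name__ == "__main__":
    peer = "192.0.2.10"                      # constructed client address
    samples = [
        "192,0,2,10,195,80",                 # client's own address, port 50000
        "198,51,100,7,0,22",                 # third-party host, port 22
        "192,0,2,10,0,25",                   # own address but reserved port
        "192,0,2,10,195",                    # malformed
    ]
    for arg in samples:
        print(arg, "->", "accept" if port_allowed(arg, peer) else "refuse")
```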

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
