Log File Tool Vulnerabilities04/01/2002
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in
LogWatch, Java Web Start,
phpBB2, Posadis, Web+,
OpenLinux's Name Service Cache Daemon, SiteNews,
phprojekt, and IRIX's
- Java Web Start
- OpenLinux Name Service Cache Daemon
- Sun zlib Patches
- IRIX FTP Server
The Web server logfile analysis tool
analog has a bug that can be
used by an attacker, under some circumstances, to cause code to be executed when
analog's output is viewed by the user.
This bug is reported to be fixed in
analog version 5.22 and users
should upgrade and consider re-creating stored reports before viewing
LogWatch, a logfile reporting tool, is vulnerable to a temporary-file symbolic link race condition that can be used by a local attacker to obtain root access to the machine. RedHat Linux 7.2 is vulnerable, as it installs LogWatch and runs it in a daily job.
Users should upgrade to a repaired version and should consider disabling LogWatch until it has been upgraded. Systems that have LogWatch installed by default should remove it if it is not needed.
There is a problem with Java Web Start that can result in the application accessing restricted resources. Versions affected by this problem include Java Web Start 1.0.1_01, 1.0.1, and 1.0.
Sun recommends that affected users upgrade to Java Web Start 1.0.1_02 or the Java 2 SDK, Standard Edition, v 1.4. Java Web Start version
1.0.1_02 will restrict the use of "Java Networking Launching Protocol"
settings in unsigned applications unless the
NAME starts with
javaws, and will display "Java Web Start Window" in all
unsigned applications' windows.
libsafe library is used to provide protection against buffer-overflow-based attacks by replacing insecure function calls with a
secure version that restricts the effects of any buffer overflows. It
has been reported that
libsafe's protections can be bypassed in a
format-string-based attack by using flag characters that are used by
glibc but not
libsafe should upgrade to version 2.0-12 as soon as possible.
phpBB2, a Web-based bulletin board written using PHP, has a vulnerability that can be used by a remote attacker to execute
arbitrary code on the server, with the permissions of the user
executing the Web server. It has been reported that this vulnerability affects RC3 and CVS versions earlier than March 19th, 2002.
Users should upgrade to a CVS version dated after March 19th, 2002, or version RC4, as soon as possible.
Posadis is a small Domain Name Server written without a cache or resolving functionality but with a Web administrative interface. Posadis has a format-string bug in its logging function that may be usable by a remote attacker to execute arbitrary code with the permissions of the user that is running Posadis.
Users should upgrade to Posadis m5pre2 or newer as soon as possible.
Web+ is a development environment for Web-based client and server applications for Windows, Solaris, and Linux. Version 5.0 of Web+ has buffer overflows that can be exploited by a remote attacker to execute arbitrary code as the user executing the server.
A patch has been released by Talentsoft to fix these buffer overflows. It is recommended that users apply this patch and that Web+ (Monitoring Service and the Server) be executed by a normal user account.
It has been reported that there is a buffer overflow in the
library. No exploits have been reported for this buffer overflow.
Users should watch for an update to
The Name Service Cache Daemon
nscd will improperly return a cached PTR
record when an "A" record has been requested. Versions of OpenLinux
affected by this bug are: OpenLinux Server 3.1, OpenLinux Workstation
3.1, OpenLinux Server 3.1.1, and OpenLinux Workstation 3.1.1.
Caldera recommends that users disable the hosts cache by adding
enable-cache hosts no into
Sun has released patches that fix vulnerabilities in code based on the
zlib Compression Library. The patches fix problems in the X Window
system and in the system
libz.so.1. They are available
from sunsolve.sun.com under "Security T-patches".
SiteNews, a Web-based system for managing news written using PHP, has
a flaw that can be exploited to obtain complete control over SiteNews
news and users. This flaw is caused by the
returning an empty string for the password, allowing an attacker to send a non-existent user name and a MD5 hash of an empty string to
successfully log in.
Users should upgrade to version 0.12 or newer of SiteNews as soon as possible.
phprojekt is a Web-based content management system written in PHP.
phprojekt version 3.1a has a bug in the file manager module that can
be used by an attacker to execute arbitrary code as the user running the Web server.
It is reported that a patch has been released to fix this problem and that the scripts are being reworked to improve security and will be released soon.
The IRIX FTP server can be abused by a remote attacker in an "FTP
Bounce Attack." This attack is carried out by using the FTP
command to relay arbitrary network connections through the FTP
server. For example, the FTP server can be manipulated into
port-scanning a network.
Versions 6.5.6 and newer of IRIX FTP can be started with the
option, which prevents this attack. This option must be added to the
ftpd line in
Read more Security Alerts columns.
Return to the Linux DevCenter.