oreilly.comSafari Books Online.Conferences.


Security Alerts Lotus Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Lotus Notes for Linux, tcpdump, mod_perl, kdepim, honeyd, NetWorker, NetPBM, jabber, mc, and Mambo Open Source.

Lotus Notes for Linux

Lotus Notes for Linux has a vulnerability that can be exploited by a local attacker to change its configuration and gain unauthorized access to files. During the installation of Lotus Notes for Linux, the configuration file notesdata/notes.ini is installed world-readable and -writable. This vulnerability is reported to affect Lotus Notes 6.0.2 for Linux.

Users should modify the permissions on the notesdata/notes.ini file so that only authorized users may write to it.


The network sniffer tcpdump is vulnerable to several buffer overflows that can be exploited, under some conditions, by a remote attacker to execute arbitrary code with root permissions, or to crash tcpdump and cause network activity to not be recorded. The buffer overflows are reported to be in code that handles ISAKMP packets and in the L2TP protocol parser. These buffer overflows are reported to affect versions of tcpdump through version 3.8.1.

Affected users should watch their vendors for a repaired version of tcpdump. Guardian Digital has released repaired packages for EnGarde Secure Community 1.0.1 and 2 and for EnGarde Secure Professional 1.1, 1.2, and 1.5.

Apache mod_perl

The mod_perl Apache module is reported to have a vulnerability whereby any user who can have Perl code interpreted by mod_perl can exploit to gain control of the HTTPS port (port number 443) or the standard web port (normally 80) and emulate the web server. The problem is caused by the file descriptor being leaked to Perl processes that can then pass the file descriptor to an external program or script. A script to automate the exploitation of this problem has been released to the public.

Learning Lab TigerLinux/Unix System Administration Certification -- Would you like to polish your system administration skills online and receive credit from the University of Illinois? Learn how to administer Linux/Unix systems and gain real experience with a root access account. The four-course series covers the Unix file system, networking, Unix services, and scripting. It's all at the O'Reilly Learning Lab.

There was a good amount of discussion about this vulnerability; one side wrote that mod_perl is a trusted Apache module that has access to Apache's file descriptors and could not be locked down tight enough to make any difference The other side wrote that while mod_perl may have access as a trusted Apache module, the Perl code that it interprets should not have the same level of access.

Anyone who uses an Apache module to interpret end-user scripts should keep in mind that the user may have more access to the system than they would appear to have (or should have) and should watch their vendors for an updated version of Apache's mod_perl, which, regardless of the debate (and its effectiveness), will almost certainly be released soon.


The honeypot daemon honeyd is used to create fake virtual hosts on a network using unused IP addresses. Under some conditions, a bug can cause honeyd to set both the SYN and RST flags on network packets. This bug can be used by a remote attacker to identify a host found in a scan as a fake host generated by honeyd.

It is recommended that users upgrade to honeyd version 0.8. This new version can also be configured to drop root permissions when it starts.


kdepim, a collection of personal information management tools distributed with KDE, contains a buffer overflow in the code that reads .VCF files. A carefully crafted .VCF file could be used by an attacker to execute code with the user's permissions when the user previews or reads the attacker's file. This buffer overflow is reported to affect all versions of kdepim distributed with KDE versions 3.1.0 through 3.1.4.

Users should upgrade to KDE version 3.1.5 or apply the appropriate patch for KDE 3.1.4. A possible workaround is to remove the kfile_vcf.desktop file.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble


It has been reported that the backup system NetWorker is vulnerable to a symbolic-link-race-condition-based attack that can be used to overwrite arbitrary files on the system with the permission of the user running NetWorker (usually root). The report states that the nsr_shutdown script distributed with NetWorker 6.0 uses the /tmp directory in an unsafe manner.

Affected users should contact their vendors for a repaired version of NetWorker.


NetPBM is a toolkit for manipulation of graphic images that is made up of many single-purpose utilities. Many of these utilities are vulnerable to a temporary-file symbolic link race condition that can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user executing the utility.

Users should watch their vendors for a repaired version.


jabber, an instant messaging system, has a bug in the code in the server that can cause jabber to crash while handling SSL connections causing a denial of service.

Debian and Mandrake have released repaired versions of jabber. Users of other distributions should watch for repaired or updated versions.


mc (Midnight Commander) is vulnerable to an attack that uses a carefully constructed archive file (for example, a .tar file) to cause arbitrary code to be executed when a user opens the archive file using mc.

Affected users should watch their vendors for a repaired version. Debian has released a repaired version of mc for woody and sid. Red Hat has released repaired packages for Red Hat Linux 9.

Mambo Open Source

Mambo Open Source, an open source web-based content management system written using PHP and MySQL, has a bug in ./modules/mod_mainmenu.php that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. This bug is reported to affect version 4.6 and earlier.

Users should watch for a patch to repair this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: