Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at an injection attack against PHP; several problems in KDE and Konqueror; buffer overflows in kadmin, in multiple applications shipped with Tru64, and in Ethereal; and problems in scrollkeeper and the Cisco VPN Client.
The PHP scripting language has CR/LF injection attack vulnerabilities that can be exploited to add additional HTTP headers to a query. Under some circumstances, these vulnerabilities can be used to open arbitrary Internet connections.
Users should watch for an update to PHP that repairs this problem. One
possible workaround that will reduce some of the functionality of PHP
on a server is to set
off in php.ini.
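The header injection described above, as an added example that is not code from the column or from PHP: a request builder that interpolates an attacker-controlled value unchecked, beside a hardened builder that rejects any CR, LF or NUL in a header value. The sample value and host name are constructed for the demonstration.

```python
import re

# Constructed sample: a user-supplied value carrying CR/LF followed by a
# second header line, which the naive builder will emit as a real header.
TAINTED_VALUE = "Mozilla/5.0\r\nX-Injected: 1"

# Control characters that must never appear inside a header value.
_CTL = re.compile(r"[\r\n\x00]")


def build_request_unsafe(host, path, user_agent):
    """Naive builder: interpolates values without checking for CR/LF."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n\r\n"


def build_request_safe(host, path, user_agent):
    """Hardened builder: refuses any value containing CR, LF or NUL."""
    for name, value in (("path", path), ("Host", host), ("User-Agent", user_agent)):
        if _CTL.search(value):
            raise ValueError(f"control character in {name}")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n\r\n"


def header_names(raw):
    """Header names as a receiver would parse them: drop the request line,
    then take the name before the colon on each CR/LF-terminated line."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]
    return [line.split(":", 1)[0] for line in lines if line]


if __name__ == "__main__":
    print(header_names(build_request_unsafe("example.invalid", "/", TAINTED_VALUE)))
    try:
        build_request_safe("example.invalid", "/", TAINTED_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```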
Several problems have been reported that affect either KDE or the Konqueror Web browser. These include:
A patch has been released for kdelibs for KDE 3.0.3 and 2.2.2 that repairs the cross-site scripting vulnerability in Konqueror. Users should upgrade to kdelibs-3.0.3a or apply the patches.
Under some conditions, Konqueror will send a cookie in the clear that should only be sent over an encrypted connection. This is caused by Konqueror not properly recognizing the secure cookie flag. The problem appears to affect the versions of Konqueror distributed with KDE 3.0, 3.0.1, and 3.0.2.
It is recommended that users upgrade to KDE version 3.0.3 or apply the patches available for KDE versions 3.0, 3.0.1, and 3.0.2.
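As an added illustration of the secure-flag handling described above (not KDE or Konqueror code), a minimal cookie jar that parses Set-Cookie values, records the Secure attribute, and releases Secure cookies only to https:// requests; the `honour_secure=False` switch reproduces the faulty behaviour for comparison. The sample Set-Cookie lines and host are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample responses; only the second cookie carries Secure.
SAMPLE_SET_COOKIE = [
    "theme=light; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(line):
    """Return (name, value, secure) for one Set-Cookie header value.
    Attribute names are compared case-insensitively, so 'SECURE' counts."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return name.strip(), value.strip(), secure


class CookieJar:
    def __init__(self, lines):
        self.cookies = [parse_set_cookie(line) for line in lines]

    def cookies_for(self, url, honour_secure=True):
        """Cookie pairs to attach to a request for url. A correct client
        withholds Secure cookies unless the scheme is https; with
        honour_secure=False the flag is ignored, which is the bug."""
        scheme = urlsplit(url).scheme.lower()
        sent = []
        for name, value, secure in self.cookies:
            if secure and honour_secure and scheme != "https":
                continue  # never leak a Secure cookie over plaintext
            sent.append(f"{name}={value}")
        return sent


if __name__ == "__main__":
    jar = CookieJar(SAMPLE_SET_COOKIE)
    print("https:", jar.cookies_for("https://example.invalid/"))
    print("http: ", jar.cookies_for("http://example.invalid/"))
    print("buggy:", jar.cookies_for("http://example.invalid/", honour_secure=False))
```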
A problem in the implementation of SSL under KDE can result in an invalid certificate being accepted as proper, and lead to man-in-the-middle-style attacks on SSL-enabled KDE software.
Users should upgrade to KDE 3.0.3 or apply a patch to
available for KDE 2.2.2. After upgrading
kdelibs, KDE must be
restarted so that the change can take effect.
The AOL instant messenger client
gaim has a buffer overflow and a vulnerability in code that handles URLs. These vulnerabilities could
lead to arbitrary execution of code on the machine running
Versions earlier than 0.58 are reported to be vulnerable.
Users should upgrade to version 0.58 or newer as soon as possible.
cacti, a Web-based front end for rrdtool written using PHP, is vulnerable to an attack that can be used to execute arbitrary code on the server with the permissions of the user running the Web server. It has been reported that this vulnerability can only be exploited by cacti users with administrator privileges. It is recommended that users upgrade to a repaired version as soon as possible.
It has been reported that there is a buffer overflow in Kerberos 5 that may be exploitable by a remote attacker to execute arbitrary code on the server with, in many cases, root permissions. It is thought that
an attacker must be able to log in to
kadmin prior to executing their
Affected users should upgrade to a repaired package as soon as possible. Mandrake has released an updated package that repairs this problem.
Cross-site-scripting-style attacks have been found against the mail-to-HTML converter mhonarc. These attacks could be used to steal cookies and execute arbitrary code in a user's Web browser. Users should upgrade to mhonarc version 2.5.3.
wordtrans, a package used to search multi-lingual dictionaries using a
Web browser, has problems that can be used to execute arbitrary code
as the Web server user and used in a cross-site scripting attack. It
has been reported that these problems affect versions of
It is recommended that users install a repaired version as soon as possible. Red Hat has released an updated package for Red Hat Linux 7.3.
The Ethereal network sniffer is vulnerable to a buffer overflow that can be exploited by a remote attacker by the creation of a specially-crafted network packet.
This vulnerability is reported to result only in a denial of service against Ethereal. However, network sniffers normally run with root permissions, and many vulnerabilities first reported as denial-of-service attacks later turn out to carry much greater risk, so it is recommended that this vulnerability and others like it be treated as if they were remote root holes.
Users should upgrade to a repaired version as soon as possible and should consider disabling Ethereal until it has been upgraded.
The Cisco VPN Client is used to set up a secure connection to a remote network. Multiple vulnerabilities have been found that can be exploited in a denial-of-service attack, to leak information about the client, to disclose the group password, and to mount a man-in-the-middle attack.
It is recommended that users contact Cisco for details on these vulnerabilities and for patches to repair them.
The scrollkeeper-get-cl utility is vulnerable to a symbolic-link race
condition that can be exploited by a local attacker to overwrite files
writable by the user running
is executed when a Gnome session is started.
Affected users should upgrade
scrollkeeper as soon as possible.
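The symbolic-link race described above, as an added example that is not scrollkeeper's code: a write that follows a pre-planted link at a predictable path, beside the usual mitigation of creating the file with O_EXCL and O_NOFOLLOW so that an existing link is refused rather than followed. It assumes a POSIX system and builds its own scratch directory, file names and link.

```python
import os
import tempfile


def unsafe_write(path, data):
    """open(path, 'w') truncates through a symlink, so a link planted at a
    predictable name redirects the write onto whatever file it points to."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write(path, data):
    """Create the file only if nothing exists there (O_EXCL) and never
    follow a symlink at the final path component (O_NOFOLLOW)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Returns (victim contents after the unsafe write, safe write refused?)."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")       # constructed target file
        with open(victim, "w") as fh:
            fh.write("original")
        link = os.path.join(scratch, "predictable-name")  # constructed pre-planted link
        os.symlink(victim, link)
        unsafe_write(link, "clobbered")               # follows the link
        with open(victim) as fh:
            after_unsafe = fh.read()
        try:
            safe_write(link, "clobbered")             # O_EXCL sees the link: EEXIST
            refused = False
        except FileExistsError:
            refused = True
        return after_unsafe, refused


if __name__ == "__main__":
    print(demo())
```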
It has been reported that multiple buffer overflows are present in applications distributed with Tru64. The reported applications
su. Tru64 is shipped with a non-exec stack that is designed to protect against buffer overflow attacks, but it has
been reported that this can be bypassed and that, under some conditions,
the vulnerable applications can be exploited to gain additional
Users should contact Compaq for a resolution to these problems.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.