Security Alerts: PHP Weaknesses
07/09/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a correction to the report on the AIX rsh buffer overflow; buffer overflows in Solaris' whodo, Caldera's crontab packages, and xvt; temporary-file symbolic link race condition vulnerabilities in Red Hat's LPRng and Red Hat's crontab; problems in Poprelayd, PHP Safe mode, ePerl, 802.11b Access Points, Gnatsweb, SquirrelMail, and phpMyAdmin; and a paper on common PHP vulnerabilities.
There is a correction to the report on the buffer overflow in AIX's rsh utility. AIX 4.2 users should not watch IBM for a patch and further information, as AIX 4.2 is out of service. Instead, they should upgrade to the latest maintenance level or upgrade to a newer version of AIX.
Poprelayd, a script that allows sendmail to relay mail from users who have successfully used POP to retrieve their mail, can be manipulated through an SMTP connection to allow any remote machine to relay mail through sendmail.
A suggested workaround is to modify the script to not accept lines that contain "sendmail" or to have your POP mail daemon log under a different facility and not share the same log file with sendmail.
A buffer overflow in the set user id root Solaris whodo utility can be used by an attacker to obtain root privileges. The attack against whodo is done by overflowing one of its environment variables.
Users should remove the set user id bits from all versions of whodo (including any 64-bit versions that may be installed) until a patch from Sun becomes available.
Under some circumstances, a bug in the PHP mail() function call can be exploited to spawn a shell on the server with the permissions of the user executing the webserver.
Any application that depends on safe mode and utilizes the mail() function call should have code added to prevent extra parameters from being passed to the mail() function call.
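To illustrate that mitigation, here is an added example (not code from the column, from PHP, or from any project it covers) of a mail() wrapper that keeps request data out of the fifth, additional-parameters argument; the sender address is a constructed placeholder.

```php
<?php
// Added example, not code from the column or from PHP itself.
// The fifth argument of mail() is handed to the sendmail binary on its
// command line, so it must never be built from request data. This wrapper
// validates the recipient, neutralises header injection in the subject, and
// builds the only extra flag (-f envelope sender) from configuration.

// Accept only a plain mailbox address: no whitespace, quotes or control
// characters, which is what argument and header injection depend on.
function safe_address(string $addr): ?string
{
    $addr = trim($addr);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (preg_match('/[\s"\'\\\\\x00-\x1f]/', $addr) === 1) {
        return null;
    }
    return $addr;
}

// Collapse CR and LF so a subject cannot end the header block and append
// headers of its own.
function safe_header_value(string $value): string
{
    return str_replace(["\r", "\n"], ' ', $value);
}

// Envelope sender is a fixed constant, never a caller-supplied value
// (constructed placeholder address).
const ENVELOPE_SENDER = 'noreply@example.com';

function send_notification(string $to, string $subject, string $body): bool
{
    $to = safe_address($to);
    if ($to === null) {
        return false;
    }
    $headers = 'From: ' . ENVELOPE_SENDER . "\r\n";
    // Deliberately no $additional_params argument on this wrapper: callers
    // cannot forward user input into sendmail's argument list, and the one
    // flag that is passed is assembled here from the constant above.
    $extra = '-f' . ENVELOPE_SENDER;
    return mail($to, safe_header_value($subject), $body, $headers, $extra);
}

// Pattern this replaces: passing request data straight through, e.g.
// mail($to, $subj, $body, $hdrs, $_POST['extra']), which lets a remote
// client choose sendmail's command-line switches.
```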
There is a temporary-file symbolic link race condition in Red Hat Linux 7.0 when the tetex and LPRng packages are both installed. An attacker can use this race condition to gain additional privileges.
Users should consider removing the tetex package until a new version has been released by Red Hat.
ePerl is used to embed Perl code inside an HTML page. It has the functionality to safely include trusted files using a #sinclude directive. When a file is included with #sinclude, ePerl does not parse that file or interpret any Perl code embedded in it, but it does follow the include directives inside it and parses the embedded Perl code in any files they pull in.
Users should watch for an updated version of ePerl.
Several 802.11b access-point devices have a vulnerability that can be used to gain unauthorized access to the Wired Equivalent Privacy (WEP) key from the wired side of the network. Having access to the WEP key allows an attacker to decrypt traffic on the wireless network. It has been reported that this vulnerability affects 3Com AirConnect Model Number AP-4111 and the Symbol 41X1 Access Point Series of access-point devices.
It is recommended that users install firmware updates to their access-point devices as soon as possible.
It is reported that the crontab package supplied with Red Hat Linux 7.0 is vulnerable to a symbolic-link race condition attack against its temporary files.
Users should watch Red Hat for an updated crontab package.
Caldera's crontab packages have buffer overflows that could be used by an attacker to execute arbitrary code as the root user. These problems are reported to affect UnixWare 7.
Caldera recommends that the patches for these problems be installed as soon as possible.
Gnatsweb, the GNU bug tracking system, has a bug that could be exploited to execute arbitrary commands as the user executing the web server. The bug was introduced in Gnatsweb 2.7 beta and is reported to affect versions 2.7beta, 2.8.0, 2.8.1, 3.95, and all versions from CVS prior to Jun 26 2001 12:15 PDT.
Users should apply the appropriate patch for their version as soon as possible.
phpMyAdmin version 2.1.0, when installed in an environment with world readable web server logs, can be exploited to execute arbitrary code with the permissions of the user executing the web server. Before an attacker can exploit this vulnerability, they must be logged into phpMyAdmin.
Access to phpMyAdmin should be restricted to authorized users and users should upgrade to version 2.2.0rc1 as soon as possible.
Xvt, a terminal emulator similar to xterm, has buffer overflows in several command-line parameters. Because it is normally installed set user id root, exploiting these buffer overflows would provide root-level permissions on the system.
The set user id bit on xvt should be removed until a new version has been installed.
SquirrelMail is a Web mail system written in PHP. By exploiting insecure function calls in SquirrelMail, an attacker can execute arbitrary code with the permissions of the user that is executing the Web server.
It is recommended that users upgrade to a version of SquirrelMail newer than 1.0.5.
SecureReality has released the paper "A Study In Scarlet - Exploiting Common Vulnerabilities in PHP" based on a speech by Shaun Clowes given at the Black Hat briefings from April of this year. It is a good overview of typical programming errors in PHP.