[Full-Disclosure] Security Update: [CSSA-2003-008.0] Linux: php bypass safe_mode and injected control chars vulnerabilities

From: securityat_private
Date: Tue Mar 04 2003 - 14:01:11 PST

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:042-07] Updated squirrelmail packages close cross-site scripting vulnerabilities"

Previous message: auto40951at_private: "uploader.php script"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: bugtraqat_private announceat_private security-alertsat_private full-disclosureat_private

______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: php bypass safe_mode and injected control chars vulnerabilities
Advisory number: 	CSSA-2003-008.0
Issue date: 		2003 March 04
Cross reference:
______________________________________________________________________________


1. Problem Description

	Two vulnerabilities exists in the mail() PHP function. The
	first one allows execution of any program/script, bypassing the
	safe_mode restriction. The second one may allow an open-relay
	if the mail() function is not carefully used in PHP scripts.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to php-4.0.6-4.i386.rpm
					prior to php-doc-4.0.6-4.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to php-4.0.6-4.i386.rpm
					prior to php-doc-4.0.6-4.i386.rpm

	OpenLinux 3.1 Server		prior to php-4.0.6-4.i386.rpm
					prior to php-doc-4.0.6-4.i386.rpm

	OpenLinux 3.1 Workstation	prior to php-4.0.6-4.i386.rpm
					prior to php-doc-4.0.6-4.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/RPMS

	4.2 Packages

	3305349cfaa56ff000040fbd46aad75c	php-4.0.6-4.i386.rpm
	59fa343b3e83a7957e98c719db572a5d	php-doc-4.0.6-4.i386.rpm

	4.3 Installation

	rpm -Fvh php-4.0.6-4.i386.rpm
	rpm -Fvh php-doc-4.0.6-4.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/SRPMS

	4.5 Source Packages

	729a94e120ea86a4c09acd270709bd47	php-4.0.6-4.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/RPMS

	5.2 Packages

	c64b972a1e97c18636bbe9767c69c542	php-4.0.6-4.i386.rpm
	b84a833bc7ff1b9c1938e316c59cb0e8	php-doc-4.0.6-4.i386.rpm

	5.3 Installation

	rpm -Fvh php-4.0.6-4.i386.rpm
	rpm -Fvh php-doc-4.0.6-4.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/SRPMS

	5.5 Source Packages

	80c8ef35bb4416a3799035de440150ae	php-4.0.6-4.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/RPMS

	6.2 Packages

	9dfabdbf0ed7587128a549d49f0b159f	php-4.0.6-4.i386.rpm
	afbb47367cbcd3494745f18645c679e9	php-doc-4.0.6-4.i386.rpm

	6.3 Installation

	rpm -Fvh php-4.0.6-4.i386.rpm
	rpm -Fvh php-doc-4.0.6-4.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/SRPMS

	6.5 Source Packages

	3702bf59800706ff708a2334b4633aad	php-4.0.6-4.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/RPMS

	7.2 Packages

	83903709a1609108661fff65a58b439f	php-4.0.6-4.i386.rpm
	490332531b9d84e2216313fd0b3c8e28	php-doc-4.0.6-4.i386.rpm

	7.3 Installation

	rpm -Fvh php-4.0.6-4.i386.rpm
	rpm -Fvh php-doc-4.0.6-4.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/SRPMS

	7.5 Source Packages

	243e3ed64dc55a019832710583ff461f	php-4.0.6-4.src.rpm


8. References

	Specific references for this advisory:

		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr868616, fz525966,
	erg712114.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	Wojciech Purczynski <cliphat_private> discovered and investigated
	these vulnerabilities.

______________________________________________________________________________

application/pgp-signature attachment: stored

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:042-07] Updated squirrelmail packages close cross-site scripting vulnerabilities"
Previous message: auto40951at_private: "uploader.php script"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 14:35:15 PST