[OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)

From: OpenPKG (openpkgat_private)
Date: Mon Jul 07 2003 - 07:27:47 PDT

Next message: Matt Zimmerman: "[SECURITY] [DSA-337-1] New semi, wemi packages fix insecure temporary file creation"

Previous message: Rick: "rundll32.exe buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-securityat_private                         openpkgat_private
OpenPKG-SA-2003.032                                          07-Jul-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       XSS; bypass safe mode
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= php-4.3.1-20030516       >= php-4.3.2-20030529
                     <= apache-1.3.27-20030516   >= apache-1.3.27-20030529
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= php-4.2.2-1.1.1          >= php-4.2.2-1.1.2
                     <= apache-1.3.26-1.1.4      >= apache-1.3.26-1.1.5

Dependent Packages:  none

Description:
  A security advisory [3] states that in PHP [1] version 4.3.1 (but
  we at OpenPKG believe 4.2.x) and earlier, when transparent session
  ID support is enabled using the "session.use_trans_sid" option,
  the session ID is not escaped before use, which allows remote
  attackers to insert arbitrary script via the PHPSESSID parameter. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0442 [6] to this problem.

  Additionally, Wojciech Purczynski some time ago found out [2] that
  it is possible to allow remote attackers to by-pass "safe mode"
  restrictions in PHP [1] 4.x to 4.2.2 and modify command line arguments
  to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
  behavior and possibly executing commands. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2002-0985 [4] to this
  problem.
  
  Wojciech Purczynski also reported [2] that the mail function in
  PHP [1] 4.x to 4.2.2 does not filter ASCII control characters from
  its arguments, which could allow remote attackers to modify mail
  message content, including mail headers, and possibly use PHP as a
  "spam proxy." The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-0986 [5] to this problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q php". If you have the "php" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [9], fetch it from the OpenPKG FTP service [10] or a mirror location,
  verify its integrity [11], build a corresponding binary RPM from
  it [7] and update your OpenPKG installation by applying the binary
  RPM [8]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get php-4.2.2-1.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.2.src.rpm
  $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.2.*.rpm
________________________________________________________________________

References:
  [1]  http://www.php.net/
  [2]  http://isec.pl/vulnerabilities/0005.txt
  [3]  http://shh.thathost.com/secadv/2003-05-11-php.txt
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
  [7]  http://www.openpkg.org/tutorial.html#regular-source
  [8]  http://www.openpkg.org/tutorial.html#regular-binary
  [9]  ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.2.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.1/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkgat_private>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkgat_private>

iD8DBQE/CYL2gHWT4GPEy58RAnF0AKDY5SbvJIffi3gXHt26g8BUA0AjHACgubJR
VIB2rswM6mLBz8FN6ooXf0o=
=Cp7d
-----END PGP SIGNATURE-----

Next message: Matt Zimmerman: "[SECURITY] [DSA-337-1] New semi, wemi packages fix insecure temporary file creation"
Previous message: Rick: "rundll32.exe buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 13:19:01 PDT