From security@caldera.com Tue Mar 4 20:07:25 2003
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com, full-disclosure@lists.netsys.com
Date: Tue, 4 Mar 2003 14:01:11 -0800
Reply-To: please_reply_to_security@caldera.com
Subject: [Full-Disclosure] Security Update: [CSSA-2003-008.0] Linux: php bypass safe_mode and injected control chars vulnerabilities

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: php bypass safe_mode and injected control chars vulnerabilities
Advisory number:        CSSA-2003-008.0
Issue date:             2003 March 04
Cross reference:
______________________________________________________________________________


1. Problem Description

        Two vulnerabilities exist in the mail() PHP function. The first
        one allows execution of any program/script, bypassing the
        safe_mode restriction. The second one may allow an open-relay
        if the mail() function is not carefully used in PHP scripts.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to php-4.0.6-4.i386.rpm
                                        prior to php-doc-4.0.6-4.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to php-4.0.6-4.i386.rpm
                                        prior to php-doc-4.0.6-4.i386.rpm

        OpenLinux 3.1 Server            prior to php-4.0.6-4.i386.rpm
                                        prior to php-doc-4.0.6-4.i386.rpm

        OpenLinux 3.1 Workstation       prior to php-4.0.6-4.i386.rpm
                                        prior to php-doc-4.0.6-4.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/RPMS

        4.2 Packages

        3305349cfaa56ff000040fbd46aad75c        php-4.0.6-4.i386.rpm
        59fa343b3e83a7957e98c719db572a5d        php-doc-4.0.6-4.i386.rpm

        4.3 Installation

        rpm -Fvh php-4.0.6-4.i386.rpm
        rpm -Fvh php-doc-4.0.6-4.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-008.0/SRPMS

        4.5 Source Packages

        729a94e120ea86a4c09acd270709bd47        php-4.0.6-4.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/RPMS

        5.2 Packages

        c64b972a1e97c18636bbe9767c69c542        php-4.0.6-4.i386.rpm
        b84a833bc7ff1b9c1938e316c59cb0e8        php-doc-4.0.6-4.i386.rpm

        5.3 Installation

        rpm -Fvh php-4.0.6-4.i386.rpm
        rpm -Fvh php-doc-4.0.6-4.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-008.0/SRPMS

        5.5 Source Packages

        80c8ef35bb4416a3799035de440150ae        php-4.0.6-4.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/RPMS

        6.2 Packages

        9dfabdbf0ed7587128a549d49f0b159f        php-4.0.6-4.i386.rpm
        afbb47367cbcd3494745f18645c679e9        php-doc-4.0.6-4.i386.rpm

        6.3 Installation

        rpm -Fvh php-4.0.6-4.i386.rpm
        rpm -Fvh php-doc-4.0.6-4.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-008.0/SRPMS

        6.5 Source Packages

        3702bf59800706ff708a2334b4633aad        php-4.0.6-4.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/RPMS

        7.2 Packages

        83903709a1609108661fff65a58b439f        php-4.0.6-4.i386.rpm
        490332531b9d84e2216313fd0b3c8e28        php-doc-4.0.6-4.i386.rpm

        7.3 Installation

        rpm -Fvh php-4.0.6-4.i386.rpm
        rpm -Fvh php-doc-4.0.6-4.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-008.0/SRPMS

        7.5 Source Packages

        243e3ed64dc55a019832710583ff461f        php-4.0.6-4.src.rpm


8. References

        Specific references for this advisory:

                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr868616, fz525966,
        erg712114.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        Wojciech Purczynski discovered and investigated these
        vulnerabilities.

______________________________________________________________________________
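
Added example (not part of the SCO advisory, and not SCO or PHP project code): a script-level guard for the "not carefully used" mail() case in section 1, written for current PHP rather than the 4.0.6 packages listed above. The helper names has_control_chars() and safe_mail() and the example.com addresses are assumptions made for illustration.

```php
<?php
// Added example: refuse to call mail() when a header-bound value carries
// control characters. Helper names are hypothetical, not a PHP API.

/** True if $s contains any ASCII control character (0x00-0x1F or 0x7F). */
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

/**
 * Send one message to one recipient, or return false without calling
 * mail() when any value that ends up in the headers is rejected.
 */
function safe_mail(string $to, string $subject, string $body, string $from): bool
{
    $headerValues = ['to' => $to, 'subject' => $subject, 'from' => $from];
    foreach ($headerValues as $name => $value) {
        if (has_control_chars($value)) {
            error_log("safe_mail: control character in $name, message dropped");
            return false;
        }
    }
    // Exactly one syntactically valid address each; no recipient lists.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        error_log('safe_mail: invalid address, message dropped');
        return false;
    }
    // The header block is built here from validated values only. mail()'s
    // optional additional-parameters argument is not exposed by this wrapper.
    return mail($to, $subject, $body, "From: $from");
}

// Constructed inputs: the second value embeds a CR/LF sequence, which would
// start a new header line if it reached mail() unchecked.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: list@example.com",
];
foreach ($samples as $value) {
    printf("%-45s rejected=%s\n",
        json_encode($value),
        has_control_chars($value) ? 'yes' : 'no');
}
```

The message body is not checked because line breaks are legitimate there; only values that end up in header lines are filtered.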