Date: Fri, 13 Oct 2000 15:37:25 -0600
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: format bug in PHP
Caldera Systems, Inc. Security Advisory

Subject: format bug in PHP
Advisory number: CSSA-2000-037.0
Issue date: 2000 October, 13 (Friday)
Cross reference:
1. Problem Description
There's a format bug in the logging code of the mod_php3 module.
It uses apache's aplog_error function, passing user-specified input
as the format string.
This can be exploited by a remote attacker to execute arbitrary
shell commands under the HTTP server account (user httpd).
In order for this bug to be exploitable, the PHP error logging
must be enabled. By default, error logging is off.
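The bug class described above, as an added illustration (this is not Caldera's, Apache's or the PHP team's code): a hypothetical printf-style logger stands in for apache's aplog_error, and the two wrappers show the vulnerable calling pattern next to the corrected one, in which the format string is a constant and the untrusted message is passed as an argument. The PRINTF_LIKE attribute is what lets gcc/clang flag the unsafe call at compile time with -Wformat-security; the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Lets gcc/clang warn (-Wformat, -Wformat-security) whenever a non-literal
 * format string reaches the logger, which is exactly the bug class here. */
#ifdef __GNUC__
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical stand-in for apache's aplog_error(): a printf-style logger
 * that writes into a caller-supplied buffer so the result can be inspected.
 * Returns the length the formatted message would have, like vsnprintf. */
static int log_printf(char *out, size_t outlen, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int log_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern (what the advisory describes): the untrusted message is
 * used as the format string, so any '%' directives inside it are interpreted
 * by the logger instead of being logged as text. Kept here for comparison
 * only; the compiler warning it triggers is demoted so the file still builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic warning "-Wformat-security"
int log_error_unsafe(char *out, size_t outlen, const char *untrusted_msg)
{
    return log_printf(out, outlen, untrusted_msg);
}
#pragma GCC diagnostic pop

/* HARDENED pattern: the format string is a compile-time constant and the
 * untrusted message is an argument, so '%' characters in it are plain data. */
int log_error_safe(char *out, size_t outlen, const char *untrusted_msg)
{
    return log_printf(out, outlen, "PHP error: %s", untrusted_msg);
}

/* Audit helper: returns 1 if a message carries printf directives, i.e. would
 * have been interpreted by the unsafe pattern. Handy when reviewing old logs
 * from a host that ran with log_errors = On. */
int contains_format_directive(const char *msg)
{
    return strchr(msg, '%') != NULL;
}

int main(void)
{
    char buf[128];
    /* Constructed sample of a user-influenced error message */
    const char *sample = "include failed for %s %x";
    log_error_safe(buf, sizeof buf, sample);
    printf("%s (directives present: %d)\n", buf, contains_format_directive(sample));
    return 0;
}
```

With the attribute in place, `gcc -Wall -Wformat-security` reports the call inside `log_error_unsafe` as "format not a string literal and no format arguments", which is the same check a reviewer would apply to every aplog_error call site.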
2. Vulnerable Versions
System                       Package
-----------------------------------------------------------
OpenLinux Desktop 2.3        not vulnerable
OpenLinux eServer 2.3        All packages previous to
and OpenLinux eBuilder       mod_php3-3.0.17-1S
OpenLinux eDesktop 2.4       All packages previous to
                             mod_php3-3.0.17-1D
3. Solution
Workaround:
In /etc/httpd/conf/php3.ini, make sure that error logging is
turned off:
log_errors = Off
The proper solution is to upgrade to the fixed packages.
4. OpenLinux Desktop 2.3
not vulnerable
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
58e13e3d8d03a2578a76d5a45965b84e RPMS/mod_php3-3.0.17-1S.i386.rpm
076cc3ebe92e8615a291a2d3b23d1532 RPMS/mod_php3-doc-3.0.17-1S.i386.rpm
102f3824f8836a838d88ffe5e10a3c5a SRPMS/mod_php3-3.0.17-1S.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fhv mod_php3-*S.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
6ab0ed0a31ed245dc41e275f0b04570e RPMS/mod_php3-3.0.17-1D.i386.rpm
1821696bfa5b169c97760796f732b6d3 RPMS/mod_php3-doc-3.0.17-1D.i386.rpm
0f0a8dd1e8d5a8bbf112715f7cd3940c SRPMS/mod_php3-3.0.17-1D.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fhv mod_php3-*D.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Reports 7720,
7721, 7939.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
9. Acknowledgements
Caldera Systems wishes to thank Jouko Pynnönen jouko@solutions.fi for finding and
reporting this problem; and the PHP team for providing a fix and
generally being very cooperative.