---

Caldera Systems Security Advisory: format bug in PHP

Date: Fri, 13 Oct 2000 15:37:25 -0600
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: format bug in PHP

 

                   Caldera Systems, Inc.  Security Advisory
 
Subject:                format bug in PHP
Advisory number:        CSSA-2000-037.0
Issue date:             2000 October, 13 (Friday)
Cross reference:


 

1. Problem Description

There’s a format bug in the logging code of the mod_php3 module.
It uses apache’s aplog_error function, passing user-specified input
as the format string.

This can be exploited by a remote attacker to execute arbitrary
shell commands under the HTTP server account (user httpd).

In order for this bug to be exploitable, the PHP error logging
must be enabled. By default, error logging is off.

2. Vulnerable Versions

 
   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable                               
 
   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       mod_php3-3.0.17-1S
 
   OpenLinux eDesktop 2.4       All packages previous to
                                mod_php3-3.0.17-1D
 

3. Solution

Workaround:

In /etc/httpd/conf/php3.ini, make sure that error logging is
turned off:

log_errors = Off

The proper solution is to upgrade to the fixed packages

4. OpenLinux Desktop 2.3

not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential
3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

       58e13e3d8d03a2578a76d5a45965b84e  RPMS/mod_php3-3.0.17-1S.i386.rpm
       076cc3ebe92e8615a291a2d3b23d1532  RPMS/mod_php3-doc-3.0.17-1S.i386.rpm
       102f3824f8836a838d88ffe5e10a3c5a  SRPMS/mod_php3-3.0.17-1S.src.rpm
                

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv mod_php3-*S.i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

       6ab0ed0a31ed245dc41e275f0b04570e  RPMS/mod_php3-3.0.17-1D.i386.rpm
       1821696bfa5b169c97760796f732b6d3  RPMS/mod_php3-doc-3.0.17-1D.i386.rpm
       0f0a8dd1e8d5a8bbf112715f7cd3940c  SRPMS/mod_php3-3.0.17-1D.src.rpm
 

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv mod_php3-*D.i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera’s internal Problem Report 7720,
7721, 7939.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.

9. Acknowledgements

Caldera Systems wishes to thank Jouko Pynnönen jouko@solutions.fi for finding and
reporting this problem; and the PHP team for providing a fix and
generally being very cooperative.

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis