Date: Wed, 26 Apr 2000 20:46:46 -0400
From: Cristian Gafton [email protected]
To: [email protected]
Subject: SECURITY: UPDATED – RHSA-2000:014 New Piranha release
available
Red Hat, Inc. Security Advisory
Synopsis: Piranha web GUI exposure
Advisory ID: RHSA-2000:014-16
Issue date: 2000-04-18
Updated on: 2000-04-26
Product: Red Hat Linux
Keywords: piranha
Cross references: php
1. Topic:
The GUI portion of Piranha may allow any remote attacker to
execute commands on the server. This may allow a remote attacker to
launch additional exploits against a web site from inside the web
server.
This is an updated release that disables Piranha’s web GUI
interface unless the site administrator enables it explicitly.
2. Relevant releases/architectures:
Red Hat Linux 6.2 – i386 alpha sparc
3. Problem description:
When Piranha is installed, it generates a ‘secure’ web interface
ID using the HTML .htaccess method. The information for the account
is placed in /home/httpd/html/piranha/secure/passwords which was
supposed to be released with a blank password. Unfortunately, the
password that is actually on the CD is ‘Q’.
The original intent was that, when the administrator installed
Piranha rpms onto their box, that they would change the default
blank password to a password of their own choosing.
This is not a hidden account. Its only use is to protect the web
pages from unauthorized access.
The security problem arises from the
http://localhost/piranha/secure/passwd.php3 file. It is possible to
execute commands by entering ‘blah;some-command’ into the password
fields. Everything after the semicolon is executed with the same
privilege as the webserver.
Because of this, it is possible to compromise the webserver or
do serious damage to files on the site that are owned by the user
‘nobody’ or to export a shell using xterm.
Updated piranha packages released as version 0.14.3-1 fixed the
security vulnerability while still require for the default behavior
of requiring the web administrator to reset the password before
making the web site public.
Because of the security concerns from the community and in order
to protect innocent administrators that might not be aware of the
need to change the password for Piranha’s interface before going
live on the Internet, Red Hat is releasing a new set of packages
that disable the piranha web interface by default. The site
administrator will have to enable the service from the command line
by resetting the password as detailed on the main page of the
piranha utility.
The new packages that include these changes are known as version
piranha-0.4.14-1.
Users of Red Hat Linux 6.2 are strongly encouraged to upgrade to
the new packages if they are actively using piranha on their system
(upgrade instructions follow) or to remove the piranha-gui package
altogether by issuing the following command:
rpm -e piranha-gui
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
When you install the update for the piranha-gui, please take a
moment to review the instructions presented on the following URL
(http://localhost/piranha). This should guide you through the
process of installing a password for use with the GUI.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla
for more info):
N/A
6. Obsoleted by:
N/A
7. Conflicts with:
N/A
8. RPMs required:
Red Hat Linux 6.2:
intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.14-1.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/piranha-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/piranha-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.14-1.src.rpm
9. Verification:
MD5 sum Package Name
7c9cad243857f3e90cb73457619ad3a0 6.2/SRPMS/piranha-0.4.14-1.src.rpm 179e502f88f149fe3bfb285af851a6d3 6.2/alpha/piranha-0.4.14-1.alpha.rpm 881622bc6403c2af38834c0deaf05d44 6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm 7ffc63ec6f236afc0b19298ec29e6774 6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm 1e04357c0ebb004185b834152667c644 6.2/i386/piranha-0.4.14-1.i386.rpm 5b6649f14979e1b2fbdb763d88e9a3ac 6.2/i386/piranha-docs-0.4.14-1.i386.rpm 1a49816f280dc7a9b83ba9bab42a247f 6.2/i386/piranha-gui-0.4.14-1.i386.rpm 4153b861f030a17745463c1749732b58 6.2/sparc/piranha-0.4.14-1.sparc.rpm dc964993d9a3b6c967e5c4455bc24221 6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm 97071e07e2f34fecf80ba48f61e70ba6 6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm –checksig
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm –checksig –nogpg
10. References:
This vulnerability was discovered and researched by Allen Wilson
and Dan Ingevaldson of Internet Security Systems. Red Hat would
like to thank ISS for the assistance in getting this problem fixed
quickly.
Cristian