

Security Alerts: Apache Regex Problems

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Apache, mod_php, XDM, Goahead Web Server, Xerox Document Center, SARA, phpBB2, OpenBB, SquirrelMail, and pServ.


Apache

The Apache web server is vulnerable to an attack that uses a bug in the code that parses regular expressions, which can result in arbitrary code being executed with the permissions of the user running the Apache web server. To exploit this bug, the attacker must be able to write to a configuration file, such as an .htaccess file in a user's public_html directory. This vulnerability is reported to affect versions in the 1.3.x series up to, but not including, version 1.3.29. The bug is located in the regular expression parsing code in the mod_alias and mod_rewrite Apache modules.

It is recommended that affected users upgrade to version 1.3.29 or newer of Apache as soon as possible.


mod_php

The mod_php Apache module is reported to have a problem that, under some conditions, can be exploited by a local attacker to gain control of the HTTPS port (443) and emulate secure web services. The problem is caused by the file descriptor being leaked to PHP processes, which can then pass the file descriptor to an external program using functions such as passthru(), exec(), or system(). A script to automate the exploitation of this problem has been released to the public.

Users should watch their vendors for a repaired version of mod_php.
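
A way to audit for the kind of descriptor leak described above, as an added example (it is not from this column or from the mod_php code): it counts the listening sockets in the current process that lack the close-on-exec flag, and so would be inherited by any program started through exec(), then applies FD_CLOEXEC and counts again. The function names and the loopback test socket are assumptions made for the demonstration.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd is a listening socket without FD_CLOEXEC (inherited across exec). */
int leaks_listener(int fd) {
    int flags = fcntl(fd, F_GETFD), on = 0;
    socklen_t len = sizeof on;
    if (flags == -1 || (flags & FD_CLOEXEC)) return 0;  /* closed or safe */
    return getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &on, &len) == 0 && on;
}

/* Count such descriptors across the process's descriptor table. */
int count_leaky_listeners(void) {
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 4096) max = 4096;  /* bound the scan */
    for (int fd = 0; fd < max; fd++) n += leaks_listener(fd);
    return n;
}

/* Constructed stand-in for the server's listener: loopback, ephemeral port. */
int make_listener(void) {
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) || listen(fd, 1)) { close(fd); return -1; }
    return fd;
}

/* Mitigation: set close-on-exec so the kernel closes fd in exec'd children. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void) {
    int fd = make_listener();
    if (fd < 0) return 1;
    printf("listeners inherited by exec'd children: %d\n", count_leaky_listeners());
    set_cloexec(fd);
    printf("after FD_CLOEXEC: %d\n", count_leaky_listeners());
    close(fd);
    return 0;
}
```

On systems that support it, passing SOCK_CLOEXEC to socket() sets the flag at creation time and avoids the gap between socket() and fcntl().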


XDM

The X Window system display manager XDM can, under some conditions, grant unauthorized root access to an attacker who can successfully log in as a normal user. This vulnerability is caused by XDM not checking for an error condition in the returned value of the function pam_setcred(). It has been reported that specific configurations of the MIT pam_krb5 PAM module are vulnerable to this, and that other PAM modules have the same vulnerability. This vulnerability appears to be related to the similar vulnerability reported in the KDE X Window system display manager KDM.

Affected users should upgrade to XFree86 version 4.3 or watch their vendors for updated packages. Updated packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1.

Goahead Web Server

The Goahead web server is an open source embedded web server that has been released for many operating systems, including GNU/Linux, MacOS, CE, Ecos, Lynx, NW, QNX4, VXWORKS, and Win32. The code in Goahead that supports executing ASP files and sending data to the client has a bug that can be remotely and trivially exploited to view the source code of the ASP scripts. This problem is reported to affect all versions of the Goahead web server through version 2.1.7.

Users who have ASP pages should upgrade to version 2.1.8 as soon as possible.

Xerox Document Center

The Xerox Document Center is reported to be vulnerable to a remote attack that can be exploited to gain access to files, user accounts, and passwords. The attacker is reported to be able to connect with a malformed URL and download listings of directories and arbitrary files. There have also been reports of other Xerox devices being vulnerable to this attack.

Possible workarounds for this vulnerability include disabling the Xerox Document Center's HTTP interface, or restricting access to it to trusted hosts either through internal configuration or by using a firewall. All users, however, should watch for a solution from Xerox.


SARA

SARA, the Security Auditor's Research Assistant, is a network and host security auditing tool that is based on the SATAN security auditor and network scanner. SARA is reported to be vulnerable, under some conditions, to a cross-site scripting (XSS) attack that may result in code being executed in the victim's web browser.

It is recommended that users upgrade to version 5.0.0 of SARA.


phpBB2

The popular bulletin board software phpBB2 is vulnerable to a SQL injection-based attack that, under some conditions, can lead to the attacker viewing user password hashes. The search.php script has a variable that is not verified before it is used in a SQL query. Versions of phpBB2 through 2.0.6 are reported to be vulnerable.

Users should download a new copy of the 2.0.6 release from the phpBB2 site. Even though the version number was not changed and there is no notice in the changelog file, the vulnerability has been patched in the current downloadable version.


OpenBB

OpenBB, a bulletin board system written in PHP with a MySQL back end, is vulnerable to a SQL injection attack that, when exploited, may allow a remote attacker to view the admin password for the bulletin board. The vulnerability is the result of a possibly uninitialized variable ($CID) in the index.php script.

Users should upgrade to the version of OpenBB available from its home page as soon as possible.


SquirrelMail

The web-based email client SquirrelMail is reported to be vulnerable to an attack that may result in arbitrary code being executed with the permissions of the user under which the web server is running. This vulnerability is reported to possibly affect GPG Plug-in version 1.1 and SquirrelMail version 1.4.0.

It is recommended that affected users upgrade to SquirrelMail 1.4.2, which was released in October of 2003.


pServ

pServ (pico web Server) is a web server written in C with the goals of being portable and small. pServ contains a bug that can be used by a remote attacker in a directory traversal attack to gain information about the victim's system.

Users should upgrade to the latest version of pServ available from its homepage.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
