Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Apache, mod_php, XDM, Goahead Web Server, Xerox Document Center, SARA, phpBB2, OpenBB, SquirrelMail, and pServ.
Apache
The Apache web server is vulnerable to an attack that uses a bug in the code that parses regular expressions, which can result in arbitrary code being executed with the permissions of the user running the Apache web server. To exploit this bug, the attacker must be able to write to a configuration file, such as an .htaccess file in a user public_html directory. This vulnerability is reported to affect versions in the 1.3.x series up to, but not including, version 1.3.29. The bug is located in the regular expression parsing code in the mod_rewrite Apache modules.
It is recommended that affected users upgrade to version 1.3.29 or newer of Apache as soon as possible.
mod_php
The mod_php Apache module is reported to have a problem that, under some conditions, can be exploited by a local attacker to gain control of the HTTPS port (443) and emulate secure web services. The problem is caused by the file descriptor being leaked to PHP processes, which can then pass the file descriptor to an external program using functions such as system(). A script to automate the exploitation of this problem has been released to the public.
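The leak described above comes down to a listening socket that lacks the close-on-exec flag when the server process starts an external program. The following C audit is an added example, not code from Apache, mod_php, or this column; the function names and the loopback stand-in listener are assumptions made for illustration.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if fd is a listening socket that a child would inherit across exec. */
static int leaks_listener(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || (flags & FD_CLOEXEC)) return 0;  /* not open, or already sealed */
    int listening = 0;
    socklen_t len = sizeof listening;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len) < 0)
        return 0;                                     /* not a socket */
    return listening != 0;
}

/* Count listening sockets below max_fd that a program run via system() would inherit. */
int count_leaked_listeners(int max_fd) {
    int n = 0;
    for (int fd = 0; fd < max_fd; fd++) n += leaks_listener(fd);
    return n;
}

/* Set close-on-exec on every leaking listener; returns how many were sealed. */
int seal_listeners(int max_fd) {
    int sealed = 0;
    for (int fd = 0; fd < max_fd; fd++) {
        if (!leaks_listener(fd)) continue;
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) sealed++;
    }
    return sealed;
}

/* Constructed stand-in for the server's HTTPS listener: loopback, ephemeral port. */
int open_demo_listener(void) {
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                                /* kernel picks a free port */
    int fd = socket(AF_INET, SOCK_STREAM, 0);         /* no SOCK_CLOEXEC: inheritable */
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A server can run the count before spawning any external program and treat a nonzero result as a configuration error.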
Users should watch their vendors for a repaired version of
XDM
The X Window system display manager XDM can, under some conditions, grant unauthorized root access to an attacker who can successfully log in as a normal user. This vulnerability is caused by XDM not checking for an error condition in the returned value of the function pam_setcred(). It has been reported that specific configurations of the MIT pam_krb5 PAM module are vulnerable to this, and that other PAM modules have the same vulnerability. This vulnerability appears to be related to the similar vulnerability reported in the KDE X Window system display manager KDM.
Affected users should upgrade to XFree86 version 4.3 or watch their vendors for updated packages. Updated packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1.
Goahead Web Server
The Goahead web server is an open source embedded web server that has been released for many operating systems, including GNU/Linux, MacOS, CE, Ecos, Lynx, NW, QNX4, VXWORKS, and Win32. The code in Goahead that supports executing ASP files and sending data to the client has a bug that can be remotely and trivially exploited to view the source code of the ASP scripts. This problem is reported to affect all versions of the Goahead web server through version 2.1.7.
Users who have ASP pages should upgrade to version 2.1.8 as soon as possible.
Xerox Document Center
The Xerox Document Center is reported to be vulnerable to a remote attack that can be exploited to gain access to files, user accounts, and passwords. The attacker is reported to be able to connect with a malformed URL and download listings of directories and arbitrary files. There have also been reports of other Xerox devices being vulnerable to this attack.
Possible workarounds for this vulnerability include disabling the Xerox Document Center's HTTP interface, or restricting access to it to trusted hosts either through internal configuration or by using a firewall. All users, however, should watch for a solution from Xerox.
SARA
SARA, the Security Auditor's Research Assistant, is a network and host security auditing tool that is based on the SATAN security auditor and network scanner. SARA is reported to be vulnerable, under some conditions, to a cross-site scripting (CSS) attack that may result in code being executed in the victim's web browser.
It is recommended that users upgrade to version 5.0.0 of SARA.
phpBB2
The popular bulletin board software phpBB2 is vulnerable to a SQL injection-based attack that, under some conditions, can lead to the attacker viewing user password hashes. The search.php script has a variable that is not verified before it is used in a SQL query. Versions of phpBB2 through 2.0.6 are reported to be vulnerable.
Users should download a new copy of the 2.0.6 release from the phpBB2 site. Even though the version number was not changed and there is no notice in the changelog file, the vulnerability has been patched in the current downloadable version.
OpenBB
OpenBB, a bulletin board system written in PHP with a MySQL back end, is vulnerable to a SQL injection attack that, when exploited, may allow a remote attacker to view the admin password for the bulletin board. The vulnerability to this attack is the result of a possibly non-initialized variable ($CID) in the index.php script.
Users should upgrade to the version of OpenBB available from its home page as soon as possible.
SquirrelMail
The web-based email client SquirrelMail is reported to be vulnerable to an attack that may result in arbitrary code being executed with the permissions of the user under which the web server is running. This vulnerability is reported to possibly affect GPG Plug-in version 1.1 and SquirrelMail version 1.4.0.
It is recommended that affected users upgrade to SquirrelMail 1.4.2, which was released in October of 2003.
pServ
pServ (pico web Server) is a web server written in C with the goals of being portable and small. pServ contains a bug that can be used by a remote attacker in a directory traversal attack to gain information about the victim's system.
Users should upgrade to the latest version of pServ available from its homepage.