

PHP Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PHP, Samba, mod_ssl, HP-UX's xfs and stmkfont, Ethereal, l2tpd, Domino, APC PowerChute Business Edition, Webmin, and Lexmark network printers.


Some configurations of PHP may be vulnerable to an attack that, when exploited, can result in arbitrary code being executed with the permissions of the user account running the web server. This attack exploits a flaw in the memory_limit code of PHP and affects PHP 4.x through 4.3.7, and 5.x through 5.0.0RC3. In addition, a bug in the strip_tags() function may result in cross-site scripting problems in some browsers.

Users should upgrade to version 4.3.8 or 5.0.0 of PHP as soon as possible. Repaired packages have been released by SuSE, Red Hat, Mandrake, Gentoo, Debian, and Conectiva.


Samba and the Samba Web Administration Tool

The Samba server and SWAT, the Samba Web Administration Tool, are vulnerable to buffer overflows that may be exploitable to execute arbitrary code with the permissions of (in most cases) root. The buffer overflow in SWAT is in the code that decodes base64 input and can be triggered by a remote attacker supplying an invalid base64 character. The Samba server buffer overflow is in the code that handles the mangling method = hash configuration option in the smb.conf file. The SWAT overflow is present in versions 3.0.2 through 3.0.4. The Samba server overflow affects version 2.2.9 and versions 3.0.0 through 3.0.4.

Affected users of Samba should upgrade to version 3.0.5 or 2.2.10 as soon as possible. A possible workaround is to turn off the SWAT server or to set mangling method = hash2 in the smb.conf configuration file.
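The SWAT bug described above was triggered by an invalid base64 character reaching the decoder. The following is an added example, not Samba or SWAT code, of a base64 decoder written the way a hardened one should be: every character outside the alphabet is a hard error, padding is only accepted where it belongs, and the output bound is checked before each write rather than assumed from the input length. Function names and the sample inputs are constructed for this example.

```c
/* Added example, not Samba or SWAT code: a base64 decoder that rejects every
 * invalid input character and bounds-checks each write into the caller's
 * buffer. Function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one alphabet character to its 6-bit value, or -1 if it is not base64. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode NUL-terminated `in` into `out` (capacity `outsz`).
 * Returns the number of bytes written, or -1 for a length that is not a
 * multiple of 4, an invalid character, misplaced padding, or an output
 * buffer that is too small. The bound is checked before every write. */
long b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = strlen(in), produced = 0, i;
    uint32_t acc = 0;
    int bits = 0, pad = 0;

    if (n == 0 || n % 4 != 0) return -1;
    for (i = 0; i < n; i++) {
        int c = (unsigned char)in[i], v;
        if (c == '=') {
            if (i + 2 < n) return -1;      /* '=' only in the last two places */
            pad++;
            continue;
        }
        if (pad) return -1;                /* data after padding */
        v = b64_value(c);
        if (v < 0) return -1;              /* invalid character: reject, never guess */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (produced >= outsz) return -1;   /* would overflow the buffer: stop */
            out[produced++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)produced;
}

/* Constructed inputs for the demo. */
long demo_decode_valid(void)
{
    unsigned char buf[16];
    long n = b64_decode("aGVsbG8=", buf, sizeof buf);   /* "hello" */
    return (n == 5 && memcmp(buf, "hello", 5) == 0) ? n : -2;
}

int demo_rejects_bad_input(void)
{
    unsigned char buf[16];
    return b64_decode("aGV!bG8=", buf, sizeof buf) == -1   /* invalid character */
        && b64_decode("aGVsbG8=", buf, 3) == -1            /* output too small */
        && b64_decode("a=Vs", buf, sizeof buf) == -1;      /* misplaced padding */
}

int main(void)
{
    printf("valid input decoded to %ld bytes\n", demo_decode_valid());
    printf("bad inputs rejected: %s\n", demo_rejects_bad_input() ? "yes" : "no");
    return 0;
}
```

The point of the two demo functions is that a decoder fed hostile input must fail closed: an unexpected character or a short buffer produces an error return, never a write outside the buffer.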

Apache mod_ssl

The mod_ssl distributed with Apache 1.3.x web servers is reported to be vulnerable to a format-string attack that may be exploitable to execute arbitrary code with the permissions of the web server. The vulnerable code is located in the mod_proxy hook functions.

Users should watch their vendors for an updated package or upgrade to mod_ssl version 2.8.19 or newer.
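As an added illustration of the bug class behind the mod_ssl advisory (not Apache or mod_ssl code; the function names and sample strings are constructed), the block below shows the logging shape that becomes a format-string vulnerability next to its fixed form, plus a small check that flags untrusted text carrying conversion specifiers. The unsafe function is only ever called with a benign string here, which is exactly why such code passes ordinary testing.

```c
/* Added example, not mod_ssl or Apache code: the logging pattern that turns
 * into a format-string bug, beside the fixed form and an audit check.
 * Function names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `s` holds a conversion ("%x", "%n", ...) that a printf-family
 * function would act on if `s` were ever used as the format; "%%" is literal. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Thin wrapper standing in for a server's logging routine. */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* Bug pattern: the untrusted string IS the format string. With "%x" or "%n"
 * in it the call reads or writes memory it should not. Called here only with
 * a benign string, so it appears to work. */
int log_proxy_error_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return log_line(out, outsz, untrusted);
}

/* Fix: the format is a literal and the untrusted text is an argument. */
int log_proxy_error_safe(char *out, size_t outsz, const char *untrusted)
{
    return log_line(out, outsz, "proxy error: %s", untrusted);
}

/* Constructed inputs. */
int demo_unsafe_looks_fine_with_benign_text(void)
{
    char line[64];
    log_proxy_error_unsafe(line, sizeof line, "upstream unreachable");
    return strcmp(line, "upstream unreachable") == 0;
}

int demo_safe_keeps_directives_literal(void)
{
    char line[64];
    const char *hostile = "%x%x%n";          /* constructed hostile input */
    log_proxy_error_safe(line, sizeof line, hostile);
    return has_format_directive(hostile)
        && !has_format_directive("100%% done")
        && strcmp(line, "proxy error: %x%x%n") == 0;
}

int main(void)
{
    printf("unsafe form with benign text: %s\n",
           demo_unsafe_looks_fine_with_benign_text() ? "looks fine" : "broken");
    printf("safe form keeps directives literal: %s\n",
           demo_safe_keeps_directives_literal() ? "yes" : "no");
    return 0;
}
```

has_format_directive is the kind of gate worth adding in front of legacy logging paths while the real fix (a literal format string everywhere) is being rolled out; compiling with the compiler's format-string warnings enabled catches the same pattern earlier.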

HP-UX xfs and stmkfont

There are vulnerabilities in the versions of xfs and stmkfont distributed with HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 that may be exploited by a remote attacker to execute code with the permissions of the bin group.

Users should contact HP for the appropriate patch for their systems.


Ethereal

Ethereal is a powerful network protocol analyzer with a graphical interface used for network troubleshooting, analysis, software development, protocol development, and education. Bugs in the iSNS dissector, the SMB SID handling, and the SNMP dissector may, under some conditions, be exploitable by a remote attacker to crash Ethereal or to execute arbitrary code. These problems are reported to affect all versions of Ethereal prior to version 0.10.5.

All users of Ethereal are encouraged to upgrade to version 0.10.5 as soon as possible. Users unable to upgrade should remove the iSNS dissector, SMB SID, and the SNMP dissector from the list of enabled protocols.


l2tpd

l2tpd, the Layer 2 Tunneling Protocol Daemon, is reported to contain a buffer overflow in the write_packet() function in control.c that may be exploitable by an attacker to execute arbitrary code with the permissions under which l2tpd is running.

It is recommended that users upgrade to version 0.69-r2 of l2tpd.

Domino 6.5.1

It has been reported that Domino 6.5.1 under Linux and Windows is vulnerable to a denial-of-service attack that uses a carefully crafted email that hangs the Domino server when it is viewed by the recipient using Domino Web Access. Other versions of Domino may also be vulnerable.

Users should contact IBM for a hotfix for this vulnerability. Possible workarounds are to limit the maximum message size or to turn off Domino Web Access.

APC PowerChute Business Edition

APC's PowerChute Business Edition provides UPS management tools for up to 25 UPS systems, and safe system shutdown during power interruptions for servers and workstations. It is available for Linux, Novell, Solaris, Windows 2003, and Windows XP/2000/NT. All versions of PowerChute Business Edition between 6.0 and 7.0.1 are reported to be at risk from a locally exploitable denial-of-service attack.

Affected users of APC PowerChute Business Edition should upgrade or patch to version 7.0.2 as soon as possible.


netkit-telnet-ssl

A format-string-based vulnerability has been reported in the netkit-telnet-ssl package for Debian Linux. This vulnerability may, under some conditions, allow a remote attacker to execute arbitrary code with the permissions of the telnet daemon (under Debian, the telnetd user). It is not clear if this vulnerability affects other distributions.

Debian users should upgrade their netkit-telnet-ssl package to the repaired version as soon as possible.


Webmin

Webmin is a web-based administration tool for Unix systems that can be used for managing user accounts, controlling Apache, DNS, file sharing, and more. Webmin has a bug that can be exploited by an unauthorized attacker to read module settings. In addition, on Fedora 2 and other 2.6 kernel-based distributions, using the Disk Quotas module under some conditions may cause the system to hang.

Users should upgrade to Webmin 1.150 or newer as soon as possible.

Lexmark Network Printers

It has been reported that some Lexmark network printers are subject to a denial-of-service attack against their web servers that will cause the printer's web server to stop taking requests and become unresponsive. This problem is reportedly caused by the web server not handling long values in the HTTP Host header of a request (a 1024-character value is reported to work). This problem is also reported to affect Dell printers using the same web-server software in their firmware.

Users should watch their vendor for updated firmware for their printer. It may be possible to mitigate this problem somewhat by using a firewall to protect the printer from unauthorized connections.
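Where a firewall alone is too coarse, a filtering proxy in front of the printer can enforce a Host header length limit before the request reaches the fragile embedded server. The block below is an added example, not Lexmark or Dell firmware, of that check run over a raw request: it scans the header block, finds Host case-insensitively, and reports the value length or -1 when it exceeds the limit. The 1024-character figure is the one the report above cites; HOST_MAX and the sample requests are constructed for the example.

```c
/* Added example, not Lexmark or Dell firmware: a length check on the Host
 * header of a raw HTTP request, suitable for a filtering proxy or an
 * embedded server's request front end. HOST_MAX is a chosen limit. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define HOST_MAX 255   /* RFC 1035 maximum hostname length */

/* Scan the header block of a raw request (CRLF line endings). Returns the
 * length of the Host value, 0 if there is none, or -1 if it exceeds `limit`. */
long host_header_length(const char *req, size_t limit)
{
    const char *p = strstr(req, "\r\n");        /* skip the request line */
    if (!p) return 0;
    p += 2;
    while (*p && !(p[0] == '\r' && p[1] == '\n')) {   /* stop at blank line */
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen >= 5 && strncasecmp(p, "Host:", 5) == 0) {
            const char *v = p + 5, *end = p + linelen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;        /* trim */
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            return (size_t)(end - v) > limit ? -1 : (long)(end - v);
        }
        if (!eol) break;
        p = eol + 2;
    }
    return 0;
}

/* Constructed requests for the demo. */
long demo_normal_request(void)
{
    return host_header_length(
        "GET / HTTP/1.1\r\nHost: printer.example.lan\r\nUser-Agent: x\r\n\r\n",
        HOST_MAX);
}

long demo_oversized_request(void)
{
    static char req[1200];
    const char *prefix = "GET / HTTP/1.1\r\nhost: ";   /* lowercase on purpose */
    size_t plen = strlen(prefix);
    memcpy(req, prefix, plen);
    memset(req + plen, 'a', 1024);              /* the length the report cites */
    memcpy(req + plen + 1024, "\r\n\r\n", 5);   /* includes terminating NUL */
    return host_header_length(req, HOST_MAX);
}

int main(void)
{
    printf("normal request: Host length %ld\n", demo_normal_request());
    printf("oversized request: %ld (-1 = reject)\n", demo_oversized_request());
    return 0;
}
```

A proxy that returns 400 when this function yields -1, and logs the source address, both protects the device and gives the operator a record of who is sending oversized headers.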

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
