Sections:
Main page
Security
Kernel
Distributions
On the Desktop
Development
Commerce
Linux in the news
Announcements
Linux History
Letters
All in one big page

Security

News and Editorials

Trouble with Apache SQL authentication modules. The Apache web server supports several modules which can perform user authentication from a relational database. They are certainly widely used; a site does not have to grow very large before the classic htpasswd mechanism becomes unusable. So this advisory pointing out "SQL insertion" vulnerabilities in several of these modules is worthy of some concern.

SQL insertion happens when a hostile user, through a clever request to the web server, is able to pass arbitrary SQL code through to the underlying database. This code can disclose or modify data, or corrupt the integrity of the database in a number of ways; it can also, usually, be used to allow unauthorized access to the web site.

This type of vulnerability comes about as a result of the combination of inadequate checking of user-supplied data and the passing of that data across module boundaries. It is an easy sort of mistake to make, and it is certain that numerous other, database-driven web applications have similar vulnerabilities.

Fixing this sort of problem is relatively easy, once the programmer thinks of it. A "white list" of allowed characters filters out most such attacks without trouble. But, when passing user strings between modules, filtering in one module can require a knowledge of what strings can cause problems in the other. This kind of knowledge goes against the information hiding techniques that are usually seen as good, modular programming. As a result, programmers can be surprised, even if they are thinking about properly sanitizing user-supplied data.

As applications become more component driven, the chances are that this sort of cross-module interaction will be seen more often. Security is hard, and it's not getting any easier.

The X.C worm is apparently loose. This work takes advantage of the buffer overrun vulnerability in telnetd (see updates, below) to infect new systems. So far, this worm does not appear to have caused a lot of problems; many systems are no longer running telnet services, and, hopefully, most of those that still do have applied the updates. Nonetheless, for those who are concerned, a X.C discovery and removal tool has been made available by William Stearns.

Security Reports

A security audit of xinetd. Solar Designer has performed an extensive audit of xinetd looking for certain types of security vulnerabilities. So many problems were found in the code that the resulting patch weighed in at over 100KB. This patch was only fully merged as of xinetd 2.3.3.

The patched xinetd will certainly be safer, but Solar Designer's disclaimer is worth noting:

To summarize the results, xinetd may be reasonably safe to use with these patches, but the code remains far from clean and certain bugs are there by design.

Distributor updates seen so far include:

Fun with Bugzilla Users of the Bugzilla bug tracking system should upgrade to the new 2.14 release, which fixes several security holes. The worst of these vulnerabilities could lead to the disclosure of "confidential" bugs, or the compromise of the Bugzilla server as a whole.

A new lpr vulnerability. A new buffer overrun vulnerability in lpr has been reported. This time around, an attacker crafts a special, incomplete print job; a subsequent request to view the printer queue causes the overrun to happen. The advisory only mentions BSD systems, but numerous Linux distributions run BSD lpr as well. Stay tuned for updates...

An HTML injection vulnerability with gnut. The "gnut" Gnutella client is vulnerable to the injection of arbitrary HTML (including scripts) if a hostile user shares a file with HTML tags embedded in its name. This bug is compounded by the fact that gnut, apparently, loads a lot of files from the local drive; browsers impose fewer security restrictions in this situation. Upgrade to gnut 0.4.27 for a fix.

POP3Lite message processing vulnerability. The POP3Lite POP server fails to escape leading dots in mail messages, opening it up to denial of service attacks and the creation of untraceable forged messages. Upgrading to version 0.2.4 fixes the problem.

SuSE updates screen. SuSE has issued a security update to screen fixing a local root exploit vulnerability in that package. It seems that, if screen is installed setuid root, a clever user can engage in some /tmp trickery to get root privileges. SuSE's fix deals with the problem in the code, and also removes the setuid bit. That, in turn, reduces the functionality of screen slightly; see the advisory for information on whether you might need to restore the setuid bit after applying the update.

web scripts. The following web scripts were reported to contain vulnerabilities:

PhpMyExplorer (a file manager) has a a directory traversal vulnerability which can be used to read any file on the system. Upgrading to version 1.2.1 fixes the problem.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

A problem in PGP's key validity display has been discovered; given enough assumptions, it could be used to fool users into accepting keys that are not valid. Fixes are available.
The Informix-SQL application has a vulnerability which allows local users to create any file with root privileges.

Updates

Buffer overrun vulnerabilities in fetchmail. (Found by Salvatore Sanfilippo). Two buffer overrun vulnerabilities exist in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. See the August 16 Security page for the initial report.

Previous updates:

OpenSSL Pseudo-random number generator weakness A weakness has been discovered in the OpenSSL Pseudo random number generator that can allow an attacker to discover the PNRG's state and predict future values. (First reported July 12).

Previous updates:

Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.

This week's updates:

Red Hat (October 22, 2001) (no explanation of changes from previous update).

Previous updates:

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

HP (February 12, 2002)

Previous updates:

Caldera (August 10, 2001)
Conectiva (August 24, 2001)
Debian (August 14, 2001) (SSL version)
Debian (August 14, 2001) (Update for Sparc version)
Mandrake (August 13, 2001)
Mandrake (December 17, 2001) (kerberos version)
Progeny (August 14, 2001)
Red Hat (February 7, 2002) (Update, for Red Hat 5.2, 6.2, 7.0, and 7.1, to the original advisory, issued August 9, 2001.)
Red Hat (August 9, 2001)
Red Hat (August 9, 2001) (kerberos version)
Slackware (August 9, 2001)
SuSE (September 3, 2001)
Yellow Dog (August 10, 2001)
Yellow Dog (August 10, 2001) (kerberos version)

Buffer overruns in Window Maker A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page.

New updates:

SuSE (September 20, 2001)

Previous updates:

Buffer overflows in xloadimage This problem was first covered in the July 12 Security page.

Previous updates:

Resources

The LinuxSecurity.com Weekly Newsletter for September 3 is available.

Events

Computer Security Mexico will be held November 24 to 30 in Mexico City. The call for papers has been issued; with submissions being due by October 12.

Upcoming Security Events.

Date Event Location

September 11 - 13, 2001 New Security Paradigms Workshop 2001(NSPW) Cloudcroft, New Mexico, USA

September 28 - 30, 2001 Canadian Association for Security and Intelligence Studies(CASIS 2001) (Dalhousie University)Halifax, Nova Scotia, Canada.

October 10 - 12, 2001 Fourth International Symposium on Recent Advances in Intrusion Detection(RAID 2001) Davis, CA

November 5 - 8, 2001 8th ACM Conference on Computer and Communication Security(CCS-8) Philadelphia, PA, USA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet

September 6, 2001

LWN Resources

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel