Date: Fri, 13 Oct 2000 15:37:25 -0600
From: Caldera Support Info <sup-info@locutus4.calderasystems.com>
To: announce@lists.calderasystems.com, bugtraq@securityfocus.com,
Subject: Security Update: format bug in PHP


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		format bug in PHP
Advisory number: 	CSSA-2000-037.0
Issue date: 		2000 October, 13 (Friday)
Cross reference:
______________________________________________________________________________


1. Problem Description

   There's a format string bug in the logging code of the mod_php3
   module. It uses Apache's aplog_error function, passing
   user-specified input as the format string.

   This can be exploited by a remote attacker to execute arbitrary
   shell commands under the HTTP server account (user httpd).

   In order for this bug to be exploitable, the PHP error logging must
   be enabled. By default, error logging is off.
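
   The unsafe and hardened call patterns, shown as an added example that
   is not part of the Caldera advisory or the mod_php3 source. demo_log is
   a hypothetical stand-in for a printf-style logger such as aplog_error;
   the function names and the sample input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging call; it formats into
 * a caller-supplied buffer so the logged text can be inspected. */
static int demo_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: request-derived text IS the format string, so a '%'
 * directive in it reads arguments that were never passed (undefined). */
int log_unsafe(char *out, size_t n, const char *user_msg)
{
    return demo_log(out, n, user_msg);
}

/* Hardened pattern: constant format, untrusted text is only an argument,
 * so its '%' characters are copied verbatim and never interpreted. */
int log_safe(char *out, size_t n, const char *user_msg)
{
    return demo_log(out, n, "%s", user_msg);
}

/* Audit helper: count conversion directives in untrusted text ("%%" is a
 * literal percent sign). Non-zero means it must never be a format. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;   /* escaped percent, not a directive */
        else count++;
    }
    return count;
}

int main(void)
{
    char line[128];
    const char *msg = "file %x%x not found 100%%";   /* constructed input */
    log_safe(line, sizeof line, msg);
    printf("verbatim=%d directives=%d\n", strcmp(line, msg) == 0, count_directives(msg));
    return 0;
}
```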

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       mod_php3-3.0.17-1S

   OpenLinux eDesktop 2.4       All packages previous to
                                mod_php3-3.0.17-1D

3. Solution

   Workaround:

   In /etc/httpd/conf/php3.ini, make sure that error logging
   is turned off:

	   log_errors = Off

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       58e13e3d8d03a2578a76d5a45965b84e  RPMS/mod_php3-3.0.17-1S.i386.rpm
       076cc3ebe92e8615a291a2d3b23d1532  RPMS/mod_php3-doc-3.0.17-1S.i386.rpm
       102f3824f8836a838d88ffe5e10a3c5a  SRPMS/mod_php3-3.0.17-1S.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following command:

	  rpm -Fhv mod_php3-*S.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       6ab0ed0a31ed245dc41e275f0b04570e  RPMS/mod_php3-3.0.17-1D.i386.rpm
       1821696bfa5b169c97760796f732b6d3  RPMS/mod_php3-doc-3.0.17-1D.i386.rpm
       0f0a8dd1e8d5a8bbf112715f7cd3940c  SRPMS/mod_php3-3.0.17-1D.src.rpm       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following command:

	  rpm -Fhv mod_php3-*D.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Reports 7720,
   7721 and 7939.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Jouko Pynnönen <jouko@solutions.fi> 
   for finding and reporting this problem; and the PHP team for providing 
   a fix and generally being very cooperative.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE55sxZ18sy83A/qfwRAoVYAJsGfCyA3qfDjUkZEGGbLVu0xC+fJACcC2yE
4uMKfTw4lymEYerSvjOpsRc=
=Msic
-----END PGP SIGNATURE-----