Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bt548.txt

php XSS, bypass safe mode





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.032                                          07-Jul-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       XSS; bypass safe mode
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= php-4.3.1-20030516       >= php-4.3.2-20030529
                     <= apache-1.3.27-20030516   >= apache-1.3.27-20030529
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= php-4.2.2-1.1.1          >= php-4.2.2-1.1.2
                     <= apache-1.3.26-1.1.4      >= apache-1.3.26-1.1.5

Dependent Packages:  none

Description:
  A security advisory [3] states that in PHP [1] version 4.3.1 (but
  we at OpenPKG believe 4.2.x) and earlier, when transparent session
  ID support is enabled using the "session.use_trans_sid" option,
  the session ID is not escaped before use, which allows remote
  attackers to insert arbitrary script via the PHPSESSID parameter. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0442 [6] to this problem.

  Additionally, Wojciech Purczynski some time ago found out [2] that
  it is possible to allow remote attackers to by-pass "safe mode"
  restrictions in PHP [1] 4.x to 4.2.2 and modify command line arguments
  to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
  behavior and possibly executing commands. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2002-0985 [4] to this
  problem.
  
  Wojciech Purczynski also reported [2] that the mail function in
  PHP [1] 4.x to 4.2.2 does not filter ASCII control characters from
  its arguments, which could allow remote attackers to modify mail
  message content, including mail headers, and possibly use PHP as a
  "spam proxy." The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-0986 [5] to this problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q php". If you have the "php" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [9], fetch it from the OpenPKG FTP service [10] or a mirror location,
  verify its integrity [11], build a corresponding binary RPM from
  it [7] and update your OpenPKG installation by applying the binary
  RPM [8]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get php-4.2.2-1.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.2.src.rpm
  $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.2.*.rpm
________________________________________________________________________

References:
  [1]  http://www.php.net/
  [2]  http://isec.pl/vulnerabilities/0005.txt
  [3]  http://shh.thathost.com/secadv/2003-05-11-php.txt
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
  [7]  http://www.openpkg.org/tutorial.html#regular-source
  [8]  http://www.openpkg.org/tutorial.html#regular-binary
  [9]  ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.2.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.1/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/CYL2gHWT4GPEy58RAnF0AKDY5SbvJIffi3gXHt26g8BUA0AjHACgubJR
VIB2rswM6mLBz8FN6ooXf0o=
=Cp7d
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH