TUCoPS :: Web :: PHP
:: bt548.txt
php XSS, bypass safe mode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@openpkg.org openpkg@openpkg.org
OpenPKG-SA-2003.032 07-Jul-2003
________________________________________________________________________
Package: php, apache
Vulnerability: XSS; bypass safe mode
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= php-4.3.1-20030516 >= php-4.3.2-20030529
<= apache-1.3.27-20030516 >= apache-1.3.27-20030529
OpenPKG 1.2 none N.A.
OpenPKG 1.1 <= php-4.2.2-1.1.1 >= php-4.2.2-1.1.2
<= apache-1.3.26-1.1.4 >= apache-1.3.26-1.1.5
Dependent Packages: none
Description:
A security advisory [3] states that in PHP [1] version 4.3.1 (but
we at OpenPKG believe 4.2.x) and earlier, when transparent session
ID support is enabled using the "session.use_trans_sid" option,
the session ID is not escaped before use, which allows remote
attackers to insert arbitrary script via the PHPSESSID parameter. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0442 [6] to this problem.
Additionally, Wojciech Purczynski some time ago found out [2] that
it is possible to allow remote attackers to by-pass "safe mode"
restrictions in PHP [1] 4.x to 4.2.2 and modify command line arguments
to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
behavior and possibly executing commands. The Common Vulnerabilities
and Exposures (CVE) project assigned the id CAN-2002-0985 [4] to this
problem.
Wojciech Purczynski also reported [2] that the mail function in
PHP [1] 4.x to 4.2.2 does not filter ASCII control characters from
its arguments, which could allow remote attackers to modify mail
message content, including mail headers, and possibly use PHP as a
"spam proxy." The Common Vulnerabilities and Exposures (CVE) project
assigned the id CAN-2002-0986 [5] to this problem.
Please check whether you are affected by running "<prefix>/bin/rpm
-q php". If you have the "php" package installed and its version is
affected (see above), we recommend that you immediately upgrade it
(see Solution).
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[9], fetch it from the OpenPKG FTP service [10] or a mirror location,
verify its integrity [11], build a corresponding binary RPM from
it [7] and update your OpenPKG installation by applying the binary
RPM [8]. For the current release OpenPKG 1.2, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.2/UPD
ftp> get php-4.2.2-1.1.2.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.2.src.rpm
$ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.2.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.2.*.rpm
________________________________________________________________________
References:
[1] http://www.php.net/
[2] http://isec.pl/vulnerabilities/0005.txt
[3] http://shh.thathost.com/secadv/2003-05-11-php.txt
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
[7] http://www.openpkg.org/tutorial.html#regular-source
[8] http://www.openpkg.org/tutorial.html#regular-binary
[9] ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.2.src.rpm
[10] ftp://ftp.openpkg.org/release/1.1/UPD/
[11] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iD8DBQE/CYL2gHWT4GPEy58RAnF0AKDY5SbvJIffi3gXHt26g8BUA0AjHACgubJR
VIB2rswM6mLBz8FN6ooXf0o=
=Cp7d
-----END PGP SIGNATURE-----
Site design & layout copyright © 1986-2025 AOH