Apache Insecurity Reveals Directory Contents
03/20/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in icecast, Half-Life Dedicated Server, Solaris SNMP,
imapd; format string vulnerabilities in icecast, mutt, Half-Life Dedicated Server, and
cfengine; temporary-file problems in the SGML-Tools package and Mesa; and problems with Apache, several FTP daemons, a Solaris SNMP agent, vBulletin, FTPFS, and Ikonboard.
In some circumstances, the Apache web server may display a directory listing when it should display an error message. It has been reported that all versions of Apache prior to 1.3.19 are affected.
The Apache Software Foundation and the Apache Server Project have released version 1.3.19 of the Apache web server. It is strongly recommended that all users of older versions upgrade to 1.3.19. No further releases are planned for the Apache 1.2.x series.
Alerts this week:
An attacker can use the globbing (wildcard) functionality available in some FTP daemons for a remote denial-of-service attack. This attack has been tested against ProFTPD and Pure-FTPd. It has also been reported that some shells have this bug and can be exploited by a local user.
It is recommended that users watch their vendors for updates.
Icecast is a streaming-audio broadcasting system that uses MPEG audio-compression technology. It has several remotely exploitable buffer overflows and format string vulnerabilities that can be used to execute arbitrary code on the server with the permissions of the user executing icecast.
Users of icecast should upgrade to version 1.3.10 or newer as soon as possible.
The mail client "mutt" has a format string vulnerability that can be used by a compromised or malicious IMAP server to execute arbitrary code with the permissions of the user running mutt. This vulnerability affects versions prior to 1.2.5.
Users of mutt should upgrade to version 1.2.5 or newer.
The dedicated server for the Half-Life multi-user game has a buffer overflow and a format string vulnerability that can be exploited to execute arbitrary commands with the permissions of the user executing the server. This problem affects both the Linux and the Windows versions of the server. The buffer overflow can only be exploited by users who have access levels that permit the use of the map commands. There is also a buffer overflow in the code that parses the configuration files during startup.
Users of the Half-Life Dedicated Server should only give trusted users access levels that permit executing the exec commands, and should watch the Sierra web site for updates. In addition, due to the buffer overflow in the configuration-file parsing code, they should only load modifications from trusted sources.
There is a buffer overflow in the version of the Solaris SNMP (Simple Network Management Protocol) agent installed on the System Server Processor of a Sun E10K as part of the SUNWsspop package. It is possible but unlikely that this buffer overflow can be exploited to gain root privileges.
Sun recommends that an E10K's SSPs be installed on a dedicated network and that only essential accounts are allowed on the SSP machines. The buffer overflow should be fixed in future releases of the SUNWsspop package.
SGML-Tools, a Standard Generalized Markup Language tools package included in many Linux distributions, does not securely create temporary files. This could allow other users of the system to read files being converted.
A version has been released that creates the temporary files securely.
vBulletin is a web-based forum system written in PHP. An attacker can use a carefully crafted URL to execute arbitrary PHP code as the user running the web server. This vulnerability affects versions prior to 1.1.5 and 2.0 beta 2.
It is recommended that users upgrade to version 1.1.6 or 2.0 beta 3.
The 3D graphics library Mesa creates temporary files insecurely. This can be used by an attacker in a symbolic-link attack to overwrite arbitrary files on the system. This problem only affects the Utah-glx component of the Mesa package.
Users of the Mesa package should upgrade to a patched version as soon as possible.
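The SGML-Tools and Mesa items are the same bug class: a temporary file created at a predictable name without O_EXCL, so a link that a local user plants at that name is followed (overwriting its target) or the file is left readable to others. The following is an added example, not code from the column or from either package, showing a check for a pre-planted symlink beside two hardened ways of creating the file; the directory and tag names are constructed for the demo.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkstemp, lstat on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Audit check: is a symlink already sitting at a predictable temp name?
 * lstat() examines the link itself, not whatever it points at. */
int path_is_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}

/* Create a file at a caller-chosen name without ever following a planted
 * link: O_EXCL makes open() fail with EEXIST if anything (including a
 * symlink, even a dangling one) exists at path, O_NOFOLLOW refuses a link
 * explicitly, and mode 0600 keeps the contents private to the owner.
 * Returns the fd, or -1 with errno set. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: let mkstemp() pick an unpredictable suffix and open the
 * result with O_EXCL atomically, so there is no fixed name to pre-plant.
 * The fstat() check confirms the fd is a regular file with a single link.
 * out_path receives the chosen name so the caller can unlink() it later. */
int safe_tmp_open(const char *dir, const char *tag, char *out_path, size_t n) {
    int len = snprintf(out_path, n, "%s/%s.XXXXXX", dir, tag);
    if (len < 0 || (size_t)len >= n) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(out_path);          /* glibc creates it mode 0600 */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(out_path);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```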
Caldera Systems has announced that there are buffer overflows in OpenLinux 2.3's imapd daemons. Due to a misconfiguration, these buffer overflows can allow a remote user to execute arbitrary commands as the user "nobody". This problem affects OpenLinux 2.3, OpenLinux eServer 2.3.1, and OpenLinux eDesktop 2.4.
Caldera Systems recommends that users upgrade to the latest packages for their system.
A system for configuring and maintaining large networks, cfengine, has several format string vulnerabilities that can be exploited to execute arbitrary commands on the server with the permissions of the user running cfengine (usually root).
Users of cfengine should upgrade to version 1.6.3 or newer. If this is not possible, users should set up access controls that restrict connections to the cfengine server, using the cfengine configuration file or packet filtering with
FTPFS is a Linux kernel module that allows the mounting of FTP file servers as read-only file systems. FTPFS does not properly check the bounds of parameters passed to it during the mounting of the FTP server. Under some circumstances this vulnerability could be used by a local user to crash the server.
Users should upgrade to the latest release of the FTPFS module.
Ikonboard is a web-based forum system written in Perl. A bug in the help.cgi program can be used to read files on the system that are readable by the user executing the web server (usually user "nobody").
The authors of Ikonboard recommend that users upgrade to version 2.1.8.