Buffer Overflows in PHP Forms and mod_ssl
03/04/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a remote exploit against PHP; buffer overflows in mod_ssl, Apache-SSL, Chinput, the Cryptographic File System daemon, and xtell; and problems in Oracle, netfilter's IRC DCC connection module, BRU, User Mode Linux, Xoops, KICQ, SphereServer, and Open UNIX's and UnixWare's
- PHP Problems
- mod_ssl and Apache-SSL
- Oracle Remote Compromise
- IRC DCC Connection Tracking Helper Kernel Module
- User Mode Linux
- Cryptographic File System
- Open UNIX and UnixWare webtop
The PHP functions that deal with multipart/form-data POST requests have buffer overflows that can be used by a remote attacker to execute arbitrary code with the permissions of the user executing PHP. Versions 3.x and 4.x of PHP are reported to be vulnerable. The 4.20-dev branch of the PHP code available by CVS is not vulnerable.
It is recommended that users upgrade to version 4.1.2 or newer of PHP as soon as possible. A possible workaround for this problem is to php.ini file and set
mod_ssl, a module that provides SSL (Secure Socket Layer) for the Apache Web server, has a buffer overflow, in the session-caching code dbm and shared memory, that may be exploitable using a large
Apache-SSL is also vulnerable to this buffer overflow. All versions of Apache-SSL prior to version 1.3.22+1.46 are reported to be vulnerable.
Users should upgrade mod_ssl to version 2.8.7-1.3.23 or newer and Apache-SSL to version 1.3.22+1.46 or newer as soon as possible.
Oracle 8 and 9 systems are vulnerable to a remote attack that can be used to execute any PL/SQL function in any library without a user ID or password.
If PL/SQL functionality is not needed, users should consider disabling it by removing the proper entries from
It is also recommended that the Oracle server be placed behind a firewall, configured to not allow unauthorized connections to the listener, and that users watch Oracle for an update for this problem.
The netfilter system in Linux kernels version 2.4.14 and later has an IRC DCC connection tracking helper module that helps with outgoing IRC DCC send requests. There is a problem in this module that can be exploited, under some circumstances, by a remote attacker to make a single connection from the outside network to the port specified in the IRC DCC request on any host inside the protected network.
It is recommended that all affected users upgrade their Linux kernel to version 2.4.18-pre9 or newer or apply the available patches.
BRU is a system backup and restoration application designed to work with any backup device or file system. Some of the shell scripts provided with BRU are vulnerable to temporary-file symbolic-link race condition attacks that can be used by a local attacker to overwrite arbitrary files on the file system with the permissions of the user executing BRU (in many cases, root).
Users should watch for an update to BRU.
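The temporary-file race the BRU item describes comes down to a predictable name under /tmp being opened with a shell redirect, which follows an existing symlink. The following added example (not code from BRU or its vendor) shows a safe replacement built on mktemp and a small audit function that counts lines in a script that reference /tmp paths without going through mktemp; the sample script it checks is constructed here, and the function names are assumptions.

```shell
#!/bin/sh
# Added example for this column, not code from BRU or its vendor.
# Two defender helpers for the temporary-file symlink race described above:
#   safe_tmpfile    - create a temp file safely (random name, O_EXCL via mktemp, mode 600)
#   audit_tmp_usage - count lines in a shell script that reference /tmp paths
#                     without creating them through mktemp
# The sample script below is constructed for the demo.

# The risky pattern looks like this (shown as a comment only, never run here):
#   LOG=/tmp/bru.$$; echo "started" > $LOG
# $$ is guessable and '>' follows an existing symlink, so a link planted at
# that name turns the write into a write to whatever the link points at.

safe_tmpfile() {
    # mktemp creates the file itself with O_CREAT|O_EXCL, so an existing
    # symlink at that name makes it fail instead of being followed.
    f=$(mktemp "${TMPDIR:-/tmp}/bru-demo.XXXXXX") || return 1
    chmod 600 "$f" || return 1
    printf '%s\n' "$f"
}

audit_tmp_usage() {
    # Print the number of lines that mention a /tmp path on a line that does
    # not call mktemp. 0 means nothing suspicious was found.
    grep '/tmp/' "$1" | grep -v 'mktemp' | grep -c . || true
}

make_sample_script() {
    # Constructed stand-in for a vendor script: two risky lines, one safe line.
    out=$(safe_tmpfile) || return 1
    cat > "$out" <<'EOF'
#!/bin/sh
LOCK=/tmp/backup.lock
LOG=/tmp/backup.log.$$
echo "backup started" > $LOG
SAFE=$(mktemp /tmp/backup.XXXXXX)
echo "backup started" > "$SAFE"
EOF
    printf '%s\n' "$out"
}

# Stand-alone demo: ./audit.sh demo
if [ "${1:-}" = "demo" ]; then
    s=$(make_sample_script)
    echo "suspicious temp-file lines in sample: $(audit_tmp_usage "$s")"
    rm -f "$s"
fi
```

The audit is deliberately coarse: it reports any /tmp reference that is not on a mktemp line, so the output is a list to review by hand rather than a verdict. The fixed-name lock file in the sample is flagged for the same reason as the $$-based log: both names can be predicted and pre-created by another local user.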
Users of Xoops should watch for an updated version.
Chinput is a Chinese input server that supports the XIM (X Input Method) protocol and a custom protocol. It has a buffer overflow that may be exploitable to gain root permissions.
Affected users should watch for an update to Chinput and should consider disabling it until it has been patched.
A bug in User Mode Linux can be used to break out of the "box" even if the jail option is activated.
It is recommended that User Mode Linux be executed with root permissions or other special permissions.
KICQ, an IRC client for the KDE desktop, is vulnerable to a denial-of-service attack.
Users should watch their vendor for an updated version.
Several buffer overflows in the Cryptographic File System daemon can be used to crash the daemon in a denial-of-service attack and may be exploitable to execute arbitrary code as root.
Debian has released fixed versions: 1.3.3-8.1 for Debian Stable and 1.4.1-5 for the testing and unstable versions of Debian. Users of other Linux distributions should watch their vendor for an update.
SphereServer is an Ultima Online role-playing server for Linux, FreeBSD, and Win32. A flaw in SphereServer can be exploited to hold all available connections and deny service to other users.
Users should watch MenaSoft for a fix for this problem.
xtell, a network-enabled tell client, is vulnerable to buffer overflows and other problems that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running xtell. A script has been released that automates a remote exploit against xtell. It has been reported that xtell is vulnerable through version 2.6.1.
It is recommended that users upgrade xtell to version 2.7 or disable it as soon as possible.
The webtop application distributed with Open Unix 8.0.0 and UnixWare 7 contains set user id root scripts that, according to Caldera, "may be used to gain root privileges."
Caldera recommends that users remove the set user id bits from the scripts if webtop is not needed. If webtop is needed, Caldera recommends that the binaries be replaced.
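For the webtop item, the first of Caldera's two options is to clear the set-user-id bit when the application is not needed. This added example (not Caldera's procedure; the function names and the sandbox directory are assumptions) lists set-user-id files under a directory tree, strips the bit, and re-checks, so the change can be verified before and after. A real run would point at the webtop install path named in the vendor advisory rather than the constructed sandbox.

```shell
#!/bin/sh
# Added example, not Caldera's own procedure. Helpers to find and clear
# set-user-id bits under a tree. The sample tree is constructed for the demo.

list_setuid() {
    # Regular files under $1 with the set-user-id bit set, one path per line.
    find "$1" -type f -perm -4000 -print
}

count_setuid() {
    # Number of set-user-id files under $1 (0 when none remain).
    list_setuid "$1" | grep -c . || true
}

strip_setuid() {
    # Remove the set-user-id bit from every file list_setuid reports.
    # chmod u-s leaves the other mode bits untouched.
    list_setuid "$1" | while IFS= read -r f; do
        chmod u-s "$f" || exit 1
    done
}

make_sample_tree() {
    # Constructed sandbox: two scripts, one with the bit set, one without.
    d=$(mktemp -d "${TMPDIR:-/tmp}/webtop-demo.XXXXXX") || return 1
    printf '#!/bin/sh\necho hello\n' > "$d/helper.sh"
    printf '#!/bin/sh\necho hello\n' > "$d/plain.sh"
    chmod 4755 "$d/helper.sh"
    chmod 0755 "$d/plain.sh"
    printf '%s\n' "$d"
}

# Stand-alone demo: ./setuid-audit.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_tree)
    echo "before: $(count_setuid "$d") set-user-id file(s)"
    list_setuid "$d"
    strip_setuid "$d"
    echo "after:  $(count_setuid "$d") set-user-id file(s)"
    rm -rf "$d"
fi
```

Run list_setuid on its own first and keep the output; it is the record of what was changed, and it is what you re-run after any vendor update to confirm the bits were not restored by the upgrade.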