

Security Alerts: PHP Injection Attack

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at an injection attack against PHP; several problems in KDE and Konqueror; buffer overflows in gaim, kadmin, multiple applications in Tru64, and Ethereal; and problems in cacti, mhonarc, wordtrans, scrollkeeper, and the Cisco VPN Client.

PHP

The PHP scripting language has CR/LF (carriage return/line feed) injection vulnerabilities. Attacker-supplied data that PHP copies into an HTTP request without stripping line terminators lets the attacker terminate the current header line and append HTTP headers of their own choosing. Under some circumstances, these vulnerabilities can be used to open arbitrary Internet connections from the server.

Users should watch for an update to PHP that repairs this problem. One possible workaround is to set allow_url_fopen to off in php.ini; this disables PHP's handling of URLs (such as http:// and ftp://) in its file functions, so it reduces the functionality of PHP on the server.
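The mechanism described above, as an added example that is not part of the original column and not PHP's own code: a client that pastes an attacker-influenced URL path into an HTTP request without checking for CR/LF, a server-side parser showing the smuggled header landing as a genuine header, and the control-character check that blocks it. The host and path names are constructed for the illustration.

```python
# Added example (not PHP's code): CR/LF injection into an HTTP request built
# by string concatenation, beside the check that prevents it.
# Host and path values below are constructed.

CRLF = "\r\n"


class InjectionError(ValueError):
    """Raised when a request component carries a line terminator or other control byte."""


def build_request_unsafe(host: str, path: str) -> str:
    """Naive client: concatenates host and path straight into the request text,
    so a CR/LF inside either one starts a new header line."""
    return f"GET {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}"


def reject_control_chars(label: str, value: str) -> None:
    """Refuse any component containing CR, LF or another C0 control byte."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise InjectionError(f"control character in {label}: {value!r}")


def build_request_safe(host: str, path: str) -> str:
    """Same request, but only after both components pass the control-character check."""
    reject_control_chars("host", host)
    reject_control_chars("path", path)
    return build_request_unsafe(host, path)


def parse_request(raw: str):
    """Split a raw request the way a server would: request line first, then one
    header per CRLF-terminated line, stopping at the empty line."""
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last occurrence wins
    return lines[0], headers


def demo():
    """Drive both builders with a path that smuggles an extra header line.
    The trailing 'X-Pad: ' soaks up the ' HTTP/1.0' the client appends, so the
    resulting request is perfectly well-formed from the server's point of view."""
    tainted_path = "/index.html HTTP/1.0\r\nX-Injected: yes\r\nX-Pad: "
    raw = build_request_unsafe("www.example.com", tainted_path)
    request_line, headers = parse_request(raw)
    try:
        build_request_safe("www.example.com", tainted_path)
        blocked = False
    except InjectionError:
        blocked = True
    return {"request_line": request_line, "headers": headers, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The check rejects every C0 control byte rather than only CR and LF, because some HTTP parsers also treat a bare LF or a tab as a line or header separator; percent-encoding the component before concatenation is the other common fix.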

Problems in KDE and Konqueror

Several problems have been reported that affect either KDE or the Konqueror Web browser. These include:

Cross-Site Scripting Vulnerability in Konqueror

A cross-site scripting vulnerability in Konqueror can be exploited by an attacker to steal cookies and execute arbitrary JavaScript code.

A patch has been released for kdelibs for KDE 3.0.3 and 2.2.2 that repairs the cross-site scripting vulnerability in Konqueror. Users should upgrade to kdelibs-3.0.3a or apply the patches.

Insecure Cookies in Konqueror

Under some conditions, Konqueror will send a cookie in the clear that should only ever travel over an encrypted connection. A cookie set with the secure flag must be sent only over HTTPS; Konqueror does not properly recognize the flag and so can send the cookie over plain HTTP, where it is exposed to anyone watching the network. The affected versions are the Konqueror builds distributed with KDE 3.0, 3.0.1, and 3.0.2.

It is recommended that users upgrade to KDE version 3.0.3 or apply the patches available for KDE versions 3.0, 3.0.1, and 3.0.2.
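The correct handling of the secure flag, and the failure mode the advisory describes, as an added example that is not part of the original column and not KDE or Konqueror code: a minimal cookie jar that parses Set-Cookie attributes and decides per request whether a cookie may be sent, with a switch that models ignoring the flag. The host name and cookie values are constructed.

```python
# Added example (not Konqueror's code): a cookie jar that honours the Secure
# attribute, with honor_secure=False reproducing the "flag parsed but not
# consulted" bug class.  Host name and cookie values are constructed.

from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse 'name=value; attr; attr=value'. Attribute names are matched
    case-insensitively, so 'Secure' and 'secure' both set the flag."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), secure)


def cookies_for_request(jar: List[Cookie], url: str, honor_secure: bool = True) -> List[str]:
    """Return the items a client may put in the Cookie header for `url`.

    With honor_secure=True a Secure cookie is only released over https://.
    honor_secure=False models the advisory's bug: the flag is stored but never
    consulted, so the cookie leaks over plain http://.
    """
    scheme = urlsplit(url).scheme.lower()
    sent = []
    for c in jar:
        if c.secure and honor_secure and scheme != "https":
            continue  # never expose a Secure cookie on an unencrypted connection
        sent.append(f"{c.name}={c.value}")
    return sent


def demo():
    jar = [
        parse_set_cookie("session=abc123; Secure; Path=/"),
        parse_set_cookie("prefs=dark; Path=/"),
    ]
    return {
        "https_ok": cookies_for_request(jar, "https://www.example.com/"),
        "http_ok": cookies_for_request(jar, "http://www.example.com/"),
        "http_broken": cookies_for_request(jar, "http://www.example.com/", honor_secure=False),
    }


if __name__ == "__main__":
    for case, sent in demo().items():
        print(case, sent)
```

Note that the scheme check is the client's only protection here: a server cannot tell after the fact whether a Secure cookie was delivered over HTTP, so the secure flag is worthless against a browser that ignores it.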

KDE's SSL (kdelibs)

A problem in the implementation of SSL under KDE can result in an invalid certificate being accepted as proper, and lead to man-in-the-middle-style attacks on SSL-enabled KDE software.

Users should upgrade to KDE 3.0.3 or apply a patch to kdelibs available for KDE 2.2.2. After upgrading kdelibs, KDE must be restarted so that the change can take effect.


gaim

The instant messenger client gaim, used with AOL's AIM service among others, has a buffer overflow and a vulnerability in the code that handles URLs. Either could lead to execution of arbitrary code on the machine running gaim. Versions earlier than 0.58 are reported to be vulnerable.

Users should upgrade to version 0.58 or newer as soon as possible.

cacti

cacti, a Web-based front end for rrdtool written in PHP, is vulnerable to an attack that can be used to execute arbitrary code on the server with the permissions of the user the Web server runs as. It has been reported that this vulnerability can only be exploited by cacti users who already hold administrator privileges within cacti.

It is recommended that users upgrade to a repaired version as soon as possible.

Kerberos 5 kadmin

It has been reported that there is a buffer overflow in the Kerberos 5 administration service, kadmin, that may be exploitable by a remote attacker to execute arbitrary code on the server, in many cases with root permissions. It is thought that an attacker must be able to log in to kadmin before mounting the attack.

Affected users should upgrade to a repaired package as soon as possible. Mandrake has released an updated package that repairs this problem.

mhonarc

Cross-site-scripting-style attacks have been found against the mail-to-HTML converter mhonarc. An attacker who can get a message into an archived mailing list can use them to steal cookies and execute arbitrary script in the Web browser of anyone who views the archive.

Users should upgrade to mhonarc version 2.5.3.

wordtrans

wordtrans, a package used to search multi-lingual dictionaries from a Web browser, has problems that can be used to execute arbitrary code as the Web server user and to mount cross-site scripting attacks. These problems are reported to affect versions of wordtrans up to and including 1.1pre8.

It is recommended that users install a repaired version as soon as possible. Red Hat has released an updated package for Red Hat Linux 7.3.

Ethereal

The Ethereal network sniffer is vulnerable to a buffer overflow that a remote attacker can trigger by sending a specially crafted network packet.

This vulnerability is reported to result only in a denial of service against Ethereal. Network sniffers are normally run with root permissions, however, and many vulnerabilities first reported as denial-of-service problems later turn out to be much more serious. It is therefore recommended that this vulnerability, and others like it, be treated as a remote root hole.

Users should upgrade to a repaired version as soon as possible and should consider disabling Ethereal until it has been upgraded.

Cisco VPN Client

The Cisco VPN Client is used to set up a secure connection to a remote network. Multiple vulnerabilities have been found that can be exploited to deny service, to leak information about the client, to disclose the group password, and to mount a man-in-the-middle attack.

It is recommended that users contact Cisco for details on these vulnerabilities and for patches to repair them.

scrollkeeper

The scrollkeeper-get-cl utility is vulnerable to a symbolic-link race condition: a local attacker who plants a symbolic link at the predictable path the utility writes to can cause it to overwrite any file writable by the user running scrollkeeper-get-cl. Because scrollkeeper-get-cl is executed whenever a GNOME session is started, every user who logs in to GNOME is exposed.

Affected users should upgrade scrollkeeper as soon as possible.
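The race described above and the fix for it, as an added example that is not part of the original column and not scrollkeeper's code: a writer that opens a predictable path with a plain truncating open, a writer that uses O_EXCL and O_NOFOLLOW, and the usual remedy of letting mkstemp choose an unpredictable name. Everything runs inside a temporary directory; the file names and contents are constructed, and the symlink is planted in advance to stand in for an attacker who has already won the race.

```python
# Added example (not scrollkeeper's code): what a symlink race does to a
# program that writes to a predictable path, and the open() flags that stop it.
# Paths and contents are constructed; all files live in a TemporaryDirectory.

import os
import tempfile


def write_unsafe(path: str, data: bytes) -> None:
    """Opens with O_CREAT|O_TRUNC: if `path` is a symlink planted by another
    user, the kernel follows it and truncates the link's target instead."""
    with open(path, "wb") as f:
        f.write(data)


def write_safe(path: str, data: bytes) -> None:
    """O_EXCL makes open() fail if anything, even a dangling symlink, already
    sits at `path`; O_NOFOLLOW refuses symlinks outright as a second layer."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_private_tempfile(directory: str, data: bytes) -> str:
    """The usual fix: mkstemp picks an unpredictable name and opens it O_EXCL,
    so there is no known path for an attacker to pre-create."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Simulate the attacker having won the race: the symlink already exists
    when the victim process opens its predictable output path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for variant, writer in (("unsafe", write_unsafe), ("safe", write_safe)):
            victim = os.path.join(d, f"victim-{variant}")   # file the victim user can write
            with open(victim, "wb") as f:
                f.write(b"original")
            link = os.path.join(d, f"predictable-{variant}")  # stands in for a fixed /tmp name
            os.symlink(victim, link)                          # the attacker's move
            try:
                writer(link, b"clobbered")
                raised = False
            except OSError:
                raised = True
            with open(victim, "rb") as f:
                results[variant] = (f.read(), raised)
        tmp = write_private_tempfile(d, b"report")
        with open(tmp, "rb") as f:
            results["mkstemp"] = f.read()
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

The unsafe writer silently replaces the victim file's contents; the safe writer gets EEXIST from the kernel and leaves it untouched. O_EXCL alone is sufficient, but O_NOFOLLOW costs nothing and still protects if a later refactor drops O_EXCL.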

Buffer Overflows in Tru64

It has been reported that multiple buffer overflows are present in applications distributed with Tru64. The reported applications include: dtprintinfo, dtsession, dtaction, dtterm, dxsysinfo, dxconsole, dxpause, dxterm, dxchpwd, edauth, imapd, msgchk, deliver, rdist, uucp, uux, and su. Tru64 is shipped with a non-exec stack that is designed to protect against buffer overflow attacks, but it has been reported that this can be bypassed and that, under some conditions, the vulnerable applications can be exploited to gain additional privileges.

Users should contact Compaq for a resolution to these problems.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
