Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.010                                          18-Feb-2003
________________________________________________________________________
Package: php, apache
Vulnerability: arbitrary file access and code execution
OpenPKG Specific: no
Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      == php-4.3.0-20030115       >= php-4.3.1-20030218
                     <= apache-1.3.27-20030212   >= apache-1.3.27-20030218
                     >= apache-1.3.27-20021228   >= apache-1.3.27-20030218
OpenPKG 1.2          == php-4.3.0-1.2.0          >= php-4.3.0-1.2.1
                     == apache-1.3.27-1.2.0      >= apache-1.3.27-1.2.1
OpenPKG 1.1          none                        N.A.
Dependent Packages: none
Description:
Kosmas Skiadopoulos discovered a serious security vulnerability [0]
in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for
preventing direct access to the CGI binary, controlled by the configure
option "--enable-force-cgi-redirect" and the php.ini option
"cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these
options useless. Please note that this bug does NOT affect any of the
other SAPI modules such as the Apache or ISAPI modules.

Anyone with access to websites hosted on a web server which employs
the CGI module may exploit this vulnerability to gain access to any
file readable by the user under which the web server runs. A remote
attacker could also trick PHP into executing arbitrary PHP code if
the attacker is able to inject the code into files accessible by the
CGI. This could be, for example, the web server access logs.

Please check whether you are affected by running "<prefix>/bin/rpm -q
php apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_php".
If you have either the "php" package or the "apache" package with
option "with_mod_php" installed and its version is affected (see
above), we recommend that you immediately upgrade (see Solution) [2][3].
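
The affected/corrected table above, applied to package strings as printed by "rpm -q", as an added example that is not part of the original advisory. The function names, the result labels and the sample input are assumptions of this example; the second argument stands for the with_mod_php build option reported by "rpm -qi apache".

```shell
#!/bin/sh
# Added example: classify NAME-VERSION-RELEASE against the table of
# OpenPKG-SA-2003.010. Result labels (affected, corrected, not-affected,
# not-listed) are this example's own, not OpenPKG output.
classify_pkg() {
    nvr=$1; modphp=${2:-no}          # modphp only matters for apache
    rel=${nvr##*-}; rest=${nvr%-*}   # release: 1.2.0 or a CURRENT date stamp
    ver=${rest##*-}; name=${rest%-*} # version and package name
    case $name in
        php)    want=4.3.0;  lo=20030115; hi=20030115 ;;
        apache) want=1.3.27; lo=20021228; hi=20030212
                # apache is only listed when built with mod_php
                if [ "$modphp" != yes ]; then echo not-affected; return 0; fi ;;
        *)      echo not-listed; return 0 ;;
    esac
    case $rel in
        1.2.0)      # OpenPKG 1.2, original release
            if [ "$ver" = "$want" ]; then echo affected
            else echo not-listed; fi ;;
        1.2.[1-9]*) # OpenPKG 1.2 update packages
            echo corrected ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])   # OpenPKG CURRENT
            if [ "$rel" -ge 20030218 ]; then echo corrected
            elif [ "$ver" = "$want" ] && [ "$rel" -ge "$lo" ] \
                 && [ "$rel" -le "$hi" ]; then echo affected
            else echo not-listed; fi ;;
        *)  echo not-listed ;;
    esac
}

# Read "rpm -q" style lines on stdin; $1 is yes/no for with_mod_php.
check_host() {
    while read -r pkg; do
        printf '%s: %s\n' "$pkg" "$(classify_pkg "$pkg" "$1")"
    done
}

# Constructed sample input, not taken from a real host.
printf '%s\n' php-4.3.0-1.2.0 apache-1.3.27-1.2.1 | check_host yes
```
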
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4][5], fetch it from the OpenPKG FTP service [6] or a mirror location,
verify its integrity [7], build a corresponding binary RPM from it [2]
and update your OpenPKG installation by applying the binary RPM [3].
For the release OpenPKG 1.2, perform the following operations to
permanently fix the security problem for apache with mod_php. For
other releases adjust this recipe accordingly.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get apache-1.3.27-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.27-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild --define 'with_mod_php yes' apache-1.3.27-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.27-1.2.1.*.rpm
________________________________________________________________________
References:
[0] http://www.php.net/release_4_3_1.php
[1] http://www.php.net/
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] http://www.openpkg.org/tutorial.html#regular-binary
[4] ftp://ftp.openpkg.org/release/1.2/UPD/php-4.3.0-1.2.1.src.rpm
[5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/
[7] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iD8DBQE+Ul0CgHWT4GPEy58RAiylAJ0UMcYLUNYbOOl1oFIuqfAxWALcagCgxUsx
I0CUzWnNLnX57B9wHXCwWWQ=
=dpIT
-----END PGP SIGNATURE-----