-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
[EMAIL PROTECTED]                         [EMAIL PROTECTED]
OpenPKG-SA-2003.010                                          18-Feb-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       arbitrary file access and code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      == php-4.3.0-20030115       >= php-4.3.1-20030218
                     <= apache-1.3.27-20030212   >= apache-1.3.27-20030218
                     >= apache-1.3.27-20021228   >= apache-1.3.27-20030218
OpenPKG 1.2          == php-4.3.0-1.2.0          >= php-4.3.0-1.2.1
                     == apache-1.3.27-1.2.0      >= apache-1.3.27-1.2.1
OpenPKG 1.1          none                        N.A.

Dependent Packages:  none

Description:
  Kosmas Skiadopoulos discovered a serious security vulnerability [0]
  in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for
  preventing direct access to the CGI binary with configure option
  "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect".
  In PHP 4.3.0 there is a bug which renders these options useless.
  Please note that this bug does NOT affect any of the other SAPI
  modules such as the Apache or ISAPI modules.

  Anyone with access to websites hosted on a web server which employs
  the CGI module may exploit this vulnerability to gain access to any
  file readable by the user under which the webserver runs. A remote
  attacker could also trick PHP into executing arbitrary PHP code if
  the attacker is able to inject the code into files accessible by the
  CGI, for example the web server access logs.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  php apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_php".
  If you have the "php" package, or the "apache" package built with the
  "with_mod_php" option, installed and its version is affected (see
  above), we recommend that you immediately upgrade (see Solution)
  [2][3].
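  The following POSIX shell script automates the check above against the
  affected/corrected table of this advisory. It is an added example, not
  part of the original advisory or of the OpenPKG tooling. It assumes the
  "rpm -q" output has the usual NAME-VERSION-RELEASE form, and that the
  "rpm -qi apache | grep with_mod_php" line contains the words
  "with_mod_php" and "yes" when the PHP module was built in (an assumption
  about the OpenPKG package info format). The sample outputs are
  constructed, so the script runs without an OpenPKG host.

```shell
#!/bin/sh
# Added example: decide from "rpm -q php apache" output whether an OpenPKG
# host carries a package version listed as affected by OpenPKG-SA-2003.010.

# Constructed sample output of "<prefix>/bin/rpm -q php apache" on an
# OpenPKG 1.2 host (not captured from a real system).
SAMPLE_RPM_Q='php-4.3.0-1.2.0
apache-1.3.27-1.2.0'

# Constructed sample of "<prefix>/bin/rpm -qi apache | grep with_mod_php".
# Assumption: the line contains "with_mod_php" and "yes" when mod_php is built in.
SAMPLE_RPM_QI='with_mod_php yes'

# has_mod_php GREP_OUTPUT -> prints "yes" when apache was built with mod_php
has_mod_php() {
  case "$1" in
    *with_mod_php*yes*) echo yes ;;
    *) echo no ;;
  esac
}

# is_affected NAME VERSION RELEASE -> exit 0 if the advisory lists it as affected
is_affected() {
  name=$1 ver=$2 rel=$3
  case "$name/$ver/$rel" in
    # OpenPKG 1.2 and the CURRENT php snapshot named in the advisory
    php/4.3.0/1.2.0|php/4.3.0/20030115) return 0 ;;
    apache/1.3.27/1.2.0) return 0 ;;
    # OpenPKG CURRENT apache snapshots: affected from 20021228 up to 20030212
    apache/1.3.27/2002????|apache/1.3.27/2003????)
      [ "$rel" -ge 20021228 ] && [ "$rel" -le 20030212 ] && return 0 ;;
  esac
  return 1
}

# check_host RPM_Q_OUTPUT MOD_PHP(yes|no)
#   prints the affected package NEVRs separated by spaces;
#   exit status 0 when at least one affected package was found.
check_host() {
  rpm_q=$1
  mod_php=$2
  found=""
  for pkg in $rpm_q; do
    # split NAME-VERSION-RELEASE on the last two hyphens
    rel=${pkg##*-}; rest=${pkg%-*}; ver=${rest##*-}; name=${rest%-*}
    # apache is only exposed through the CGI SAPI when built with mod_php
    if [ "$name" = apache ] && [ "$mod_php" != yes ]; then continue; fi
    if is_affected "$name" "$ver" "$rel"; then found="$found $pkg"; fi
  done
  echo "${found# }"
  [ -n "$found" ]
}

# Stand-alone run over the constructed samples. On a real host replace the
# samples with: "$(<prefix>/bin/rpm -q php apache)" and
# "$(<prefix>/bin/rpm -qi apache | grep with_mod_php)".
if affected=$(check_host "$SAMPLE_RPM_Q" "$(has_mod_php "$SAMPLE_RPM_QI")"); then
  echo "AFFECTED: $affected -- upgrade (see Solution)"
else
  echo "not affected by OpenPKG-SA-2003.010"
fi
```

  The release comparison is deliberately a lookup against the versions
  the advisory names rather than a general RPM version compare, so the
  script reports "not affected" for anything outside that table; treat an
  unexpected package string as "check by hand".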

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [2]
  and update your OpenPKG installation by applying the binary RPM [3].
  For the release OpenPKG 1.2, perform the following operations to
  permanently fix the security problem for apache with mod_php. For
  other releases adjust this recipe accordingly.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get apache-1.3.27-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.27-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild --define 'with_mod_php yes' \
        apache-1.3.27-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.27-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.php.net/release_4_3_1.php
  [1] http://www.php.net/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.2/UPD/php-4.3.0-1.2.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQE+Ul0CgHWT4GPEy58RAiylAJ0UMcYLUNYbOOl1oFIuqfAxWALcagCgxUsx
I0CUzWnNLnX57B9wHXCwWWQ=
=dpIT
-----END PGP SIGNATURE-----