RedHat releases updated piranha packages
--------------------------------------------------------------------------------
SUMMARY
The GUI portion of Piranha may allow any remote attacker to execute
commands on the server. This may lead to remote compromise of the server,
as well as exposure or defacement of the website.
DETAILS
Relevant releases/architectures:
Red Hat Linux 6.2 - i386 alpha sparc
When Piranha is installed, it generates a 'secure' web interface ID protected
with the .htaccess method. The account information is placed in
/home/httpd/html/piranha/secure/passwords, which was supposed to be released
with a blank password. In fact, the password actually shipped on the CD is
either 'q' or 'piranha'. The intention was that an administrator loading the
piranha package onto their box would be responsible for changing that
password. This is not a hidden account; it is merely used to protect the web
pages from unauthorized access.
The security problem arises from the
/home/httpd/html/piranha/secure/passwd.php3 file, through which it is possible
to execute commands by inserting them into the change password option, e.g.
entering 'blah;/bin/command to execute' into the field (and again in the
verify field). Everything after the semicolon is executed with the same
privilege as the web server. At this point it is possible to compromise the
web server or do serious damage to the site.
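The defect described above is shell command injection: a user-supplied password is interpolated into a command string that a shell interprets, so a ';' ends the intended command. The following Python is an added example, not code from Red Hat or the Piranha project, showing the shape of that pattern next to a hardened change-password handler that validates the value and invokes htpasswd with an argv list (no shell). The htpasswd path, the account name handling and the password policy are assumptions for the illustration; the passwords file path is the one named in the advisory.

```python
"""Added example (not Red Hat's or Piranha's code): the command-injection
pattern described in the advisory beside a hardened replacement for a
change-password handler. HTPASSWD and SAFE_PASSWORD are assumptions."""
import re
import subprocess

HTPASSWD = "/usr/sbin/htpasswd"  # assumed location; not taken from the advisory
PASSWORDS_FILE = "/home/httpd/html/piranha/secure/passwords"  # from the advisory

# Printable ASCII, no whitespace, no shell metacharacters, bounded length.
SAFE_PASSWORD = re.compile(r"^[A-Za-z0-9!@#%^&*_+=.,:~-]{8,64}$")


def vulnerable_command(new_password: str) -> str:
    """The shape of the defect: the user value is interpolated into a single
    string handed to a shell, so a ';' in it ends the htpasswd command and
    whatever follows runs as the web server user. Returned, never executed,
    so the pattern can be inspected in a test."""
    return f"{HTPASSWD} -b {PASSWORDS_FILE} piranha {new_password}"


def validate_password(new_password: str, verify: str) -> str:
    """Reject anything that is not a plain password before it reaches a
    process; both fields must agree, as the GUI's verify step intends."""
    if new_password != verify:
        raise ValueError("password and verification do not match")
    if not SAFE_PASSWORD.fullmatch(new_password):
        raise ValueError("password has disallowed characters or bad length")
    return new_password


def hardened_argv(new_password: str, verify: str) -> list[str]:
    """Build an argv list. With a list there is no shell to interpret ';',
    '|' or '`': the value can only ever be the password argument."""
    pw = validate_password(new_password, verify)
    return [HTPASSWD, "-b", PASSWORDS_FILE, "piranha", pw]


def change_password(new_password: str, verify: str) -> int:
    """Run htpasswd without a shell (a list argument means shell=False)."""
    return subprocess.run(hardened_argv(new_password, verify), check=False).returncode


def injection_attempted(value: str) -> bool:
    """Detection hook: a legitimate password under this policy never carries
    shell metacharacters, so their presence in a request is worth logging."""
    return any(c in value for c in ";|&`$<>\n")


if __name__ == "__main__":
    hostile = "blah;/bin/command"
    print("vulnerable string:", vulnerable_command(hostile))
    print("flagged          :", injection_attempted(hostile))
    print("hardened argv    :", hardened_argv("Tr0ub4dor!", "Tr0ub4dor!"))
```

The two defences are independent: the allowlist stops the hostile value at the boundary, and the argv form means that even a value which slipped past validation would reach htpasswd as a single argument rather than a shell. `change_password` is only called when htpasswd is actually present on the host.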
Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
As a temporary measure, set a password on the web pages, as should be done
when you first install the package. For the sake of speed you can issue the
following command:
htpasswd -c -b /home/httpd/html/piranha/secure/passwords piranha 'password of choice'
In theory, this means only you have access to that area, and you are hardly
likely to try to exploit the problem yourself.
When you install the update for piranha-gui, please take a moment to log in
to the GUI frontend and set a password on the account
(http://localhost/piranha).
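The temporary measure only helps if the account no longer carries the blank or shipped password. The following Python is an added example, not code from Red Hat or Piranha, that audits an htpasswd-format passwords file for exactly those two conditions: an empty password field, or a stored value that verifies against 'q' or 'piranha' (the values the advisory says shipped on the CD). It handles Apache plaintext and '{SHA}' entries with the standard library and traditional 13-character crypt(3) entries only where the interpreter still provides the crypt module; the sample file contents are constructed for the example.

```python
"""Added example (not Red Hat's or Piranha's code): flag Piranha web-interface
accounts whose password is blank or one of the defaults the advisory names."""
import base64
import hashlib
import os

PASSWORDS_FILE = "/home/httpd/html/piranha/secure/passwords"  # from the advisory
SHIPPED_DEFAULTS = ("q", "piranha")                           # from the advisory

try:
    import crypt  # optional: deprecated in 3.11 and absent from 3.13+
except ImportError:
    crypt = None


def sha_entry(user: str, password: str) -> str:
    """Build an Apache '{SHA}' htpasswd line (the 'htpasswd -s' format)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def matches(stored: str, candidate: str) -> bool:
    """True if the stored password field verifies against `candidate`."""
    if stored.startswith("{SHA}"):
        return stored == sha_entry("", candidate).split(":", 1)[1]
    if len(stored) == 13 and crypt is not None:
        # Traditional DES crypt(3): the first two characters are the salt.
        return crypt.crypt(candidate, stored[:2]) == stored
    return stored == candidate  # 'htpasswd -p' plaintext entries


def audit_entries(lines: list[str]) -> dict[str, str]:
    """Map each account to 'blank', 'default' or 'ok'. 'ok' only means none of
    the known-bad values matched, not that the password is strong."""
    verdicts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if stored == "":
            verdicts[user] = "blank"
        elif any(matches(stored, d) for d in SHIPPED_DEFAULTS):
            verdicts[user] = "default"
        else:
            verdicts[user] = "ok"
    return verdicts


def audit_file(path: str = PASSWORDS_FILE) -> dict[str, str]:
    """Audit a passwords file on disk; an absent file yields no verdicts."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_entries(fh.readlines())


# Constructed sample: one of each condition the advisory describes.
SAMPLE_FILE = "\n".join([
    "piranha:",                       # blank, as was intended for the release
    sha_entry("admin", "piranha"),    # shipped default, hashed
    "ops:q",                          # shipped default, plaintext entry
    sha_entry("secure", "Tr0ub4dor!"),
])

if __name__ == "__main__":
    for user, verdict in audit_entries(SAMPLE_FILE.splitlines()).items():
        print(f"{user:10} {verdict}")
    print("live file:", audit_file())
```

Run it after applying the update and before trusting the .htaccess protection; any 'blank' or 'default' verdict means the `htpasswd -c -b` step above has not yet taken effect for that account.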
Patch:
Red Hat Linux 6.2:
intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/piranha-0.4.13-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/piranha-0.4.13-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.13-1.src.rpm
ADDITIONAL INFORMATION
The information was provided by: Cristian Gafton <mailto:[EMAIL PROTECTED]>.
--------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]