5034461 2000-04-24  22:52  /179 lines/ Postmaster
Recipient: Red Hat Announce (import) <1470>
Subject: SECURITY: [RHSA-2000:014-10] Updated piranha packages available
------------------------------------------------------------
MBOX-Line: From redhat-announce-list-request@redhat.com  Mon Apr 24 16:33:47 2000
Resent-Date: 24 Apr 2000 20:33:44 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com  Mon Apr 24 16:33:42 2000
Date: Mon, 24 Apr 2000 16:33:32 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
X-Sender: gafton@alien.devel.redhat.com
To: redhat-watch-list@redhat.com
cc: Linux Security <linux-security@redhat.com>, BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0004241630230.20124-100000@alien.devel.redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"IwQfv1.0.523.c-A1v"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/51
X-Loop: redhat-watch-list@redhat.com
X-URL: http://www.redhat.com
X-Loop: redhat-announce-list@redhat.com
Precedence: list
Resent-Sender: redhat-announce-list-request@redhat.com
X-URL: http://www.redhat.com

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Piranha web GUI exposure
Advisory ID:       RHSA-2000:014-10
Issue date:        2000-04-18
Updated on:        2000-04-24
Product:           Red Hat Linux
Keywords:          piranha remote CGI command
Cross references:  php
- ---------------------------------------------------------------------

1. Topic:

The GUI portion of Piranha may allow any remote attacker to execute
commands on the server. This may lead to remote compromise of the
server, as well as exposure or defacement of the website.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

When Piranha is installed it generates a 'secure' web interface ID
using the HTML .htaccess method. The information for the account is
placed in /home/httpd/html/piranha/secure/passwords, which was
supposed to be released with a blank password. In fact the password
that is actually on the CD is either 'q' or 'piranha'. It was
intended that when administrators loaded the piranha package onto
their box, it was their responsibility to change that password.
This is not a hidden account; it is merely used to protect the web
pages from unauthorized access.

The security problem arises from the
/home/httpd/html/piranha/secure/passwd.php3 file, through which it is
possible to execute commands by inserting them into the change
password option. For example, on entering 'blah;/bin/command to
execute' into the field, and again to verify, everything after the
semicolon is executed with the same privilege as the webserver. It is
possible at this point to compromise the webserver or do serious
damage to the site.
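
The injection described above is what happens when a form field is pasted into a shell command line. The following is an added example, not code from the advisory or from Piranha (the actual passwd.php3 source is not shown here), contrasting that pattern with an argument-vector call. It assumes a POSIX /bin/sh; the htpasswd stand-in, the function names and the sample input with its harmless `echo` marker are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for htpasswd (assumption: the real passwd.php3 is not shown in the
# advisory). It only prints the arguments it received, one per line.
STUB = [sys.executable, "-c", "import sys; print(*sys.argv[1:], sep=chr(10))"]
PASSWORDS = "/home/httpd/html/piranha/secure/passwords"  # path from the advisory
USER = "piranha"

# Constructed input in the shape the advisory describes: text, ';', a command.
SAMPLE = "blah;echo INJECTED"


def change_password_unsafe(new_pw):
    """Vulnerable pattern: the form value is pasted into a shell command line."""
    stub = " ".join(shlex.quote(part) for part in STUB)
    cmd = f"{stub} -b {PASSWORDS} {USER} {new_pw}"  # new_pw is not quoted
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def change_password_safe(new_pw):
    """Hardened pattern: validate, then pass an argument vector with no shell."""
    if not new_pw or "\0" in new_pw or "\n" in new_pw:
        raise ValueError("empty password or control character rejected")
    argv = STUB + ["-b", PASSWORDS, USER, new_pw]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # The shell splits at ';' and runs the marker command as a second command.
    print("unsafe:", change_password_unsafe(SAMPLE))
    # Without a shell, the whole string is a single password argument.
    print("safe:  ", change_password_safe(SAMPLE))
```

In the unsafe call the stub receives only 'blah' as the password and the marker runs as a separate command; in the safe call the entire string, semicolon included, arrives as one argument.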

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Temporarily, you should set a password on the web pages, as should be
done when you first install the package. For the sake of speed you
can issue the following command:

    htpasswd -c -b /home/httpd/html/piranha/secure/passwords piranha 'password of choice'

In theory, this means only you have access to that area and you are
hardly likely to try and exploit the problem yourself.

When you install the update for the piranha-gui, please take a moment
to log in to the GUI frontend and set a password on the account
(http://localhost/piranha).

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:


Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/piranha-0.4.13-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/piranha-0.4.13-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.13-1.src.rpm


9. Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
ece87b0ed6f01a87b954b980c115aec0  6.2/SRPMS/piranha-0.4.13-1.src.rpm
985ff7d09172f4bfcc17c8044bee7fe8  6.2/alpha/piranha-0.4.13-1.alpha.rpm
9804348b4dc73ab82a7624c404afb930  6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm
c1e536a9d14422115a89d2d56bf93926  6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm
f2db6f165f21f93e9b724a94cd3fc595  6.2/i386/piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00  6.2/i386/piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30  6.2/i386/piranha-gui-0.4.13-1.i386.rpm
b9cb5cddd6e0cd99fc47eb56a06319a0  6.2/sparc/piranha-0.4.13-1.sparc.rpm
98313aa873dffe9c0520e3ad4862f2f5  6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm
06cdba77a7f128e48a7c3d15c0cf9bcc  6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

10. References:

This vulnerability was discovered and researched by Allen Wilson and
Dan Ingevaldson of Internet Security Systems. Red Hat would like to
thank ISS for the assistance in getting this problem fixed quickly.

Cristian
- --
- ----------------------------------------------------------------------
Cristian Gafton     --     gafton@redhat.com      --     Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  "How could this be a problem in a country where we have Intel and 
   Microsoft?"  --Al Gore on Y2K

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOQSvofGvxKXU9NkBAQHwHQP/efMrg4JQGhU9iBMenU9ldu3bgX+uTNJN
phgVVZ11OsbTYw0OOLHT0uoWtxiTouaE9dYtAHsioOONro1guoSrDkL1aJYn8GdZ
Z4h8iSi+RlfgEFcfvkI5onllcwWkZeevv68qa4GwQBPPXEbNUGiR4KBTlEsuqUjA
2xhGtjqrKd4=
=EYh9
-----END PGP SIGNATURE-----


(5034461) ------------------------------------------(Rewrapped)