__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                       INFORMATION BULLETIN

              Red Hat Updated PHP Packages Fix Bugs
           [Red Hat Security Advisory RHSA-2003:204-11]

July 2, 2003 20:00 GMT                                          Number N-112
______________________________________________________________________________
PROBLEM:       There are a number of bugs in PHP shipped with versions of
               Red Hat, and a minor security problem in the transparent
               session ID functionality.

PLATFORM:      Red Hat 8.0 and 9

DAMAGE:        In PHP version 4.3.1 and earlier, when transparent session ID
               support is enabled using the "session.use_trans_sid" option,
               the session ID is not escaped before use. This allows a
               Cross Site Scripting attack.

SOLUTION:      Apply updated packages as stated in Red Hat's advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. PHP is an HTML-embedded scripting language
ASSESSMENT:    commonly used with the Apache HTTP server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-112.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-204.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2003:204-11 *****]

Updated PHP packages are now available

Advisory:             RHSA-2003:204-11
Last updated on:      2003-07-02
Affected Products:    Red Hat Linux 8.0
                      Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0442

Security Advisory Details:

Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a
number of bugs, as well as a minor security problem in the transparent
session ID functionality.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP server.
This update contains fixes for a number of bugs discovered in the version of
PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of a PHP
script as an ErrorDocument and possible POST body corruption in some
configurations.

Also included is a fix for a minor security problem. In PHP version 4.3.1 and
earlier, when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use.
This allows a Cross Site Scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to
this issue.

All users of PHP are advised to upgrade to these erratum packages, which
contain back-ported patches to correct these issues.

Updated packages:

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
php-4.2.2-8.0.8.src.rpm

i386:
php-4.2.2-8.0.8.i386.rpm
php-devel-4.2.2-8.0.8.i386.rpm
php-imap-4.2.2-8.0.8.i386.rpm
php-ldap-4.2.2-8.0.8.i386.rpm
php-manual-4.2.2-8.0.8.i386.rpm
php-mysql-4.2.2-8.0.8.i386.rpm
php-odbc-4.2.2-8.0.8.i386.rpm
php-pgsql-4.2.2-8.0.8.i386.rpm
php-snmp-4.2.2-8.0.8.i386.rpm

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
php-4.2.2-17.2.src.rpm

i386:
php-4.2.2-17.2.i386.rpm
php-devel-4.2.2-17.2.i386.rpm
php-imap-4.2.2-17.2.i386.rpm
php-ldap-4.2.2-17.2.i386.rpm
php-manual-4.2.2-17.2.i386.rpm
php-mysql-4.2.2-17.2.i386.rpm
php-odbc-4.2.2-17.2.i386.rpm
php-pgsql-4.2.2-17.2.i386.rpm
php-snmp-4.2.2-17.2.i386.rpm

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
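The defect behind CAN-2003-0442, modelled as an added example that is not code from the advisory or from PHP's own session extension: a rewriter in the shape of transparent session-ID propagation, first emitting the request-supplied ID unescaped as PHP 4.3.1 and earlier did, then validating its format and escaping it on output. The function names, the sample page and the hostile ID are constructed for this illustration.

```php
<?php
// Added example (not from the advisory or from PHP): a minimal model of
// session.use_trans_sid rewriting, the unescaped-SID defect, and a hardened
// variant. Names and sample data below are constructed for illustration.

const SID_NAME = 'PHPSESSID';

// PHP 4 generated session IDs as 32 lowercase hex characters; anything else
// arriving in the request never came from this server and must be rejected.
function valid_sid(string $sid): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $sid) === 1;
}

// Splices the SID into relative links and forms. Shared by both variants;
// the only difference is the value they hand it. A callback is used so that
// '$' or '\' inside the SID can never be read as a backreference.
function splice_sid(string $html, string $sid): string
{
    $html = preg_replace_callback('/href="([^"?]*)"/',
        fn($m) => 'href="' . $m[1] . '?' . SID_NAME . '=' . $sid . '"', $html);
    return preg_replace_callback('/<form\b[^>]*>/i',
        fn($m) => $m[0] . '<input type="hidden" name="' . SID_NAME . '" value="' . $sid . '" />',
        $html);
}

// Vulnerable shape (PHP <= 4.3.1): whatever the client supplied as the SID is
// written into the page unescaped, so a crafted value closes the attribute
// and the rest of it is parsed as markup.
function rewrite_unsafe(string $html, string $request_sid): string
{
    return splice_sid($html, $request_sid);
}

// Hardened shape: reject IDs that do not match the server's own format and
// fall back to a freshly generated one, then HTML-escape the value on output
// regardless (defence in depth).
function rewrite_safe(string $html, string $request_sid, string $fresh_sid): string
{
    $sid = valid_sid($request_sid) ? $request_sid : $fresh_sid;
    return splice_sid($html, htmlspecialchars($sid, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample page, a constructed hostile "session ID", and a
// placeholder standing in for an ID the server just generated.
$page    = '<a href="/cart.php">Cart</a><form action="/buy.php" method="post"></form>';
$hostile = 'abc"><b>injected</b>';
$fresh   = str_repeat('0', 32);

echo rewrite_unsafe($page, $hostile), "\n";      // raw <b> markup lands in the page
echo rewrite_safe($page, $hostile, $fresh), "\n"; // only the regenerated ID appears
```

With the erratum applied, or with session.use_trans_sid set to 0 and session.use_only_cookies set to 1 in php.ini, the ID travels only in the cookie and is never written into page markup at all.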
Bugs fixed: (see bugzilla for more information)

74761 - snmp module relocation error
82967 - POST body corruption in some configurations
84460 - pear/DB/pgsql.php incompatible with postgresql 7.3
84828 - exit() does not report correct exit code
85820 - ext/sockets.c has a bug in socket_write
91019 - ErrorDocument 401 /some_file.php does not work with apache2
91279 - Segfault using PHP with mod_negotiation

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
http://shh.thathost.com/secadv/2003-05-11-php.txt

Keywords: Cross-Site-Scripting, PHP, session, use_trans_sid
--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at: http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End Red Hat Security Advisory RHSA-2003:204-11 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-102: Hewlett-Packard Potential Security Vulnerabilities in CDE
N-103: Sun ONE Application Server May Disclose JavaServer Pages (JSP) Source
N-104: Red Hat Updated KDE packages
N-105: Sun "/usr/lib/utmp_update" Command Buffer Overflow Vulnerability
N-106: SGI Websetup/Webmin Security Vulnerability
N-107: PDF readers/viewers Malicious Hyperlinks Vulnerability
N-108: Sun's XSun Program Buffer Overflow Vulnerability
N-109: Microsoft Flaw in ISAPI Extension for Windows Media Services Could
       Cause Code Execution
N-110: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
N-111: Red Hat Updated unzip Packages Fix Trojan Vulnerability