Debian: PHP multipule vulnerabilities

    Date19 Sep 2002
    CategoryDebian
    2837
    Posted ByLinuxSecurity Advisories
    It is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode.
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 168-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                             Martin Schulze
    September 18th, 2002                     http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : PHP3, PHP4
    Vulnerability  : bypassing safe_mode, CRLF injection
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CAN-2002-0985 CAN-2002-0986
    BugTraq ID     : 5681
    
    Wojciech Purczynski found out that it is possible for scripts to pass
    arbitrary text to sendmail as commandline extension when sending a
    mail through PHP even when safe_mode is turned on.  Passing 5th
    argument should be disabled if PHP is configured in safe_mode, which
    is the case for newer PHP versions and for the versions below.  This
    does not affect PHP3, though.
    
    Wojciech Purczynski also found out that arbitrary ASCII control
    characters may be injected into string arguments of mail() function.
    If mail() arguments are taken from user's input it may give the user
    ability to alter message content including mail headers.
    
    Ulf Harnhammar discovered that file() and fopen() are vulnerable to
    CRLF injection.  An attacker could use it to escape certain
    restrictions and add arbitrary text to alleged HTTP requests that are
    passed through.
    
    However this only happens if something is passed to these functions
    which is neither a valid file name nor a valid url.  Any string that
    contains control chars cannot be a valid url.  Before you pass a
    string that should be an url to any function you must use urlencode()
    to encode it.
    
    Three problems have been identified in PHP:
    
    1. The mail() function can allow arbitrary email headers to be
       specified if a recipient address or subject contains CR/LF
       characters.
    
    2. The mail() function does not properly disable the passing of
       arbitrary command-line options to sendmail when running in Safe
       Mode.
    
    3. The fopen() function, when retrieving a URL, can allow manipulation
       of the request for the resource through a URL containing CR/LF
       characters.  For example, headers could be added to an HTTP
       request.
    
    These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
    and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
    version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
    the old stable distribution (potato) and in version 3.0.18-23.2 for
    PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).
    
    We recommend that you upgrade your PHP packages.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 2.2 alias potato
    - ---------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.dsc
          Size/MD5 checksum:     1079 82d2b9adff31130eafe78fe9c647d098
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.diff.gz
          Size/MD5 checksum:    39264 e44f4917ce887f53ac7019ab4e3692ba
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18.orig.tar.gz
          Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.dsc
          Size/MD5 checksum:     1125 e9b5dbf3554c63dd654e69c83da63a97
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.diff.gz
          Size/MD5 checksum:   134587 9a862082a0b60f6e2f0fa9c993d3ff19
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1.orig.tar.gz
          Size/MD5 checksum:  2214630 e65b706a7fc4469d1ccd564ef8a2c534
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_alpha.deb
          Size/MD5 checksum:   438822 748bb657dff328c22920c186e2ab83a1
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_alpha.deb
          Size/MD5 checksum:   619332 e9dca7c64949f2d635ff5ed7da682c5d
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_alpha.deb
          Size/MD5 checksum:   520090 76a0ac1f943c108f28a4238723415367
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_alpha.deb
          Size/MD5 checksum:   868874 b8041d6976c11fbb63d0481869351658
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_arm.deb
          Size/MD5 checksum:   379276 3900254a218ea8b08f12adcee5826978
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_arm.deb
          Size/MD5 checksum:   490638 de60ee781cd3e2dc820fef82a1fe08a8
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_i386.deb
          Size/MD5 checksum:   359858 6ee0615cac086a0da432ed40e0edab68
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_i386.deb
          Size/MD5 checksum:   458174 be4d1d9c54ba0207f39dedfaaaa7d748
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_i386.deb
          Size/MD5 checksum:   412254 37751e39ac9688d17965cf947ed7f6fc
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_i386.deb
          Size/MD5 checksum:   635076 b1dfc5587ea2719ff5a789fc02bc27ec
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_m68k.deb
          Size/MD5 checksum:   355170 9b7fef1df1cc28988eb3f7fdde94dd61
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_m68k.deb
          Size/MD5 checksum:   429244 1aec470dce3cc9babe341661c7023281
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_m68k.deb
          Size/MD5 checksum:   408462 29b1bc7739a65d4ebd95d848bccbaf5c
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_m68k.deb
          Size/MD5 checksum:   592990 2d3fbdc339ba1692d1c7e98fc50b9920
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_powerpc.deb
          Size/MD5 checksum:   380012 c2990c5ec38b1fc4d218a51c750f9963
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_powerpc.deb
          Size/MD5 checksum:   492568 eebeab3f920fad4812f418045750a489
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_powerpc.deb
          Size/MD5 checksum:   451892 54e8183df00abee5c8498b4caed0a679
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_powerpc.deb
          Size/MD5 checksum:   689728 bd2aeebd0605f35395106a4ce0c76cef
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_sparc.deb
          Size/MD5 checksum:   371252 f3a0fb13377a8b5b67a851d2c204b87d
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_sparc.deb
          Size/MD5 checksum:   483476 e749a895f8e9d429d7e3d6eb0f35a945
         http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_sparc.deb
          Size/MD5 checksum:   435060 be65d0d8c66e0bdcf5aa3a337a019ea6
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_sparc.deb
          Size/MD5 checksum:   665368 2670abfe8104e7b93ce3eb82f82783ef
    
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1.dsc
          Size/MD5 checksum:     1113 defbd05ac28342105ddf3c40287c5d83
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1.diff.gz
          Size/MD5 checksum:    56097 8b4c799d1802043c427c4072a8426370
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18.orig.tar.gz
          Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5.dsc
          Size/MD5 checksum:     1555 d499095a9ce5eaaa742c5e255935b162
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5.diff.gz
          Size/MD5 checksum:    87169 28eefab5c9a744844c99c5634512d21d
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2.orig.tar.gz
          Size/MD5 checksum:  3346579 37e67552bec20e6f02d52e14a11aa269
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_alpha.deb
          Size/MD5 checksum:   401238 8586e692ca92764162cf70df945be846
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_alpha.deb
          Size/MD5 checksum:   617530 cbf6b0a9ef2f301dc59a0769e801be13
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_alpha.deb
          Size/MD5 checksum:   712770 91e0fce43423f80bd88e6578e161ea6a
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_alpha.deb
          Size/MD5 checksum:   694394 97ae10670e4f0fe04ccfb61effaadba1
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_alpha.deb
          Size/MD5 checksum:  1292980 3ab48b33724395b5dc647928e1cbe307
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_arm.deb
          Size/MD5 checksum:   371882 057479ece77bd2fa7852397d0a6e9747
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_arm.deb
          Size/MD5 checksum:   494742 93b09582be5f56755c0e214e0a68d534
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_arm.deb
          Size/MD5 checksum:   652346 fc06fdf3679e7282fb0f0a9319589604
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_arm.deb
          Size/MD5 checksum:   625852 7171107322617498e3e153aae73ba21f
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_arm.deb
          Size/MD5 checksum:  1076126 96ce32ae8083cce65c508f320a238c29
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_i386.deb
          Size/MD5 checksum:   361032 ac76b9d6c6fd1077a3a45f948f099e96
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_i386.deb
          Size/MD5 checksum:   461052 cb86db223af4f7a46801b44fd83a1a3d
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_i386.deb
          Size/MD5 checksum:   597540 eacc0fd36d2d564cdb086542e05edb25
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_i386.deb
          Size/MD5 checksum:   582018 b012d4f2cf0778f5156e27062cc01436
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_i386.deb
          Size/MD5 checksum:   990122 89904ac6614f385d319cecc599501e3e
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_ia64.deb
          Size/MD5 checksum:   484866 ebc82ed226f7529b076224645af18485
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_ia64.deb
          Size/MD5 checksum:   753408 53354e05af67a4297c056545855e20fc
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_ia64.deb
          Size/MD5 checksum:   919602 f3c837dc49eaf6c2e39dd2292d851142
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_ia64.deb
          Size/MD5 checksum:   888678 1a01c7e9bbb8341e7c3b3741bd86d3aa
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_ia64.deb
          Size/MD5 checksum:  1600476 8f19c0af9708e53c6532645e4c886ef1
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_hppa.deb
          Size/MD5 checksum:   404392 9835e7434e1948ef9c2250f079993715
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_hppa.deb
          Size/MD5 checksum:   567200 5db5b1b5b3f7aa14f4a8d12863c156f1
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_hppa.deb
          Size/MD5 checksum:   756828 2f6dad96f5f72a162552fbbc910f0a9b
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_hppa.deb
          Size/MD5 checksum:   733924 e1b0b805d489f0315aeda262bcff2e9e
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_hppa.deb
          Size/MD5 checksum:  1211938 cc1f5afd4421b45f89fe9e845645ad69
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_m68k.deb
          Size/MD5 checksum:   357180 d7907f7aa2b5004e99b30ad8f61d304a
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_m68k.deb
          Size/MD5 checksum:   432586 e97d5d0aaa7add1be1131db274e80520
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_m68k.deb
          Size/MD5 checksum:   580528 f285c81661ec9c306f28cec5a2018f22
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_m68k.deb
          Size/MD5 checksum:   572374 0bed8e2be0fabc5d25c3868c9b374a2f
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_m68k.deb
          Size/MD5 checksum:   932280 2b2edee95d27b9e72f6c4087b0e92b9f
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_mips.deb
          Size/MD5 checksum:   363314 db293eaf7b775ed38ebf3642a1fad145
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_mips.deb
          Size/MD5 checksum:   509394 13cb1c6fb08b570eeb2ca9fb5b81c20e
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_mips.deb
          Size/MD5 checksum:   614724 432bfb1730842f7a858e9336af0436b6
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_mips.deb
          Size/MD5 checksum:   606654 b19a832117357ca211e9cfbeabc8153c
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_mips.deb
          Size/MD5 checksum:  1095146 c28c09e8f6f7c06d456071d055430eac
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_mipsel.deb
          Size/MD5 checksum:   362218 dc30c2f819623b5340a00e920f10f790
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_mipsel.deb
          Size/MD5 checksum:   507712 a5f46c32f5da4bd0d6578cb387948094
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_mipsel.deb
          Size/MD5 checksum:   609260 5eec777e950f7dc7bfe0042367e4109f
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_mipsel.deb
          Size/MD5 checksum:   602190 be8c7a63af072069984092434778b63a
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_mipsel.deb
          Size/MD5 checksum:  1089242 7b160f6ea1df6567c66914e466c0c3a2
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_powerpc.deb
          Size/MD5 checksum:   376530 6192fa01d1af74c451b9aaf3470ff857
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_powerpc.deb
          Size/MD5 checksum:   496076 1391775799a9cc8f09ea255f75310d0e
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_powerpc.deb
          Size/MD5 checksum:   652486 6e5dc8f02eee61bee99427a4f1bd014e
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_powerpc.deb
          Size/MD5 checksum:   637170 47de6b9690e3f19736e61643b32d1208
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_powerpc.deb
          Size/MD5 checksum:  1070680 7621d9244328daad7bd9f7d6a9060076
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_s390.deb
          Size/MD5 checksum:   371208 a86144204858b5af173a234428e28b44
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_s390.deb
          Size/MD5 checksum:   466596 1754b68279b062b4672c1f1ea967dec9
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_s390.deb
          Size/MD5 checksum:   630600 3314fd48a26554070d683531509fa805
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_s390.deb
          Size/MD5 checksum:   622616 763bdd50ed1f48194fca4e40d69c0cb9
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_s390.deb
          Size/MD5 checksum:  1000670 ae235537507a7cae42055c66e0dbab72
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody1_sparc.deb
          Size/MD5 checksum:   374664 30080342e0bac88b49f08d41a4454d29
         http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody1_sparc.deb
          Size/MD5 checksum:   489124 f50f94c018b0f3b59684edf7fdb1becc
         http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-5_sparc.deb
          Size/MD5 checksum:   629056 1504b0dfe0bbfe5d2da939d4c7cdcd18
         http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-5_sparc.deb
          Size/MD5 checksum:   614222 0c5cc999484624f6be5caadfee833490
         http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-5_sparc.deb
          Size/MD5 checksum:  1032494 b7fae376a617c97dc95724f16ce4b82c
    
      Please note that the source packages mentioned above produce more
      binary packages than the ones listed above.  They are not relevant
      for the fixed problems, though.
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"40","type":"x","order":"1","pct":48.78,"resources":[]},{"id":"88","title":"Should be more technical","votes":"13","type":"x","order":"2","pct":15.85,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"29","type":"x","order":"3","pct":35.37,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.