Linux Security
    Linux Security
    Linux Security

    Debian: PHP multipule vulnerabilities

    Date 19 Sep 2002
    Posted By LinuxSecurity Advisories
    It is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 168-1                     This email address is being protected from spambots. You need JavaScript enabled to view it.                             Martin Schulze
    September 18th, 2002           
    - --------------------------------------------------------------------------
    Package        : PHP3, PHP4
    Vulnerability  : bypassing safe_mode, CRLF injection
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CAN-2002-0985 CAN-2002-0986
    BugTraq ID     : 5681
    Wojciech Purczynski found out that it is possible for scripts to pass
    arbitrary text to sendmail as commandline extension when sending a
    mail through PHP even when safe_mode is turned on.  Passing 5th
    argument should be disabled if PHP is configured in safe_mode, which
    is the case for newer PHP versions and for the versions below.  This
    does not affect PHP3, though.
    Wojciech Purczynski also found out that arbitrary ASCII control
    characters may be injected into string arguments of mail() function.
    If mail() arguments are taken from user's input it may give the user
    ability to alter message content including mail headers.
    Ulf Harnhammar discovered that file() and fopen() are vulnerable to
    CRLF injection.  An attacker could use it to escape certain
    restrictions and add arbitrary text to alleged HTTP requests that are
    passed through.
    However this only happens if something is passed to these functions
    which is neither a valid file name nor a valid url.  Any string that
    contains control chars cannot be a valid url.  Before you pass a
    string that should be an url to any function you must use urlencode()
    to encode it.
    Three problems have been identified in PHP:
    1. The mail() function can allow arbitrary email headers to be
       specified if a recipient address or subject contains CR/LF
    2. The mail() function does not properly disable the passing of
       arbitrary command-line options to sendmail when running in Safe
    3. The fopen() function, when retrieving a URL, can allow manipulation
       of the request for the resource through a URL containing CR/LF
       characters.  For example, headers could be added to an HTTP
    These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
    and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
    version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
    the old stable distribution (potato) and in version 3.0.18-23.2 for
    PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).
    We recommend that you upgrade your PHP packages.
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    Debian GNU/Linux 2.2 alias potato
    - ---------------------------------
      Source archives:
          Size/MD5 checksum:     1079 82d2b9adff31130eafe78fe9c647d098
          Size/MD5 checksum:    39264 e44f4917ce887f53ac7019ab4e3692ba
          Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
          Size/MD5 checksum:     1125 e9b5dbf3554c63dd654e69c83da63a97
          Size/MD5 checksum:   134587 9a862082a0b60f6e2f0fa9c993d3ff19
          Size/MD5 checksum:  2214630 e65b706a7fc4469d1ccd564ef8a2c534
      Alpha architecture:
          Size/MD5 checksum:   438822 748bb657dff328c22920c186e2ab83a1
          Size/MD5 checksum:   619332 e9dca7c64949f2d635ff5ed7da682c5d
          Size/MD5 checksum:   520090 76a0ac1f943c108f28a4238723415367
          Size/MD5 checksum:   868874 b8041d6976c11fbb63d0481869351658
      ARM architecture:
          Size/MD5 checksum:   379276 3900254a218ea8b08f12adcee5826978
          Size/MD5 checksum:   490638 de60ee781cd3e2dc820fef82a1fe08a8
      Intel IA-32 architecture:
          Size/MD5 checksum:   359858 6ee0615cac086a0da432ed40e0edab68
          Size/MD5 checksum:   458174 be4d1d9c54ba0207f39dedfaaaa7d748
          Size/MD5 checksum:   412254 37751e39ac9688d17965cf947ed7f6fc
          Size/MD5 checksum:   635076 b1dfc5587ea2719ff5a789fc02bc27ec
      Motorola 680x0 architecture:
          Size/MD5 checksum:   355170 9b7fef1df1cc28988eb3f7fdde94dd61
          Size/MD5 checksum:   429244 1aec470dce3cc9babe341661c7023281
          Size/MD5 checksum:   408462 29b1bc7739a65d4ebd95d848bccbaf5c
          Size/MD5 checksum:   592990 2d3fbdc339ba1692d1c7e98fc50b9920
      PowerPC architecture:
          Size/MD5 checksum:   380012 c2990c5ec38b1fc4d218a51c750f9963
          Size/MD5 checksum:   492568 eebeab3f920fad4812f418045750a489
          Size/MD5 checksum:   451892 54e8183df00abee5c8498b4caed0a679
          Size/MD5 checksum:   689728 bd2aeebd0605f35395106a4ce0c76cef
      Sun Sparc architecture:
          Size/MD5 checksum:   371252 f3a0fb13377a8b5b67a851d2c204b87d
          Size/MD5 checksum:   483476 e749a895f8e9d429d7e3d6eb0f35a945
          Size/MD5 checksum:   435060 be65d0d8c66e0bdcf5aa3a337a019ea6
          Size/MD5 checksum:   665368 2670abfe8104e7b93ce3eb82f82783ef
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
      Source archives:
          Size/MD5 checksum:     1113 defbd05ac28342105ddf3c40287c5d83
          Size/MD5 checksum:    56097 8b4c799d1802043c427c4072a8426370
          Size/MD5 checksum:  2203818 da541ac71d951c47a011ceb26664ba2d
          Size/MD5 checksum:     1555 d499095a9ce5eaaa742c5e255935b162
          Size/MD5 checksum:    87169 28eefab5c9a744844c99c5634512d21d
          Size/MD5 checksum:  3346579 37e67552bec20e6f02d52e14a11aa269
      Alpha architecture:
          Size/MD5 checksum:   401238 8586e692ca92764162cf70df945be846
          Size/MD5 checksum:   617530 cbf6b0a9ef2f301dc59a0769e801be13
          Size/MD5 checksum:   712770 91e0fce43423f80bd88e6578e161ea6a
          Size/MD5 checksum:   694394 97ae10670e4f0fe04ccfb61effaadba1
          Size/MD5 checksum:  1292980 3ab48b33724395b5dc647928e1cbe307
      ARM architecture:
          Size/MD5 checksum:   371882 057479ece77bd2fa7852397d0a6e9747
          Size/MD5 checksum:   494742 93b09582be5f56755c0e214e0a68d534
          Size/MD5 checksum:   652346 fc06fdf3679e7282fb0f0a9319589604
          Size/MD5 checksum:   625852 7171107322617498e3e153aae73ba21f
          Size/MD5 checksum:  1076126 96ce32ae8083cce65c508f320a238c29
      Intel IA-32 architecture:
          Size/MD5 checksum:   361032 ac76b9d6c6fd1077a3a45f948f099e96
          Size/MD5 checksum:   461052 cb86db223af4f7a46801b44fd83a1a3d
          Size/MD5 checksum:   597540 eacc0fd36d2d564cdb086542e05edb25
          Size/MD5 checksum:   582018 b012d4f2cf0778f5156e27062cc01436
          Size/MD5 checksum:   990122 89904ac6614f385d319cecc599501e3e
      Intel IA-64 architecture:
          Size/MD5 checksum:   484866 ebc82ed226f7529b076224645af18485
          Size/MD5 checksum:   753408 53354e05af67a4297c056545855e20fc
          Size/MD5 checksum:   919602 f3c837dc49eaf6c2e39dd2292d851142
          Size/MD5 checksum:   888678 1a01c7e9bbb8341e7c3b3741bd86d3aa
          Size/MD5 checksum:  1600476 8f19c0af9708e53c6532645e4c886ef1
      HP Precision architecture:
          Size/MD5 checksum:   404392 9835e7434e1948ef9c2250f079993715
          Size/MD5 checksum:   567200 5db5b1b5b3f7aa14f4a8d12863c156f1
          Size/MD5 checksum:   756828 2f6dad96f5f72a162552fbbc910f0a9b
          Size/MD5 checksum:   733924 e1b0b805d489f0315aeda262bcff2e9e
          Size/MD5 checksum:  1211938 cc1f5afd4421b45f89fe9e845645ad69
      Motorola 680x0 architecture:
          Size/MD5 checksum:   357180 d7907f7aa2b5004e99b30ad8f61d304a
          Size/MD5 checksum:   432586 e97d5d0aaa7add1be1131db274e80520
          Size/MD5 checksum:   580528 f285c81661ec9c306f28cec5a2018f22
          Size/MD5 checksum:   572374 0bed8e2be0fabc5d25c3868c9b374a2f
          Size/MD5 checksum:   932280 2b2edee95d27b9e72f6c4087b0e92b9f
      Big endian MIPS architecture:
          Size/MD5 checksum:   363314 db293eaf7b775ed38ebf3642a1fad145
          Size/MD5 checksum:   509394 13cb1c6fb08b570eeb2ca9fb5b81c20e
          Size/MD5 checksum:   614724 432bfb1730842f7a858e9336af0436b6
          Size/MD5 checksum:   606654 b19a832117357ca211e9cfbeabc8153c
          Size/MD5 checksum:  1095146 c28c09e8f6f7c06d456071d055430eac
      Little endian MIPS architecture:
          Size/MD5 checksum:   362218 dc30c2f819623b5340a00e920f10f790
          Size/MD5 checksum:   507712 a5f46c32f5da4bd0d6578cb387948094
          Size/MD5 checksum:   609260 5eec777e950f7dc7bfe0042367e4109f
          Size/MD5 checksum:   602190 be8c7a63af072069984092434778b63a
          Size/MD5 checksum:  1089242 7b160f6ea1df6567c66914e466c0c3a2
      PowerPC architecture:
          Size/MD5 checksum:   376530 6192fa01d1af74c451b9aaf3470ff857
          Size/MD5 checksum:   496076 1391775799a9cc8f09ea255f75310d0e
          Size/MD5 checksum:   652486 6e5dc8f02eee61bee99427a4f1bd014e
          Size/MD5 checksum:   637170 47de6b9690e3f19736e61643b32d1208
          Size/MD5 checksum:  1070680 7621d9244328daad7bd9f7d6a9060076
      IBM S/390 architecture:
          Size/MD5 checksum:   371208 a86144204858b5af173a234428e28b44
          Size/MD5 checksum:   466596 1754b68279b062b4672c1f1ea967dec9
          Size/MD5 checksum:   630600 3314fd48a26554070d683531509fa805
          Size/MD5 checksum:   622616 763bdd50ed1f48194fca4e40d69c0cb9
          Size/MD5 checksum:  1000670 ae235537507a7cae42055c66e0dbab72
      Sun Sparc architecture:
          Size/MD5 checksum:   374664 30080342e0bac88b49f08d41a4454d29
          Size/MD5 checksum:   489124 f50f94c018b0f3b59684edf7fdb1becc
          Size/MD5 checksum:   629056 1504b0dfe0bbfe5d2da939d4c7cdcd18
          Size/MD5 checksum:   614222 0c5cc999484624f6be5caadfee833490
          Size/MD5 checksum:  1032494 b7fae376a617c97dc95724f16ce4b82c
      Please note that the source packages mentioned above produce more
      binary packages than the ones listed above.  They are not relevant
      for the fixed problems, though.
      These files will probably be moved into the stable distribution on
      its next revision.
    - ---------------------------------------------------------------------------------
    For apt-get: deb stable/updates main
    For dpkg-ftp: dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and


    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"11","type":"x","order":"1","pct":34.38,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":18.75,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":46.88,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.