On Wednesday 01 December 2004 at 10:42, Evelio Martínez wrote:
>
> Hello!
>
> We have a server with Debian Woody
> I have passed the Retina vulnerability scanner in our LAN and it has
> detected several ones.
> The php version we have is 4.1.2-7.0.1
>
> I know this question has 2 facets. One for people in Retina software and the
> other to people that use Debian.
>
> 1) I would like to know if the scanner gives positive when it sees the
> version or
> the program makes a real test to see if the vulnerability exists??
>
> Do I have to upgrade PHP from sources?
>
> Has anyone had a similar doubt?
>
> Vulnerability explanation:
> Among them The PHP Group has released a new PHP version, 4.2.2
>
> PHP contains code for intelligently parsing the headers of HTTP POST
> requests.
> The code is used to differentiate between variables and files sent
> by the user agent in a "multipart/form-data" request.
> This parser has insufficient input checking, leading to the
> vulnerability.
>
> The vulnerability is exploitable by anyone who can send HTTP POST
> requests to an affected web server. Both local and remote users, even
> from behind firewalls, may be able to gain privileged access.
>
> 2) Another vulnerability has to do with Apache (1.3.26-0woo)
>
> Apache httpd scoreboard modification vulnerability
>
> Versions of Apache 1.3.x prior to 1.3.27 allow a user running as the Apache
> UID (for instance, through web server exploitation, or the invocation or
> exploitation of a PHP or Perl script) to modify the httpd daemon's
> scoreboard in shared memory. An attacker can exploit this vulnerability to
> cause SIGUSR1 signals to be sent to arbitrary processes as root, possibly
> leading to a denial of service condition or other improper behavior.

Hi,

The Debian policy of using upstream patches to fix the current version of the
packages means that php, for example, has the banner 4.1.2-7.0.1.

The scanner sees that version and deduces that you are vulnerable to a
security flaw, since this flaw is supposed to be present in all versions lower
than 4.2.2.

This is a common source of false positives.

Same for the Apache vulnerability.

Regards,
Xavier.

--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email: [EMAIL PROTECTED]
GPG key: http://xavier.sudre.fr/gpg/xavier.asc
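The false positive described in the reply above, as an added example that is not part of the original thread: a banner-only check compares just the upstream number, while a backport-aware check compares the full package version against the version the distribution's advisory names as fixed. The function names are hypothetical and the distro-fixed version "4.1.2-4" is a constructed placeholder, not a value from any advisory.

```python
import re

def upstream_tuple(version):
    """Numeric upstream part of a version: '4.1.2-7.0.1' -> (4, 1, 2)."""
    upstream = version.split(":", 1)[-1].rsplit("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream))

def _weight(ch):
    # dpkg character order: '~' first, end of string (0), letters, then the rest.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string using dpkg's ordering rules."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        wa = [_weight(c) for c in na] + [0] * len(nb)
        wb = [_weight(c) for c in nb] + [0] * len(na)
        if wa != wb:
            return -1 if wa < wb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_compare(v1, v2):
    """Return -1, 0 or 1 for versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def assess(installed, upstream_fixed, distro_fixed):
    """Contrast the banner-only verdict with the package-version verdict."""
    return {
        "banner_flags": upstream_tuple(installed) < upstream_tuple(upstream_fixed),
        "package_vulnerable": deb_compare(installed, distro_fixed) < 0,
    }

if __name__ == "__main__":
    # Versions from the thread; "4.1.2-4" is a constructed placeholder fix version.
    print(assess("4.1.2-7.0.1", "4.2.2", "4.1.2-4"))
```

A finding where `banner_flags` is true and `package_vulnerable` is false is the case to close as a false positive, once the placeholder has been replaced with the fixed version from the distribution's own advisory.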

