The developers of PHP have released details regarding a vulnerability in
all versions of PHP prior to their current development stream 4.2.0-dev.

Details of this vulnerability may be seen at
http://security.e-matters.de/advisories/012002.html
or
http://lwn.net/daily/php-upload.php3

The version of PHP shipped with Mitel's SME Server product is subject
to this vulnerability. Both the ServiceLink enabled and free download
versions of Mitel's SME Server product are vulnerable.

There are currently no vendor patches that fix the vulnerability. The
original patch supplied by the PHP developers still contains significant
flaws.

As a workaround, Mitel is advising its customers to disable PHP uploads
by performing the following actions:

Mitel SME Server 5.x, e-smith Server & Gateway 4.1.2

(1) log in to the SME Server as the root user
    Please see our "Frequently asked questions" item for details
    on how to log in to the SME Server console
    http://www.e-smith.org/faq.php3#8q3
    If you don't have local access to your SME Server, please
    see our "Frequently asked questions" item for details on
    how to remotely log in to your SME Server
    http://www.e-smith.org/faq.php3#8q2
(2) make a copy of the PHP initialisation file /etc/php.ini
(3) edit the /etc/php.ini file to disable file uploads
    /etc/php.ini contains a line of the form
        file_uploads = On ; Whether to allow HTTP file uploads
    This line should be changed to read
        file_uploads = Off
(4) restart the Apache web server

Some sample code to perform steps (2), (3) and (4) is included
at the end of this advisory.

e-smith Server & Gateway prior to 4.1.2

  - these versions are no longer supported. Mitel recommends that you
    upgrade to SME Server 5.1.2 and then apply the workaround
    discussed above.

Applying this workaround will disable the listed vulnerabilities;
however, it may have some impact on the operability of your SME Server:

  - webmail users will no longer be able to add attachments to
    messages they send via the IMP web based mail interface
  - any other PHP programs you are currently running that require file
    uploads will not accept the file uploads. Note that Mitel does
    not ship any such programs with the products listed above.

Mitel will be reviewing the situation and will be providing more details
as they come to hand.

Regards
The Mitel SME Server Security Team
---------------------------------------------------------------------------
Sample code you may use to apply the workaround
/usr/bin/perl -i.old -pe 's/(file_uploads\s*=\s*)On/$1Off/' /etc/php.ini
/etc/e-smith/events/actions/restart-httpd-full
---------------------------------------------------------------------------
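
A check for the result of step (3), added here as an example and not part of the Mitel advisory: the substitution in the sample code above only matches the literal value On, so a php.ini that spells the setting differently (for example 1 or on) is left unchanged. The function names php_uploads_state and check_sample are made up for this example, and every sample line other than the two quoted in the advisory is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: report the effective file_uploads
# setting of a php.ini-style file so the workaround can be verified.

# php_uploads_state FILE
#   prints "off", "on" or "unset"; returns 0 only when uploads are disabled.
php_uploads_state() {
    ini=$1
    [ -r "$ini" ] || { echo "unreadable"; return 2; }

    # Commented-out lines (leading ';') never match; the last assignment wins.
    line=$(grep '^[[:space:]]*file_uploads[[:space:]]*=' "$ini" | tail -n 1)

    # No directive at all: PHP falls back to its built-in default, which is On.
    [ -n "$line" ] || { echo "unset"; return 1; }

    # Keep the value only: drop "name =", trailing ';' comment, quotes, spaces.
    val=$(printf '%s\n' "$line" |
          sed -e 's/^[^=]*=//' -e 's/;.*$//' -e "s/[\"']//g" |
          tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')

    case $val in
        off|no|false|none|0) echo "off"; return 0 ;;
        *)                   echo "on";  return 1 ;;  # anything else: treat as enabled
    esac
}

# check_sample TEXT: run the check on constructed php.ini content.
check_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    php_uploads_state "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed samples; the first two are the lines quoted in the advisory.
check_sample 'file_uploads = On ; Whether to allow HTTP file uploads' || true  # on
check_sample 'file_uploads = Off' || true                                      # off
check_sample ';file_uploads = Off' || true                                     # unset
check_sample 'file_uploads = 1' || true                                        # on
```

Calling php_uploads_state /etc/php.ini after step (3) should print off; the web server still has to be restarted as in step (4).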