Red Hat Security Advisory: Piranha web GUI exposure
   Apr 24, 2000, 21:11 UTC

   Date: Mon, 24 Apr 2000 16:33:32 -0400 (EDT) 
   From: Cristian Gafton [EMAIL PROTECTED] 
   To: [EMAIL PROTECTED] 
   Subject: SECURITY: [RHSA-2000:014-10] Updated piranha packages available

   Red Hat, Inc. Security Advisory 

   Synopsis: Piranha web GUI exposure 
   Advisory ID: RHSA-2000:014-10 
   Issue date: 2000-04-18 
   Updated on: 2000-04-24 
   Product: Red Hat Linux 
   Keywords: piranha remote CGI command 
   Cross references: php 

   1. Topic: 

   The GUI portion of Piranha may allow any remote attacker to execute
   commands on the server. This may lead to remote compromise of the
   server, as well as exposure or defacement of the website.

   2. Relevant releases/architectures: 

   Red Hat Linux 6.2 - i386 alpha sparc 

   3. Problem description: 

   When Piranha is installed, it generates a 'secure' web interface ID
   using the HTML .htaccess method. The information for the account is
   placed in /home/httpd/html/piranha/secure/passwords, which was supposed
   to be released with a blank password. In fact, the password that is
   actually on the CD is either 'q' or 'piranha'. It was intended that
   when administrators loaded the piranha package onto their box, it was
   their responsibility to change that password. This is not a hidden
   account. It is merely used to protect the web pages from unauthorized
   access.

   The security problem arises from the
   /home/httpd/html/piranha/secure/passwd.php3 file, from which it is
   possible to execute commands by inserting them into the change password
   option, e.g. by entering 'blah;/bin/command to execute' into the field
   and again to verify. Everything after the semicolon is executed with
   the same privilege as the webserver. It is possible at this point to
   compromise the webserver or do serious damage to the site.
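
   The injection described above, as an added example (not code from the
   advisory or from Piranha): a shell command line built from the password
   field splits at the semicolon into two commands, while a quoted value or
   an argument vector keeps the whole field as one argument. The htpasswd
   invocation is an assumption modelled on the command in section 4, since
   the passwd.php3 source is not shown here; nothing is executed.

```python
import shlex

# Assumed invocation, modelled on the htpasswd command quoted in this
# advisory; the actual passwd.php3 source is not shown on the page.
PASSWD_FILE = "/home/httpd/html/piranha/secure/passwords"
USER = "piranha"

def shell_string(password):
    """Flawed pattern: the form value is pasted into a shell command line."""
    return f"htpasswd -b {PASSWD_FILE} {USER} {password}"

def quoted_shell_string(password):
    """If a shell cannot be avoided, quote the value so it stays one word."""
    return f"htpasswd -b {PASSWD_FILE} {USER} {shlex.quote(password)}"

def argv_list(password):
    """Preferred: an argument vector for exec-style calls, with no shell."""
    return ["htpasswd", "-b", PASSWD_FILE, USER, password]

def shell_commands(command_line):
    """Split a command line into the commands a POSIX shell would see.
    shlex only tokenises here; nothing is run. Limitation: a quoted word
    made up solely of ';', '&' or '|' is indistinguishable from an operator."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):   # control operator ends a command
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

if __name__ == "__main__":
    field = "blah;/bin/command to execute"       # the input quoted in the advisory
    for label, line in (("unquoted", shell_string(field)),
                        ("quoted", quoted_shell_string(field))):
        print(label, shell_commands(line))
    print("argv", argv_list(field))
```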

   4. Solution: 

   For each RPM for your particular architecture, run: 
   rpm -Fvh [filename] 
   where filename is the name of the RPM. 

   Temporarily, you should set a password on the web pages, as should be
   done when you first install the package. For the sake of speed, you can
   issue the following command:
   htpasswd -c -b /home/httpd/html/piranha/secure/passwords piranha 'password of choice'
   In theory, this means only you have access to that area, and you are
   hardly likely to try and exploit the problem yourself.

   When you install the update for the piranha-gui, please take a moment
   to log in to the GUI frontend and set a password on the account
   (http://localhost/piranha).

   5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 

   N/A 

   6. Obsoleted by: 

   N/A 

   7. Conflicts with: 

   N/A 

   8. RPMs required: 

   Red Hat Linux 6.2: 

   intel: 
   ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm 
   ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm 
   ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm 

   alpha: 
   ftp://updates.redhat.com/6.2/alpha/piranha-0.4.13-1.alpha.rpm 
   ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm 
   ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm 

   sparc: 
   ftp://updates.redhat.com/6.2/sparc/piranha-0.4.13-1.sparc.rpm 
   ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm 
   ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm 

   sources: 
   ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.13-1.src.rpm 

   9. Verification: 

   These packages are GPG signed by Red Hat, Inc. for security. Our key is
   available at:
   http://www.redhat.com/corp/contact.html

   You can verify each package with the following command: 
   rpm --checksig 

   If you only wish to verify that each package has not been corrupted or
   tampered with, examine only the md5sum with the following command:
   rpm --checksig --nogpg

   10. References: 

   This vulnerability was discovered and researched by Allen Wilson and
   Dan Ingevaldson of Internet Security Systems. Red Hat would like to
   thank ISS for the assistance in getting this problem fixed quickly.

   Cristian 

