On the Desktop
Linux in the news
All in one big page
See also: last week's Security page.
News and EditorialsTrouble with Apache SQL authentication modules. The Apache web server supports several modules which can perform user authentication from a relational database. They are certainly widely used; a site does not have to grow very large before the classic htpasswd mechanism becomes unusable. So this advisory pointing out "SQL insertion" vulnerabilities in several of these modules is worthy of some concern.
SQL insertion happens when a hostile user, through a clever request to the web server, is able to pass arbitrary SQL code through to the underlying database. This code can disclose or modify data, or corrupt the integrity of the database in a number of ways; it can also, usually, be used to allow unauthorized access to the web site.
This type of vulnerability comes about as a result of the combination of inadequate checking of user-supplied data and the passing of that data across module boundaries. It is an easy sort of mistake to make, and it is certain that numerous other, database-driven web applications have similar vulnerabilities.
Fixing this sort of problem is relatively easy, once the programmer thinks of it. A "white list" of allowed characters filters out most such attacks without trouble. But, when passing user strings between modules, filtering in one module can require a knowledge of what strings can cause problems in the other. This kind of knowledge goes against the information hiding techniques that are usually seen as good, modular programming. As a result, programmers can be surprised, even if they are thinking about properly sanitizing user-supplied data.
As applications become more component driven, the chances are that this sort of cross-module interaction will be seen more often. Security is hard, and it's not getting any easier.
The X.C worm is apparently loose. This work takes advantage of the buffer overrun vulnerability in telnetd (see updates, below) to infect new systems. So far, this worm does not appear to have caused a lot of problems; many systems are no longer running telnet services, and, hopefully, most of those that still do have applied the updates. Nonetheless, for those who are concerned, a X.C discovery and removal tool has been made available by William Stearns.
A security audit of xinetd. Solar Designer has performed an extensive audit of xinetd looking for certain types of security vulnerabilities. So many problems were found in the code that the resulting patch weighed in at over 100KB. This patch was only fully merged as of xinetd 2.3.3.
The patched xinetd will certainly be safer, but Solar Designer's disclaimer is worth noting:
To summarize the results, xinetd may be reasonably safe to use with these patches, but the code remains far from clean and certain bugs are there by design.
Distributor updates seen so far include:
Fun with Bugzilla Users of the Bugzilla bug tracking system should upgrade to the new 2.14 release, which fixes several security holes. The worst of these vulnerabilities could lead to the disclosure of "confidential" bugs, or the compromise of the Bugzilla server as a whole.
A new lpr vulnerability. A new buffer overrun vulnerability in lpr has been reported. This time around, an attacker crafts a special, incomplete print job; a subsequent request to view the printer queue causes the overrun to happen. The advisory only mentions BSD systems, but numerous Linux distributions run BSD lpr as well. Stay tuned for updates...
An HTML injection vulnerability with gnut. The "gnut" Gnutella client is vulnerable to the injection of arbitrary HTML (including scripts) if a hostile user shares a file with HTML tags embedded in its name. This bug is compounded by the fact that gnut, apparently, loads a lot of files from the local drive; browsers impose fewer security restrictions in this situation. Upgrade to gnut 0.4.27 for a fix.
POP3Lite message processing vulnerability. The POP3Lite POP server fails to escape leading dots in mail messages, opening it up to denial of service attacks and the creation of untraceable forged messages. Upgrading to version 0.2.4 fixes the problem.
SuSE updates screen. SuSE has issued a security update to screen fixing a local
root exploit vulnerability in that package. It seems that, if screen is
installed setuid root, a clever user can engage in some /tmp
trickery to get root privileges. SuSE's fix deals with the problem in the
code, and also removes the setuid bit. That, in turn, reduces the
functionality of screen slightly; see the advisory for information on
whether you might need to restore the setuid bit after applying the
web scripts.The following web scripts were reported to contain vulnerabilities:
Proprietary products.The following proprietary products were reported to contain vulnerabilities:
Buffer overrun vulnerabilities in fetchmail. (Found by Salvatore Sanfilippo). Two buffer overrun vulnerabilities exist in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. See the August 16 Security page for the initial report.
Previous updates:Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.
This week's updates:
Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
This week's updates:
Buffer overruns in Window Maker A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page.
ResourcesThe LinuxSecurity.com Weekly Newsletter for September 3 is available.
EventsComputer Security Mexico will be held November 24 to 30 in Mexico City. The call for papers has been issued; with submissions being due by October 12.
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Jonathan Corbet
September 6, 2001
Security alerts archive
Engarde Secure Linux
NSA Security Enhanced
Linux Security Audit Project
Linux Security Module
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Security mailing lists Caldera
Linux From Scratch
Security Software Archives
ZedZ.net (formerly replay.com)
Comp Sec News Daily