Note: This is an archival copy of Security Sun Alert 200823 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000622.1.
Article ID : 1000622.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The PHP on Sun/Cobalt Platforms Have Exploitable Vulnerabilities



Category
Security

Release Phase
Resolved

Bug Id
15959

Date of Workaround Release
28-AUG-2002

Date of Resolved Release
06-MAY-2003

Impact

A local or remote unprivileged user may be able to execute arbitrary code on Sun Cobalt systems with the privileges of the HTTP process, due to a vulnerability in PHP SafeMode. The HTTP process normally runs as the unprivileged uid 'nobody' (uid 60001). For a remote unprivileged user to exploit this issue, existing PHP pages must pass a variable as the fifth parameter to the mail() function. The ability to execute arbitrary code as the unprivileged uid 'nobody' may lead to modified Web content, denial of service, or further compromise.

Please see the Common Vulnerabilities and Exposures project at http://cve.mitre.org and reference CAN-2001-1246 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1246. An additional reference is http://www.iss.net/security_center/static/6787.php.


Contributing Factors

This issue can occur in the following releases:

2800 Workgroup NTT/KOBE(2800WGJ-KOBE)

  • mod_php3-3.0.7-1C3j.mips.rpm
  • mod_php3-doc-3.0.7-1C3j.mips.rpm

RaQ4 no raid(3001R)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ4 Japanese no raid(3001R-ja)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ4 RAID(3100R)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ4 Japanese RAID(3100R-ja)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ XTR(3500R)

  • php-4.0.3pl1-C1r5.i386.rpm
  • php-devel-4.0.3pl1-C1r5.i386.rpm

RaQ XTR Japanese(3500R-ja)

  • php-4.0.3pl1-C1r5.i386.rpm
  • php-devel-4.0.3pl1-C1r5.i386.rpm

Qube3(4000WG)

  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube 3 Japanese(4000WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Qube3 w/ Caching(4010WG)

  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube3 Japanese w/ Caching(4010WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Control Station Production(4100CS)

  • php-4.0.3pl1-C1r6.i386.rpm
  • php-devel-4.0.3pl1-C1r6.i386.rpm

RaQ 550 (4100R)

  • php-devel-4.0.6-C4.i386.rpm
  • php-4.0.6-C4.i386.rpm

Qube3 w/ Caching and RAID(4100WG)

  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube3 Japanese w/ Caching and RAID(4100WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Sun LX50 (Sun Linux 5.0)

  • php-4.0.6-12.i386.rpm
  • php-devel-4.0.6-12.i386.rpm
  • php-imap-4.0.6-12.i386.rpm
  • php-ldap-4.0.6-12.i386.rpm
  • php-mysql-4.0.6-12.i386.rpm
  • php-odbc-4.0.6-12.i386.rpm
  • php-manual-4.0.6-12.noarch.rpm

Notes: PHP is an HTML-embedded scripting language commonly used with Apache. PHP versions 4.0.5 through 4.1.0 in safe mode do not properly cleanse the 5th parameter to the mail() function. This vulnerability allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.
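
As an added illustration (not part of the original Sun Alert), the following Python script audits PHP sources for the precondition named under Impact and in the note above: mail() calls whose fifth argument is anything other than a constant string. The function names and the sample page are constructed for this example, and the scanner assumes the calls are not inside PHP comments or heredocs.

```python
import re

# Bare mail( calls only; skips $obj->mail(, Class::mail( and sendmail(.
MAIL_CALL = re.compile(r"(?<![\w>$:])mail\s*\(", re.IGNORECASE)

def split_args(src, start):
    """Split a PHP argument list starting just after '('; None if unterminated."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a string: copy verbatim
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):
                i += 1
                cur.append(src[i])     # keep the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in ")]}" and depth == 0:
            return args + ["".join(cur).strip()]   # end of this call
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            depth += (ch in "([{") - (ch in ")]}")
            cur.append(ch)
        i += 1
    return None

def is_constant_literal(arg):
    """True for one quoted string with no variable interpolation."""
    return bool(re.fullmatch(r"'(?:[^'\\]|\\.)*'", arg, re.S)
                or re.fullmatch(r'"(?:[^"\\$]|\\.)*"', arg, re.S))

def audit(src):
    """Return (line, fifth_arg) for mail() calls with a non-constant 5th argument."""
    calls = [(m, split_args(src, m.end())) for m in MAIL_CALL.finditer(src)]
    return [(src.count("\n", 0, m.start()) + 1, a[4]) for m, a in calls
            if a and len(a) >= 5 and not is_constant_literal(a[4])]

# Constructed sample page, not taken from any Cobalt system.
SAMPLE = r'''<?php
mail($to, $subject, $body, $headers, "-f" . $_POST['from']);
mail($to, $subject, $body, $headers, '-fwebmaster@example.com');
mail($to, "Hi, there", $body, "X-A: (b, c)", "-f$sender");
$mailer->mail($a, $b, $c, $d, $e);
'''
```

Calling audit(SAMPLE) reports lines 2 and 4; every reported call needs manual review, including calls that already wrap the value in a sanitizing function.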


Symptoms

Unusual entries in the web server logs could indicate that someone is attempting to gain entry through this issue. Other possible indications are any abnormal and/or unauthorized system activity, including, but not limited to, defaced web pages, unknown user accounts appearing on the system, and abnormal network traffic or listening TCP/UDP ports.


Workaround

Until fixes for these vulnerabilities can be applied, disable all applications (as mentioned above in Contributing Factors) that use vulnerable implementations of PHP.


Resolution

This issue is addressed in the following releases:

Cobalt platform

Instructions for downloading Cobalt Patches can be found in MyOracleSupport.

For RaQ 4:

Qube 3:

RaQ 550:

RaQ XTR:

Sun LX50 (Sun Linux 5.0):



Modification History
06-MAY-2003: Updated Resolution section. Resolved.




























