Updated versions of the Apache HTTP server, PHP, and mod_ssl are now
available which close possible buffer overflows in the Apache HTTP server
benchmarking tool, fix two cross-site scripting vulnerabilities in the
error pages, and fix possible local privilege escalation. These updates
also fix vulnerabilities in the PHP mail() function that allows script
authors to bypass safe mode restrictions, and possibly allow remote
attackers to insert arbitrary mail headers and content into messages.
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server. PHP is an HTML-embedded scripting language
commonly used with the Apache HTTP server.
Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27 allow a malicious Web server to cause a denial of
service and possibly execute arbitrary code via a long response. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-0843 to this issue.
Two cross-site scripting vulnerabilities are present in the error pages
for the default "404 Not Found" error, and for the error response when a
plain HTTP request is received on an SSL port. Both of these issues are
only exploitable if the "UseCanonicalName" setting has been changed to
"Off", and wildcard DNS is in use. These issues would allow remote
attackers to execute scripts as other Web page visitors, for instance, to
steal cookies. These issues affect Apache versions 1.3 to 1.3.26,
and mod_ssl versions before 2.8.12. The Common Vulnerabilities and
Exposures project has assigned the names CAN-2002-0840 and
CAN-2002-1157 to these issues.
The shared memory scoreboard in the HTTP daemon for Apache 1.3.x, prior to
version 1.3.27 allowed a user running as the web server user to send a
SIGUSR1 signal to any process as root, resulting in a denial of service
(process kill) or other such behavior that would not normally be allowed.
The Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-839 to this issue.
The mail function in PHP 4.x to 4.2.2 may allow local script authors to
bypass safe mode restrictions and modify command line arguments to the
MTA (such as Sendmail) in the fifth argument to mail(), altering MTA
behavior and possibly executing arbitrary local commands. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2002-0985
to this issue.
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
characters from its arguments, which could allow remote attackers to
modify mail message content, including mail headers, and possibly use
PHP as a "spam proxy". The Common Vulnerabilities and Exposures project has
assigned the name CAN-2002-0986 to this issue.
Stronghold 4 contains Apache 1.3.22, mod_ssl 2.8.7, and PHP 4.1.2, and
is therefore vulnerable to these issues. Users of Stronghold are advised to
patch or upgrade their servers.
We have backported the security fixes for the versions of OpenSSL
and mm included in Stronghold 4. The fixed packages are now available via
the update agent service; run
$ bin/agent
from the Stronghold 4 install root to upgrade an existing Stronghold 4
installation to the new package versions. After upgrading Stronghold, the
server must be completely restarted by running the following commands from
the install root:
$ bin/stop-server
$ bin/start-server
For more information on how to upgrade between releases of Stronghold 4,
see
http://stronghold.redhat.com/support/upgrade-sh4
apache, mod_ssl, php security update for Stronghold