74874 2002-09-09 18:00 /172 lines/ <Allen.Wilson@guardent.com>
Imported: 2002-09-09 18:00 by Brevbäraren
External recipient: bugtraq@lists.securityfocus.com
Recipient: Bugtraq (import) <1417>
Subject: Guardent Client Advisory: Multiple wordtrans-web Vulnerabilities
------------------------------------------------------------

Guardent Client Advisory
Multiple wordtrans-web Vulnerabilities
September 6th, 2002

Summary:

Guardent has discovered vulnerabilities in the wordtrans-web package. The vulnerabilities allow remote execution of arbitrary code with the privileges of the user running the web server, and also a cross-site scripting vulnerability.

Scope:

Guardent has verified that all versions prior to and including the current development version of wordtrans-1.1pre9 are vulnerable. The current distribution of Red Hat Linux 7.3 is vulnerable. Earlier versions of Red Hat Linux do not contain the vulnerable package. The Debian wordtrans-web package version 1.0beta-2-2.4 in unstable is vulnerable. Note that this package is not present in the stable release, Debian 3.0 (woody).

Description:

The wordtrans-web package provides an interface to query multilingual dictionaries via a web browser. Improper input validation allows for the execution of arbitrary code or injection of cross-site scripting code by passing unexpected parameters to the wordtrans.php script. The wordtrans.php script in turn executes the "wordtrans" binary unsafely with the unexpected parameters.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0837 to this issue.

Detection:

Red Hat Linux administrators are encouraged to verify the presence and version of their wordtrans-web package using the command:

rpm -qi wordtrans-web

Guardent has provided the following Snort signature to assist users in detecting accesses of the vulnerable wordtrans-web component.
alert tcp $EXTERNAL_NET any -> $WEB_SERVERS 80 (msg:"WEB-MISC wordtrans-web access"; flags:A+; uricontent:"/wordtrans.php"; nocase; classtype:attempted-recon; sid:1082322; rev:1;)

Clients of Guardent's Security Defense Appliance for Managed Intrusion Detection Security Services are already being monitored for abuses of this vulnerability.

Recommendations:

Users of the Red Hat Network can update their systems using the 'up2date' tool.

Users of Debian can download the fixed wordtrans-web package version 1.0beta2-2.5 from http://packages.debian.org/wordtrans-web

Guardent has provided the following workarounds for popular versions of the wordtrans-web package. These workarounds are not meant to be a substitute for the recommended vendor packages.

The following patch is for version wordtrans-1.1pre8.php:

*** wordtrans-1.1pre8.php.old - --- wordtrans-1.1pre8.php *************** *** 15,20 **** - --- 15,21 ---- <head> <title> <? + $dict=ereg_replace("[^[:alnum:]-]","",$dict); if ($word == "") { if ($lang == "es") echo "Interfaz Web de Wordtrans";

The following patch is for version wordtrans-1.1pre9.php:

*** wordtrans-1.1pre9.php.old - --- wordtrans-1.1pre9.php *************** *** 20,25 **** - --- 20,26 ---- <head> <title> <? + $dict=ereg_replace("[^[:alnum:]-]","",$dict); if ($word == "") { if ($lang == "es") echo "Interfaz Web de Wordtrans";

References:

Guardent Client Advisory - Multiple wordtrans-web Vulnerabilities
http://www.guardent.com/comp_news_advisories.html

Red Hat Errata RHSA-2002-188
http://rhn.redhat.com/errata/RHSA-2002-188.html

Debian wordtrans-web package
http://packages.debian.org/wordtrans-web

The Common Vulnerabilities and Exposures project - CAN-2002-0837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0837

Credits:

This vulnerability was discovered and researched by Allen Wilson of Guardent, Inc. Guardent would like to thank Mark J. Cox and the entire Red Hat Security Response Team as well as Matt Zimmerman of Debian GNU/Linux for their response and handling of this vulnerability.

About Guardent:

Guardent provides security and privacy programs for Global 2000 organizations. Integrating consulting and managed services, Guardent helps financial services, life sciences, manufacturing, government and technology clients achieve their business objectives through the use of appropriate security and privacy measures. Guardent can assist your organization with Vulnerability Assessment Services, Managed Intrusion Detection and Firewall Services. Guardent can also provide assistance in developing an Incident Response Plan.

For clients requiring support for these issues, please contact the Guardent Operations Center at (888) 456-3210 ext. 4 or by e-mailing clientcare@guardent.com.

All media inquiries should be directed to:
Dan McCall
(617) 577-6500
dan.mccall@guardent.com

(C) Copyright 2002 Guardent, Inc. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of Guardent, Inc.

Disclaimer:

The information within this document may change without notice. Guardent will keep an updated version of this advisory on its web site at www.guardent.com for a limited period of time. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall Guardent be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
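Review bot: in the wordtrans-1.1pre8 hunk, the added `$dict=ereg_replace("[^[:alnum:]-]","",$dict);` line filters only `$dict`, while the surrounding context still reads `$word` and `$lang` without any filtering; if the script hands those to the wordtrans binary or echoes them into the page, this hunk does not cover them. Consider applying the same character whitelist (or `escapeshellarg()` at the point of execution) to every request parameter, and rejecting a value that contains disallowed characters instead of silently stripping them, so that a mangled dictionary name fails loudly rather than quietly querying a different dictionary.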
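Review bot: in the wordtrans-1.1pre9 hunk, nothing in the visible context shows where `$dict` is assigned before the new `ereg_replace` call; if the script relies on PHP's register_globals to populate it, the workaround only takes effect in that configuration, and the filtering should instead be tied to the explicit request source (`$_GET`/`$_POST`) so it behaves the same regardless of the php.ini setting. The same whitelist written with `preg_replace` would also avoid depending on the POSIX `ereg` functions, which later PHP versions removed.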
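As an added example that is not part of the advisory, the following Python script applies the same check as the Snort rule in the Detection section to web-server access-log lines, and additionally tests the percent-decoded `dict` parameter against the character class the workaround patch keeps (`[[:alnum:]-]`) so that plain dictionary lookups can be told apart from requests the patch would have altered. The log lines, client addresses and the dictionary name "i2e" are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same URI match as the advisory's Snort rule: uricontent:"/wordtrans.php"; nocase
URI_PATTERN = re.compile(r"/wordtrans\.php", re.IGNORECASE)
# Same character class the workaround patch keeps in $dict: [[:alnum:]-]
DICT_ALLOWED = re.compile(r"^[A-Za-z0-9-]*$")
# Common Log Format; the request field is '"METHOD URI PROTOCOL"'
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return None for lines that do not hit wordtrans.php, otherwise a record
    whose verdict is "access" (would only trip the Snort rule) or "suspicious"
    (the dict parameter carries characters the patch's whitelist removes)."""
    m = CLF.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if not URI_PATTERN.search(uri):
        return None
    # parse_qs percent-decodes values, so %3B is compared as ';' just as PHP sees it
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    dict_values = params.get("dict", [])
    bad = [v for v in dict_values if not DICT_ALLOWED.match(v)]
    return {
        "ip": m.group("ip"),
        "dict": dict_values,
        "verdict": "suspicious" if bad else "access",
    }


def scan(lines):
    """Classify every line and keep only wordtrans.php hits."""
    return [r for r in (classify(l) for l in lines) if r is not None]


# Constructed sample log: a normal lookup, a lookup whose dict value the
# whitelist would strip, and an unrelated request
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2002:18:00:01 +0200] "GET /wordtrans.php?dict=i2e&word=house&lang=es HTTP/1.0" 200 2311',
    '203.0.113.7 - - [09/Sep/2002:18:00:02 +0200] "GET /WordTrans.PHP?dict=i2e%3Bx&word=house HTTP/1.0" 200 1877',
    '198.51.100.9 - - [09/Sep/2002:18:00:03 +0200] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec)
```

A request to wordtrans.php with no `dict` parameter at all is reported as a plain "access", exactly as the Snort rule would report it.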