Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-2000502-1
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Tue May 02 2000 - 21:40:48 MDT
Yellow Dog Linux Security Announcement
--------------------------------------
Package: piranha
Issue Date: May 02, 2000
Update Date: May 02, 2000
Priority: high
Advisory ID: YDU-2000502-1
1. Topic:
The GUI portion of Red Hat's Piranha software may allow
any remote attacker to execute commands on the server. This
may allow a remote attacker to launch additional exploits
against a web site from inside the web server.
2. Problem:
The following information is from Red Hat's errata page:
When Piranha is installed, it generates a 'secure' web
interface ID using the HTML .htaccess method. The
information for the account is placed in
/home/httpd/html/piranha/secure/passwords which was
supposed to be released with a blank password. Unfortunately,
the password that is actually on the CD is 'Q'.
The original intent was that, when the administrator
installed Piranha rpms onto their box, that they would
change the default blank password to a password of their
own choosing.
This is not a hidden account. Its only use is to protect
the web pages from unauthorized access.
The security problem arises from the
http://localhost/piranha/secure/passwd.php3 file. It is
possible to execute commands by entering 'blah;some-command'
into the password fields. Everything after the semicolon is
executed with the same privilege as the webserver.
Because of this, it is possible to compromise the webserver
or do serious damage to files on the site that are owned by
the user 'nobody' or to export a shell using xterm.
This update, piranha-0.4.14-1 disables the piranha web interface
by default. The site administrator will need to enable the service
manually as described by the main page of the piranha utility.
Users that are not actively using Piranha on their system are
urged to remove the piranha-gui package from their system using
the following command.
rpm -e piranha-gui
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command will
automatically retrieve and install the fixed version of
man onto your system:
yup update piranha
yup update piranha-docs
yup update piranha-gui
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update.
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
piranha-0.4.14-1.ppc.rpm
piranha-docs-0.4.14-1.ppc.rpm
piranha-gui-0.4.14-1.ppc.rpm
rpm -Fvh piranha-0.4.14-1.ppc.rpm
rpm -Fvh piranha-docs-0.4.14-1.ppc.rpm
rpm -Fvh piranha-gui-0.4.14-1.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
dbeef5c36b6ed6898978da30475bb395 RPMS/piranha-0.4.14-1.ppc.rpm
b45486eafcfe87c7f40977d991f3e2e7 RPMS/piranha-docs-0.4.14-1.ppc.rpm
f29c0e0545034428b52ae80817d90b67 RPMS/piranha-gui-0.4.14-1.ppc.rpm
a8f97a9de5fe7561dd576a913201e267 SRPMS/piranha-0.4.14-1.src.rpm
All updates are signed by Terra Soft Solutions, Inc.
with our GPG key which is available at:
http://www.yellowdoglinux.com/resources/public_key.shtml
You can verify each package with the following command: rpm --checksig filename
If you only wish to verify that each package has not been corrupted or tampered with,
examine only the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml
This archive was generated by hypermail 2a24 : Tue May 02 2000 - 21:41:22 MDT