PostNuke

Flexible Content Management System

News


PHP 4.2.0, 4.2.1 Remote Vulnerability

Application: PHP 4.2.0, 4.2.1
Severity: A vulnerability within the multipart/form-data handler could allow remote compromise of the web server.
Risk: Critical
Vendor Status: Patches Released.
Reference: http://security.e-matters.de/advisories/022002.html

Overview:

We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.


Details:

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST handler. While I was working on the code in my role as PHP developer, I found a bug in the way the mime headers are processed. A malformed POST request can trigger an error condition that is not correctly handled. Due to this bug it could happen that an uninitialised struct gets appended to the linked list of mime headers. When the list gets cleaned or destroyed, PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation, those pointers contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (aka x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout. All possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them. Unfortunately the situation is absolutely different if you look at a Solaris SPARC installation. Here it is possible for an attacker to free chunks of memory that are fully under his control. This is most probably the case for several more non-IA32 architectures. Please note that exploitability is not limited to systems that are running malloc()/free() implementations that are known to be vulnerable to control structure overwrites. This is because the internal PHP memory management implements its own linked list system that can be used to overwrite nearly arbitrary memory addresses.

Proof of Concept:

e-matters is not going to release the exploit for this vulnerability to the public.


Vendor Response:

22nd July 2002 - An updated version of PHP which fixes this vulnerability was released and can be downloaded at:

http://www.php.net/downloads.php

The vendor announcement is available at:

http://www.php.net/release_4_2_2.php


Recommendation:

If you are running PHP 4.2.x you should upgrade as soon as possible, especially if your server runs on a non-IA32 CPU. If you cannot upgrade for whatever reason, the only way to work around this is to disable all kinds of POST requests on your server.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6


Copyright 2002 Stefan Esser. All rights reserved.
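The pattern the advisory describes, shown in its hardened form as an added example in C (constructed for this page, not PHP's own rfc1867.c): every list node is zero-initialised, and a malformed header line is rejected before the node is ever linked, so the list destructor only frees pointers that were really set.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a mime-header list for this example, not PHP's rfc1867.c. */
typedef struct mime_header { char *name, *value; struct mime_header *next; } mime_header;

static char *copy_range(const char *s, size_t n) {   /* NUL-terminated copy of s[0..n) */
    char *out = malloc(n + 1);
    if (out) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}
/* Fill *h from "Name: value"; returns -1 for a malformed line without ':'. */
static int parse_header_line(const char *line, mime_header *h) {
    const char *colon = strchr(line, ':'), *v;
    if (colon == NULL) return -1;
    for (v = colon + 1; *v == ' ' || *v == '\t'; v++) ;
    h->name = copy_range(line, (size_t)(colon - line));
    h->value = copy_range(v, strlen(v));
    return (h->name && h->value) ? 0 : -1;
}
/* Hardened append: calloc() zeroes the node so it never carries stale pointers,
   and on a parse error it is released before it is linked. The advisory's bug was
   the reverse: the error went unhandled, the uninitialised node was linked anyway,
   and the list destructor later called free() on leftover stack garbage. */
int add_header(mime_header **head, const char *line) {
    mime_header *h = calloc(1, sizeof *h);
    if (h == NULL) return -1;
    if (parse_header_line(line, h) != 0) {
        free(h->name); free(h->value); free(h);   /* free(NULL) is a no-op */
        return -1;
    }
    h->next = *head; *head = h;
    return 0;
}
/* Destroy the list; every node reached here holds only valid pointers. */
int free_headers(mime_header **head) {
    int n = 0;
    for (mime_header *h = *head; h != NULL; h = *head, n++) {
        *head = h->next;                      /* unlink before freeing */
        free(h->name); free(h->value); free(h);
    }
    return n;
}
/* Feed constructed lines (one malformed); returns nodes stored, -1 on bad data. */
int demo_header_list(void) {
    mime_header *list = NULL;
    add_header(&list, "Content-Disposition: form-data; name=\"upload\"");
    add_header(&list, "this line has no colon");
    add_header(&list, "Content-Type: text/plain");
    if (strcmp(list->name, "Content-Type") || strcmp(list->value, "text/plain")) return -1;
    return free_headers(&list);
}
```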


Mahalo PostNuke

AYSO (http://soccer.org) by the way has over 650,00 kids, 200,000+ volunteers and 1,2000+ regions from Hawaii to Florida to New York, Paraguay, Guam, American Samoa, Bahamas, Jamaica and Moscow, Russia.

I'm looking forward to working with version 7 now that the Tournament is over, and wondering if anyone is interested in working to develop modules to be used for youth sports sites. I had numerous inquiries about PostNuke and how it could be used for their region website.

Mahalo nui loa!
billT, NationalGamesHawaii.org (http://nationalgameshawaii.org)


Hosting Service for PostNuke sites

http://blockhouse.zzine.org/

e.g our blue package:

Bluehouse Hosting Package - $16.95/mo (12 months only $14.95/mo!)
For beginner webmasters who want a powerful set of tools to develop with!


100 MB's Storage
10 GB's Transfer
Online Control Panel
Unlimited E-mail Accounts
3 Virtual FTP Accounts
Unlimited MySQL Databases
Unlimited E-mail Aliases
Unlimited Auto Responders
Unlimited E-mail Blockers
Unlimited Mailing Lists
Password Protected Directories
FrontPage 2002 Support
Powerful Shopping Cart
Unlimited Discussion Forums
Full CGI Access
WebMail System
Complete PHP4 Support
Detailed Web Site Statistics
Redundant Nightly Backups
SSH Secure Shell/Telnet Access
Pre-Configured Java/CGI
Perl 5, TCL, C++, Python, Java
Static IP address
Access to Raw Domains Logs
Free Search Engine Submissions
Free Real Audio and Video Support
99.9% Uptime Guarantee

You can apply on our page if you're interested...

cheers,

CHi


Permissions Help (needed)

Group               Component          Instance                                        Level
Admins              .*                 .*                                              Admin
Moderators          Stories::          .*                                              Admin
Moderators          PostCalendar::     .*                                              Admin
Moderators          Menublock::        Main Menu:Administration                        Read
Board of Directors  Stories::          :Board of Directors:                            Read
Board of Directors  Stories::          :Members:                                       Read
Members             Stories::          :Members:                                       Read
Members             Categoryblock::    Categories Menu::                               None
Users               Stories::          :Board of Directors:                            None
Users               Stories::          :Members:                                       None
Users               .*                 .*                                              Comment
Unregistered        Menublock::        Main Menu:(My Account|Logout|Submit News):      Read
Unregistered        Loginblock::       .*                                              Read
Unregistered        Stories::          :General:                                       Read
Unregistered        Stories::          :Board of Directors:                            None
Unregistered        Stories::          :Members:                                       None
All groups          Menublock::        Main Menu:Administration:                       None
Unregistered        Categoryblock::    Categories Menu::                               None
Unregistered        .*                 .*                                              Read
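As an added example (not PostNuke's own code), the following C program models how an ordered rule table like the one above resolves access: the first row whose group, component and instance patterns all match decides the level, which is why the "Users Stories:: :Members: None" row has to sit above "Users .* .* Comment". It assumes first-match semantics, treats "All groups" as matching every group, matches component and instance as anchored POSIX extended regexes, and uses its own numeric level values.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Access levels in PostNuke's order (higher grants more); numbers are the example's own. */
enum { LVL_NONE = 0, LVL_READ = 200, LVL_COMMENT = 300, LVL_EDIT = 500, LVL_ADMIN = 800 };
typedef struct { const char *group, *component, *instance; int level; } perm_rule;

/* A subset of the rules from the post above, kept in the order they are listed. */
static const perm_rule rules[] = {
    { "Admins",       ".*",          ".*",                                          LVL_ADMIN },
    { "Moderators",   "Stories::",   ".*",                                          LVL_ADMIN },
    { "Moderators",   "Menublock::", "Main Menu:Administration",                    LVL_READ },
    { "Members",      "Stories::",   ":Members:",                                   LVL_READ },
    { "Users",        "Stories::",   ":Members:",                                   LVL_NONE },
    { "Users",        ".*",          ".*",                                          LVL_COMMENT },
    { "Unregistered", "Menublock::", "Main Menu:(My Account|Logout|Submit News):",  LVL_READ },
    { "Unregistered", "Stories::",   ":General:",                                   LVL_READ },
    { "All groups",   "Menublock::", "Main Menu:Administration:",                   LVL_NONE },
};

/* Anchored POSIX extended-regex match, the way the .* wildcards above behave. */
static int rx_match(const char *pattern, const char *subject) {
    char anchored[256];
    regex_t re;
    int ok;
    snprintf(anchored, sizeof anchored, "^%s$", pattern);
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) return 0;
    ok = regexec(&re, subject, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

/* The first rule whose group, component and instance all match decides the
   level (assumed first-match semantics); "All groups" rows apply to everyone. */
int effective_level(const char *group, const char *component, const char *instance) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const perm_rule *r = &rules[i];
        if (strcmp(r->group, group) != 0 && strcmp(r->group, "All groups") != 0) continue;
        if (rx_match(r->component, component) && rx_match(r->instance, instance))
            return r->level;
    }
    return LVL_NONE;   /* no rule matched: deny */
}

/* Does the group hold at least the required level on this component/instance? */
int may(const char *group, const char *component, const char *instance, int needed) {
    return effective_level(group, component, instance) >= needed;
}
```

Note that the Moderators Menublock row above spells its instance without the trailing colon while the All groups row has one, so as written the two rows never match the same instance string; calling effective_level with both spellings shows the difference.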

Three methods to check out the latest code from the new PN CVS server

1. Checkout with TortoiseCVS (http://www.TortoiseCVS.org):

TortoiseCVS, a Windows Explorer plugin, works with Windows 95, 98, ME, NT, 2000 and XP and is very similar to WinCVS (http://www.wincvs.org). The TortoiseCVS download is at http://www.tortoisecvs.org/download.shtml. For an anonymous CVS checkout you don't need a developer account:

a. Get TortoiseCVS (stable version 0.44 recommended) as an executable, install it on your machine and create a CVS sandbox. Also install an ssh-ftp client, e.g. from ftp://ftp.cert.dfn.de/pub/tools/net/ssh/. See the tutorial for the PN module checkout: http://centre.ics.uci.edu/~grape/modules.php?op=modload&name=News&file=article&sid=25&mode=&order=0

b. Create a folder for your checkout and right-click on it. In the context menu choose CVS - Checkout and provide the following information:

- Module
Protocol - Internet (secure shell)
Server - cvs.hostnuke.com
Repository Directory - /home/cvsroot
User name - anonymous
Module - postnuke_official

- Revision
Get tag/branch: - PostNuke_71

c. When checking out, a DOS box will open. Type 'anonymous' as the password. (If checking out as a registered developer you need to provide your username/password combination.)

Note: I strongly recommend using the stable version 0.44 to check out from cvs.hostnuke.com. With the newer version, Tortoise 0.54, several troubles can occur, depending on your Windows environment.


2. Checkout with anonymous access to CVS via the command line:

The PostNuke tree is in the directory postnuke_official. To do a checkout of the complete code (main branch), first tell CVS to use ssh as its remote shell:

export CVS_RSH=ssh

To check out the .7 maintenance branch use:

cvs -d :ext:username@cvs.hostnuke.com:/home/cvsroot co -r PostNuke_71 postnuke_official

When asked, provide:
user: anonymous
pass: anonymous

This means, for an anonymous checkout into a local directory named PN_7_Series:

cvs -d :ext:anonymous@cvs.hostnuke.com:/home/cvsroot co -d PN_7_Series -r PostNuke_71 postnuke_official

And for the current .8 CVS:

export CVS_RSH=ssh
cvs -d :ext:anonymous@cvs.hostnuke.com:/home/cvsroot co -P postnuke_all

The password is anonymous.



3. WinCVS access, with WinCVS (http://www.wincvs.org):

Get WinCVS (http://www.wincvs.org) for your Windows or Mac machine. In addition you need an ssh client (ftp://ftp.ssh.com/pub/ssh) and Python 2.2.x (http://www.Python.org).

The next step is to set up the WinCVS Admin->Preferences settings, which are:

authentication: ssh
path: /home/cvsroot
host address: cvs.hostnuke.com
username: anonymous

Select "Show CVS console (open TTY)"

See also the WinCvs Daily Use Guide (http://www.computas.com/pub/wincvs-howto/) and the quick reference on developer.hostnuke.com (http://developer.hostnuke.com/modules.php?op=modload&name=News&file=article&sid=2&mode=thread&order=0&thold=0). For questions and further information see the latest information on http://developer.hostnuke.com. In case of any mistakes, please set me straight.

regards martin

