LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: September 19th, 2014
Linux Security Week: September 15th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: August 19th 2005 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for amd64, fetchmail, Mozilla, heartbeat, clamav, lam, vim, evolution, audit, evolution, mc, kdeaddons, kdeadmin, kdebase, kdedu, kdegames, kdegraphics, kdemultimedia, kdenetwork, kdepim, kdesdk, kdetoys, kdeutils, kdevelop, kdewebdev, koffice, xpdf, arts, kdepim, epiphany, kdbg, doxygen, ncpfs, gaim, pcre, tar, vnc, metacity, cups, pygtk, shadow-utils, and netpbm. The distributors include Debian, Fedora, Gentoo, an Red Hat.


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Hacks From Pax: PHP Web Application Security, Part II

Another common cause of PHP application holes is improper sanitization of user provided data. For example, if you allow a user to fill out a form and then pass data from a field on that form to a function like system() or exec() the data could contain something malicious, like an ; rm -rf * command tacked onto it.

  • Never trust user provided data.
  • Beware functions that launch system commands, think long and hard about checking any data that is passed to them.

Another related but common security flaw in PHP applications is a SQL injection vulnerability. The magic_quotes_gpc option can mitigate this, but as with register_globals you should not assume this setting is on.

For example, in your PHP script you might ask the user for a user id and password, and then check for the user by passing the database a query.

SELECT * FROM users WHERE name='$username' AND pass='$password';

However, if the user logging in is malicious and devious, he may enter the following as his password:

' OR '1'='1

This causes your query to become:

SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';

The user has just logged in with no password, and your application has been penetrated. To avoid this, check for the status of magic_quotes_gpc() using the ini_get() function and if it is disabled, pass all user input that must be included in a query through addslashes(). This will escape the single or double quotes in the user input with backslashes, thereby thwarting the attempted SQL injection attack.

  • Use magic_quotes_gpc, but don't assume it is on or depend on it.
  • The addslashes() function should be used on user data passed to SQL queries.
  • Again, you simply cannot trust user provided data.

The PHP online manual contains an entire chapter on PHP security. It's an excellent resource, and goes into much more detail on the PHP security issues I've discussed in this article. Until next time, stay secure, and don't blindly trust any user provided data.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120043/49/


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New amd64 packages fix several bugs
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120074
 
  Debian: New fetchmail packages fix arbitrary code execution
  12th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120076
 
  Debian: New Mozilla packages fix frame injection spoofing vulnerability
  15th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120082
 
  Debian: New heartbeat packages fix insecure temporary files
  15th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120086
 
  Debian: New clamav packages fix several problems
  16th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120124
 
  Debian: New Mozilla packages fix frame injection spoofing vulnerability
  17th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120126
 
   Fedora
  Fedora Core 4 Update: system-config-bind-4.0.0-28_FC4
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120066
 
  Fedora Core 3 Update: system-config-bind-4.0.0-28
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120067
 
  Fedora Core 4 Update: system-config-netboot-0.1.24-1_FC4
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120068
 
  Fedora Core 3 Update: system-config-netboot-0.1.24-1_FC3
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120069
 
  Fedora Core 4 Update: lam-7.1.1-7.FC4
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120070
 
  Fedora Core 3 Update: lam-7.1.1-7.FC3
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120071
 
  Fedora Core 3 Update: vim-6.3.086-0.fc3
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120072
 
  Fedora Core 4 Update: vim-6.3.086-0.fc4
  11th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120073
 
  Fedora Core 4 Update: evolution-data-server-1.2.3-2.fc4
  15th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120087
 
  Fedora Core 4 Update: audit-1.0.2-3.FC4
  15th, August, 2005

This update fixes several problems where the audit system is used on systems with SE Linux disabled, it provides a sample CAPP configuration, adds new auditd config option to keep all logs instead of rotating them, and does some sanity checks on some rules before sending them to the kernel.

http://www.linuxsecurity.com/content/view/120088
 
  Fedora Core 3 Update: evolution-2.0.4-6
  15th, August, 2005

Fix for SITIC Vulnerability Advisory SA05-001

http://www.linuxsecurity.com/content/view/120089
 
  Fedora Core 4 Update: evolution-2.2.3-2.fc4
  15th, August, 2005

Fix for SITIC Vulnerability Advisory SA05-001

http://www.linuxsecurity.com/content/view/120090
 
  Fedora Core 4 Update: mc-4.6.1a-0.11.FC4
  15th, August, 2005

This update cotains the new official release of the GNU/Midnight Commander 4.6.1.

http://www.linuxsecurity.com/content/view/120091
 
  Fedora Core 3 Update: mc-4.6.1-1.FC3
  15th, August, 2005

This update cotains the new official release of the GNU/Midnight Commander 4.6.1.

http://www.linuxsecurity.com/content/view/120092
 
  Fedora Core 3 Update: system-config-netboot-0.1.26-1_FC3
  15th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120093
 
  Fedora Core 3 Update: vim-6.3.086-0.fc3.1
  15th, August, 2005

CAN-2005-2368 This update is supposed to fix GTK2 dependency problems of the vim-6.3.086-0.fc3 package.

http://www.linuxsecurity.com/content/view/120094
 
  Fedora Core 3 Update: kdeaddons-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120095
 
  Fedora Core 3 Update: kdeadmin-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120096
 
  Fedora Core 3 Update: kdeartwork-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120097
 
  Fedora Core 3 Update: kdebindings-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120098
 
  Fedora Core 3 Update: kdebase-3.4.2-0.fc3.2
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120099
 
  Fedora Core 3 Update: kdeedu-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120100
 
  Fedora Core 3 Update: kdegames-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120101
 
  Fedora Core 3 Update: kdegraphics-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120102
 
  Fedora Core 3 Update: kde-i18n-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120103
 
  Fedora Core 3 Update: kdelibs-3.4.2-0.fc3.2
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120104
 
  Fedora Core 3 Update: kdemultimedia-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120105
 
  Fedora Core 3 Update: kdenetwork-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120106
 
  Fedora Core 3 Update: kdepim-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120107
 
  Fedora Core 3 Update: kdesdk-3.4.2-0.fc3.2
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120108
 
  Fedora Core 3 Update: kdetoys-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120109
 
  Fedora Core 3 Update: kdeutils-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120110
 
  Fedora Core 3 Update: kdevelop-3.2.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120111
 
  Fedora Core 3 Update: kdewebdev-3.4.2-0.fc3.1
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120112
 
  Fedora Core 3 Update: koffice-1.4.1-0.FC3.2
  15th, August, 2005

update to 1.4.1

http://www.linuxsecurity.com/content/view/120113
 
  Fedora Core 4 Update: xpdf-3.00-20.FC4.2
  15th, August, 2005

A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.

http://www.linuxsecurity.com/content/view/120114
 
  Fedora Core 3 Update: xpdf-3.00-10.6.FC3
  15th, August, 2005

A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.

http://www.linuxsecurity.com/content/view/120115
 
  Fedora Core 3 Update: arts-1.4.2-0.fc3.2
  15th, August, 2005

update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120116
 
  Fedora Core 3 Update: kdeedu-3.4.2-0.fc3.2
  15th, August, 2005

Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain.

http://www.linuxsecurity.com/content/view/120117
 
  Fedora Core 3 Update: arts-1.4.2-0.fc3.3
  15th, August, 2005

Update to KDE 3.4.2

http://www.linuxsecurity.com/content/view/120118
 
  Fedora Core 4 Update: kdepim-3.4.2-0.fc4.3
  15th, August, 2005

This update should fix a bug which caused kmail saves attachments as zero-sized files

http://www.linuxsecurity.com/content/view/120119
 
  Fedora Core 4 Update: epiphany-1.6.5-1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120132
 
  Fedora Core 4 Update: system-config-netboot-0.1.26-1_FC4
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120133
 
  Fedora Core 3 Update: kdbg-2.0.0-0.fc3.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120134
 
  Fedora Core 4 Update: doxygen-1.4.4-0.fc4.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120135
 
  Fedora Core 4 Update: kdbg-2.0.0-0.fc4.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120136
 
  Fedora Core 4 Update: kdeedu-3.4.2-0.fc4.2
  18th, August, 2005

Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked.

http://www.linuxsecurity.com/content/view/120137
 
  Fedora Core 3 Update: ncpfs-2.2.4-4.FC3.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120138
 
  Fedora Core 3 Update: gaim-1.5.0-1.fc3
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120139
 
  Fedora Core 4 Update: gaim-1.5.0-1.fc4
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120140
 
  Fedora Core 3 Update: system-config-bind-4.0.0-30
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120141
 
  Fedora Core 4 Update: system-config-bind-4.0.0-30_FC4
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120142
 
  Fedora Core 3 Update: pcre-4.5-3.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120143
 
  Fedora Core 4 Update: tar-1.15.1-8.FC4
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120144
 
  Fedora Core 4 Update: gstreamer-plugins-0.8.8-9
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120145
 
  Fedora Core 4 Update: vnc-4.1.1-10.1
  18th, August, 2005

This package disables the render patch, which was causing problems when using the loadable X module.

http://www.linuxsecurity.com/content/view/120146
 
  Fedora Core 3 Update: netpbm-10.28-1.FC3.2
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120147
 
  Fedora Core 4 Update: metacity-2.10.3-1
  18th, August, 2005

This update of metacity fixes the behavior of minimized transient dialogs for some applications.

http://www.linuxsecurity.com/content/view/120148
 
  Fedora Core 4 Update: cups-1.1.23-15.1
  18th, August, 2005

These updated packages fix a problem handling PDF files that could have security implications.

http://www.linuxsecurity.com/content/view/120149
 
  Fedora Core 3 Update: cups-1.1.22-0.rc1.8.6
  18th, August, 2005

These updated packages fix a problem handling PDF files that could have security implications.

http://www.linuxsecurity.com/content/view/120150
 
  Fedora Core 4 Update: pygtk2-2.6.2-0.fc4.1
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120151
 
  Fedora Core 4 Update: shadow-utils-4.0.7-10.FC4
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120152
 
  Fedora Core 4 Update: netpbm-10.28-1.FC4.2
  18th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120153
 
   Gentoo
  Gentoo: Gaim Remote execution of arbitrary code
  15th, August, 2005

Gaim is vulnerable to a buffer overflow which could lead to the execution of arbitrary code or to a Denial of Service.

http://www.linuxsecurity.com/content/view/120081
 
  Gentoo: AWStats Arbitrary code execution using malicious Referrer information
  16th, August, 2005

AWStats fails to validate certain log input, which could lead to the execution of arbitrary Perl code during the generation of the statistics.

http://www.linuxsecurity.com/content/view/120122
 
  Gentoo: Xpdf, Kpdf, GPdf Denial of Service vulnerability
  16th, August, 2005

Xpdf, Kpdf and GPdf may crash as a result of a Denial of Service vulnerability.

http://www.linuxsecurity.com/content/view/120123
 
  Gentoo: bluez-utils Bluetooth device name validation vulnerability
  17th, August, 2005

Improper validation of Bluetooth device names can lead to arbitrary command execution.

http://www.linuxsecurity.com/content/view/120130
 
   Red Hat
  RedHat: Critical: Adobe Acrobat Reader security update
  16th, August, 2005

Updated acroread packages that fix a security issue are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120125
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Encryption goof fixed in TorrentLocker file-locking malware
Qubes: The Open Source OS Built for Security
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.