Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » [OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)

[OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)

by Nikola Strahija on October 23rd, 2002 Vulnerability: cross side scripting


Affected Releases: Affected Packages: Corrected Packages:
OpenPKG 1.0 <= apache-1.3.22-1.0.5 >= apache-1.3.22-1.0.6
OpenPKG 1.1 <= apache-1.3.26-1.1.1 >= apache-1.3.26-1.1.2
OpenPKG CURRENT <= apache-1.3.27-20021009 >= apache-1.3.27-20021023

Description:
Joe Orton discovered a cross site scripting (XSS)
bug [3] in mod_ssl [1], the SSL/TLS component for the Apache webserver
[2]. Like the other recent Apache XSS bugs, this only affects servers
using a combination of "UseCanonicalName off" (_not_ the default in
OpenPKG package of Apache) and a wildcard A record of the server in
the DNS. Although this combination for HTTPS servers is even less
common than with plain HTTP servers, this nevertheless could allow
remote attackers to execute client-side script code as other web page
visitors via the HTTP "Host" header.

Please check whether you are affected by running "/bin/rpm -q
apache". If you have an affected version of the "apache" package (see
above), upgrade it according to the solution below. Remember to also
rebuild and reinstall any dependent OpenPKG packages. [4]

Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6][7], fetch it from the OpenPKG FTP service or a mirror location,
verify its integrity [8], build a corresponding binary RPM from it
and update your OpenPKG installation by finally installing the binary
RPM [4]. For the latest OpenPKG 1.1 release, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).

$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get apache-1.3.26-1.1.2.src.rpm
ftp> bye
$ /bin/rpm --checksig apache-1.3.26-1.1.2.src.rpm
$ /bin/rpm --rebuild apache-1.3.26-1.1.2.src.rpm
$ su -
# /bin/rpm -Fvh /RPM/PKG/apache-1.3.26-1.1.2.*.rpm
# /etc/rc apache stop start
________________________________________________________________________

References:
[1] http://www.modssl.org/
[2] http://httpd.apache.org/
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
[4] http://www.openpkg.org/tutorial.html#regular-source
[5] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpm
[6] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm
[7] ftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpm
[8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG " (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com".


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »