Yellow Dog Linux Security Announcement -------------------------------------- Package: piranha Issue Date: May 02, 2000 Update Date: May 02, 2000 Priority: high Advisory ID: YDU-2000502-1 1. Topic: The GUI portion of Red Hat's Piranha software may allow any remote attacker to execute commands on the server. This may allow a remote attacker to launch additional exploits against a web site from inside the web server. 2. Problem: The following information is from Red Hat's errata page: When Piranha is installed, it generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be released with a blank password. Unfortunately, the password that is actually on the CD is 'Q'. The original intent was that, when the administrator installed Piranha rpms onto their box, that they would change the default blank password to a password of their own choosing. This is not a hidden account. Its only use is to protect the web pages from unauthorized access. The security problem arises from the http://localhost/piranha/secure/passwd.php3 file. It is possible to execute commands by entering 'blah;some-command' into the password fields. Everything after the semicolon is executed with the same privilege as the webserver. Because of this, it is possible to compromise the webserver or do serious damage to files on the site that are owned by the user 'nobody' or to export a shell using xterm. This update, piranha-0.4.14-1 disables the piranha web interface by default. The site administrator will need to enable the service manually as described by the main page of the piranha utility. Users that are not actively using Piranha on their system are urged to remove the piranha-gui package from their system using the following command. rpm -e piranha-gui 3. Solution: a) Updating via yup... We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command will automatically retrieve and install the fixed version of man onto your system: yup update piranha yup update piranha-docs yup update piranha-gui b) Updating manually... The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/ piranha-0.4.14-1.ppc.rpm piranha-docs-0.4.14-1.ppc.rpm piranha-gui-0.4.14-1.ppc.rpm rpm -Fvh piranha-0.4.14-1.ppc.rpm rpm -Fvh piranha-docs-0.4.14-1.ppc.rpm rpm -Fvh piranha-gui-0.4.14-1.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- dbeef5c36b6ed6898978da30475bb395 RPMS/piranha-0.4.14-1.ppc.rpm b45486eafcfe87c7f40977d991f3e2e7 RPMS/piranha-docs-0.4.14-1.ppc.rpm f29c0e0545034428b52ae80817d90b67 RPMS/piranha-gui-0.4.14-1.ppc.rpm a8f97a9de5fe7561dd576a913201e267 SRPMS/piranha-0.4.14-1.src.rpm All updates are signed by Terra Soft Solutions, Inc. with our GPG key which is available at: http://www.yellowdoglinux.com/resources/public_key.shtml You can verify each package with the following command: rpm --checksig filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information. For information regarding the usage of yup, the Yellow Dog Update Program, see http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml