The bug is in PHP, not Apache. If you are not using PHP, then you are not
vulnerable. CSY does not distribute a PHP for MPE.
- Mark B.
Johnson, Tracy wrote:
> I read the following today regarding HP-UX.
>
> Is MPE/iX also vulnerable?
>
> Tracy Johnson
> MSI Schaevitz Sensors
>
> [FOR PUBLIC RELEASE]
> -----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> HP Apache Server Vulnerability in PHP
> [HPSBUX0208-207]
>
> August 9, 2002 19:00 GMT Number M-108
> ______________________________________________________________________________
> PROBLEM: The potential exists for a remotely exploitable vulnerability
> in the portion of PHP code responsible for handling file
> uploads, specifically multipart/form-data.
> PLATFORM: HP9000 Servers running HP-UX release 11.00, 11.11, 11.20, and
> 11.22 with the HP Apache product installed.
> DAMAGE: Potential for increased privilege, denial of service, or
> execution of arbitrary code.
> SOLUTION: Install product bundles as described below.
> ______________________________________________________________________________
> VULNERABILITY ASSESSMENT: The risk is HIGH. Exploiting this vulnerability
> could lead to an increase of privileges, denial of service, or execution of
> arbitrary code. It is remotely exploitable.
> ______________________________________________________________________________
> LINKS:
> CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-108.shtml
> ORIGINAL BULLETIN: http://online.securityfocus.com/advisories/4362
> ______________________________________________________________________________
>
> [***** Start HPSBUX0208-207 *****]
>
> http://www.ciac.org/ciac/bulletins/m-108.shtml
>
> [***** End HPSBUX0208-207 *****]
>
> -----BEGIN PGP SIGNATURE-----
>
> [PGP signature snipped. What? You don't trust or believe it's from
> the govern-meant?]
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>
>
>
--
Remainder of .sig suppressed to conserve expensive California electrons...