HP3000-L Archives

August 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Reply To: Mark Bixby <[log in to unmask]>
Date: Mon, 12 Aug 2002 10:07:46 -0700

The bug is in PHP, not Apache.  If you are not using PHP, then you are not
vulnerable.  CSY does not distribute a PHP for MPE.

- Mark B.

Johnson, Tracy wrote:

> I read the following regarding today HPC-UX.
>
> Is MPE/iX also vulnerable?
>
> Tracy Johnson
> MSI Schaevitz Sensors
>
> [FOR PUBLIC RELEASE]
> -----BEGIN PGP SIGNED MESSAGE-----
>
>                 __________________________________________________________
>
>                        The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>              __________________________________________________________
>
>                              INFORMATION BULLETIN
>
>                      HP Apache Server Vulnerability in PHP
>                                 [HPSBUX0208-207]
>
> August 9, 2002 19:00 GMT                                          Number M-108
> ______________________________________________________________________________
> PROBLEM:       The potential exists for a remotely exploitable vulnerability
>                in the portion of PHP code responsible for handling file
>                uploads, specifically multipart/form-data.
> PLATFORM:      HP9000 Servers running HP-UX release 11.00, 11.11, 11.20, and
>                11.22 with the HP Apache product installed.
> DAMAGE:        Potential for increased privilege, denial of service, or
>                execution of arbitrary code.
> SOLUTION:      Install product bundles as described below.
> ______________________________________________________________________________
> VULNERABILITY  The risk is HIGH. Exploiting this vulnerability could lead to
> ASSESSMENT:    an increase of privileges, denial of service, or execution of
>                arbitrary code. It is remotely exploitable.
> ______________________________________________________________________________
> LINKS:
>  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-108.shtml
>  ORIGINAL BULLETIN:  http://online.securityfocus.com/advisories/4362
> ______________________________________________________________________________
>
> [***** Start HPSBUX0208-207 *****]
>
> http://www.ciac.org/ciac/bulletins/m-108.shtml
>
> [***** End HPSBUX0208-207 *****]
>
> -----BEGIN PGP SIGNATURE-----
>
> [PGP signature snipped.  What?  You don't trust or believe it's from
> the govern-meant?]
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>
>
>


--
[log in to unmask]
Remainder of .sig suppressed to conserve expensive California electrons...
