
OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.
Advisory number:        CSSA-2003-SCO.30
Issue date:             2003 November 06
Cross reference:        sr883606 fz528215 erg712409
______________________________________________________________________________


1. Problem Description

        Perl is a high-level interpreted programming language well
        known for its flexibility and ability to work with text
        streams. 

        Obscure^ (obscure@xxxxxxxxxxxxxxxxx) reported a cross-site
        scripting vulnerability in the CGI.pm Perl module. This
        module is used to facilitate the creation of web forms and
        is part of the perl-modules RPM package.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                Perl distribution
        OpenServer 5.0.6                Perl distribution
        OpenServer 5.0.5                Perl distribution


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7 
        
        4.1 First install Maintenance Pack 1
        
        ftp://ftp.sco.com/pub/openserver5/507/osr507mp/

        4.2 Next install gwxlibs

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

        4.3 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

        4.4 Verification

        MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
        MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
        MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
        MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.5 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.


5. OpenServer 5.0.6 / OpenServer 5.0.5

        5.1 First install OSS646B - Execution Environment Supplement
        
        ftp://ftp.sco.com/pub/openserver5/oss646b

        5.2 Next install gwxlibs

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

        5.3 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

        5.4 Verification

        MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
        MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
        MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
        MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.5 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.
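        The verification and install steps above (sections 4 and 5 use the
        same four images and the same sums) can be tied together so that
        custom is only run once every image matches. The script below is an
        added example, not part of the SCO advisory; it assumes the VOL.*
        files were downloaded to /tmp as the advisory's steps say, that
        either GNU md5sum or the md5 tool is on the PATH, and the file name
        verify_vol.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the SCO advisory): verify the downloaded VOL.*
# images against the MD5 sums the advisory lists before running "custom".
# Uses GNU md5sum if present, else the md5 tool ("MD5 (file) = hash" format).

# Expected digests for CSSA-2003-SCO.30, "file hash" per line (from 4.4/5.4).
EXPECTED_SUMS='VOL.000.000 af4167c4c52e3af6dcc94289807b008e
VOL.000.001 2129b31fbde991c7ecdba826de8fc4b1
VOL.000.002 a6ee80a4f937f985dbe4eb247e98d350
VOL.000.003 b84437579b43fa8cc57ff8936490543d'

# Print the MD5 hex digest of file $1 with whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 "$1" | sed 's/.*= //'
    fi
}

# verify_images DIR [SUMS]: check each listed image under DIR. Returns 0
# only if every image exists and matches, so a missing or altered image
# blocks the install step that follows.
verify_images() {
    dir=$1
    sums=${2:-$EXPECTED_SUMS}
    rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            rc=1
        elif [ "$(md5_of "$file")" = "$want" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file"
            rc=1
        fi
    done <<EOF
$sums
EOF
    return $rc
}

# Usage: sh verify_vol.sh /tmp   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    verify_images "$1" || { echo "verification failed; do not run custom" >&2; exit 1; }
fi
```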



6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 
                http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2 
                http://eyeonsecurity.org/advisories/CGI.pm/adv.html

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883606, fz528215 and
        erg712409.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

8. Acknowledgments

        SCO would like to thank Obscure^ for reporting this issue.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/qve+aqoBO7ipriERAqUtAJ9MBKogbCSdqJ8UrBA6YDmu2dXosQCgiaI9
LzUtvWmI6sIIeitugMgsyRg=
=2/ex
-----END PGP SIGNATURE-----