TUCoPS :: SCO :: bt1658.txt

OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.



To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability. 
Advisory number: 	CSSA-2003-SCO.30
Issue date: 		2003 November 06
Cross reference:	sr883606 fz528215 erg712409
______________________________________________________________________________


1. Problem Description

	Perl is a high-level interpreted programming language well
	known for its flexibility and ability to work with text
	streams. 

	Obscure^ (obscure@eyeonsecurity.org) reported a cross site
	scripting vulnerability in the CGI.pm perl module. This
	module is used to facilitate the creation of web forms and
	is part of the perl-modules RPM package.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.7 		Perl distribution
	OpenServer 5.0.6		Perl distribution
	OpenServer 5.0.5 		Perl distribution


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.7 
	
	4.1 First install Maintenance Pack 1
	
	ftp://ftp.sco.com/pub/openserver5/507/osr507mp/

	4.2 Next install gxwlibs

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

	4.2 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

	4.3 Verification

	MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
	MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
	MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
	MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.4 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.


5. OpenServer 5.0.6 / OpenServer 5.0.5

	5.1 First install OSS646B - Execution Environment Supplement
	
	ftp://ftp.sco.com/pub/openserver5/oss646b

	5.2 Next install gwxlibs

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

	5.3 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

	5.4 Verification

	MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
	MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
	MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
	MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.5 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.



6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 
		http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2 
		http://eyeonsecurity.org/advisories/CGI.pm/adv.html

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr883606 fz528215 
	erg712409.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.

8. Acknowledgments

	SCO would like to thank Obscure^ for reporting this issue.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/qve+aqoBO7ipriERAqUtAJ9MBKogbCSdqJ8UrBA6YDmu2dXosQCgiaI9
LzUtvWmI6sIIeitugMgsyRg=
=2/ex
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH