______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.
Advisory number:        CSSA-2003-SCO.30.1
Issue date:             2003 November 11
Cross reference:        sr883606 fz528215 erg712409
______________________________________________________________________________


1. Problem Description

        UPDATED: Due to a packaging problem with perl-5.8.1Ab, this
        package has been updated to version perl-5.8.1Ac.

        Perl is a high-level interpreted programming language well known
        for its flexibility and ability to work with text streams.

        Obscure^ (obscure@eyeonsecurity.org) reported a cross-site
        scripting vulnerability in the CGI.pm perl module. This module
        is used to facilitate the creation of web forms and is part of
        the perl-modules RPM package.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                Perl distribution
        OpenServer 5.0.6                Perl distribution
        OpenServer 5.0.5                Perl distribution


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 First install Maintenance Pack 1

        ftp://ftp.sco.com/pub/openserver5/507/osr507mp/

        4.2 Next install gwxlibs

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

        4.3 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

        4.4 Verification

        MD5 (VOL.000.000) = 4ad16a3ad6efff072c5b92b9178abc16
        MD5 (VOL.000.001) = 39dafe09c7982f00b78886c3cd76489c
        MD5 (VOL.000.002) = 44eaaa63e8ca8e01d2bc7ac71033eb62
        MD5 (VOL.000.003) = 763cbb2b6b345e23b8c5c309dd0bbe9b

        md5 is available for download from

        ftp://ftp.sco.com/pub/security/tools

        4.5 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
           images, and specify the /tmp directory as the location of
           the images.


5. OpenServer 5.0.6 / OpenServer 5.0.5

        5.1 First install OSS646B - Execution Environment Supplement

        ftp://ftp.sco.com/pub/openserver5/oss646b

        5.2 Next install gwxlibs

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

        5.3 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

        5.4 Verification

        MD5 (VOL.000.000) = 4ad16a3ad6efff072c5b92b9178abc16
        MD5 (VOL.000.001) = 39dafe09c7982f00b78886c3cd76489c
        MD5 (VOL.000.002) = 44eaaa63e8ca8e01d2bc7ac71033eb62
        MD5 (VOL.000.003) = 763cbb2b6b345e23b8c5c309dd0bbe9b

        md5 is available for download from

        ftp://ftp.sco.com/pub/security/tools

        5.5 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
           images, and specify the /tmp directory as the location of
           the images.


6. References

        Specific references for this advisory:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
        http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2
        http://eyeonsecurity.org/advisories/CGI.pm/adv.html

        SCO security resources:

        http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883606 fz528215 erg712409.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO products.


8. Acknowledgments

        SCO would like to thank Obscure^ for reporting this issue.

______________________________________________________________________________
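As an added example that is not part of SCO's advisory, the following POSIX shell script automates the verification step of sections 4.4 / 5.4 so that the custom install in 4.5 / 5.5 is only run once every VOL.* image in /tmp matches its published MD5 sum. The manifest values and the /tmp location are taken from the advisory; the script assumes that either md5sum(1) or the md5 tool from ftp.sco.com is on PATH.

```shell
#!/bin/sh
# Added example (not SCO's code): check downloaded VOL.* media images
# against the MD5 sums published in the advisory before running "custom".
# Assumes md5sum(1) or the SCO md5 tool is on PATH.

# Manifest copied from sections 4.4 / 5.4, one "file:expected-md5" word each.
VOL_MANIFEST="
VOL.000.000:4ad16a3ad6efff072c5b92b9178abc16
VOL.000.001:39dafe09c7982f00b78886c3cd76489c
VOL.000.002:44eaaa63e8ca8e01d2bc7ac71033eb62
VOL.000.003:763cbb2b6b345e23b8c5c309dd0bbe9b
"

# Print the hex MD5 digest of a file with whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 "$1" | awk '{print $NF}'   # SCO/BSD style: "MD5 (f) = <hex>"
    fi
}

# check_vol FILE EXPECTED: returns 0 only if FILE exists and its digest matches.
check_vol() {
    [ -f "$1" ] || { echo "missing:  $1" >&2; return 1; }
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok:       $1"
        return 0
    fi
    echo "MISMATCH: $1 (got $actual, expected $2)" >&2
    return 1
}

# verify_vol_dir DIR: check every manifest entry under DIR. Returns 0 only
# if all four images are present and match; run "custom" only after that.
verify_vol_dir() {
    dir=$1; status=0
    for entry in $VOL_MANIFEST; do          # word-split on the newlines
        name=${entry%%:*}; sum=${entry#*:}
        check_vol "$dir/$name" "$sum" || status=1
    done
    return $status
}

# Run as "sh verify_vol.sh /tmp"; with no argument only the functions are
# defined, so the file can also be sourced.
if [ $# -gt 0 ]; then verify_vol_dir "$1"; fi
```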