[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Analog version 5.23



Dear analog compilers,

I've just issued version 5.23 of analog, with the following security warning
against previous versions. But note that this warning only affects the form
interface.

-- 
Stephen Turner, Cambridge, UK    http://homepage.ntlworld.com/adelie/stephen/
"This is Henman's 8th Wimbledon, and he's only lost 7 matches." BBC, 2/Jul/01

=============================================================================

SECURITY ADVISORY                                        14th May 2002
----------------------------------------------------------------------
Program: analog form interface, anlgform.pl
Versions: all versions prior to 5.23
Operating systems: all
Type: denial of service (disk space)
----------------------------------------------------------------------
This advisory _only_ affects users who have installed the optional
form interface to analog, anlgform.pl, and made it available to
untrusted users. Please note that it's not usually a good idea to do
this anyway. There are other obvious denial-of-service attacks
available to malicious users who can run CPU-intensive programs on
your system, which this advisory cannot and does not attempt to
address.

anlgform.pl is the CGI front end to analog, allowing analog to be
controlled from a web form. As a security precaution, anlgform refuses
to pass on to analog certain commands which should not be available to
untrusted users.

In all versions prior to 5.23, the default installation of the program
omitted one command which should have been on this forbidden list. The
PROGRESSFREQ command allows regular updates on the progress of analog
to be written to stderr. If an untrusted user can use this command, he
can set the updates to be written very often, quickly filling up the
web server error log. On a typical machine, this could prevent any
messages being written to any other system log files, which could mask
another attack.

Users in the vulnerable category are advised to consider whether
anlgform.pl should be available to untrusted users at all. If they
still want to make it available, they are advised to upgrade to
version 5.23 of analog immediately. The URL for analog is
  http://www.analog.cx/

                                                        Stephen Turner
                                         analog-author_(_at_)_lists_(_dot_)_isite_(_dot_)_net



Visit your host, monkey.org