SECURITY ADVISORY 14th May 2002 ---------------------------------------------------------------------- Program: analog form interface, anlgform.pl Versions: all versions prior to 5.23 Operating systems: all Type: denial of service (disk space) ---------------------------------------------------------------------- This advisory _only_ affects users who have installed the optional form interface to analog, anlgform.pl, and made it available to untrusted users. Please note that it's not usually a good idea to do this anyway. There are other obvious denial-of-service attacks available to untrusted users who can run CPU-intensive programs on your system, which this advisory cannot and does not attempt to address. anlgform.pl is the CGI front end to analog, allowing analog to be controlled from a web form. As a security precaution, anlgform refuses to pass on to analog certain commands which should not be available to untrusted users. In all versions prior to 5.23, the default installation of the program omitted one command which should have been on this forbidden list. The PROGRESSFREQ command allows regular updates on the progress of analog to be written to stderr. If an untrusted user can use this command, he can set the updates to be written very often, quickly filling up the web server error log. On a typical machine, this could prevent any messages being written to any other system log files, which could mask another attack. Users in the vulnerable category are advised to consider whether anlgform.pl should be available to untrusted users at all. If they still want to make it available, they are advised to upgrade to version 5.23 of analog immediately. The URL for analog is http://www.analog.cx/ Stephen Turner [email protected]
Stephen Turner