Your message dated Wed, 6 Jun 2012 13:56:21 -0500
with message-id <[email protected]>
and subject line Re: Bug#676311: collabtive: Arbitrary file upload/execution
has caused the Debian Bug report #676311,
regarding collabtive: Arbitrary file upload/execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
676311: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676311
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: collabtive
Version: 0.7.5-5
Severity: important
Tags: security
Information from: http://seclists.org/bugtraq/2012/Jun/6
"""
Vulnerability:
During the upload of an avatar image for a Collabtive user, the manageuser.php
script checks the file type using the MIME type provided in the POST request
(via the $_FILES['userfile']['type'] variable) rather than by extension. This
MIME type can be spoofed via an intercepting proxy or custom POST script
allowing a malicious user to upload an arbitrary file. This file will be placed
in a predictable web accessible path with an easily determined name. In most
installations, execution from this directory is not restricted which allows a
remote attacker to execute a PHP script uploaded this way with the privileges
of the web user.
Access to the avatar upload function is restricted to logged in users, but
because of Collabtive's design decisions in implementing OpenID support, this
is easily accomplished. If an unknown user supplies a valid OpenID v1.0 URL as
the username on the login page, Collabtive will automatically create a new user
based on the referenced credentials. That new user is not authorized to access
any projects, but is authorized to upload an avatar image. This allows an
attacker with no other knowledge of the host site or its users to exploit the
vulnerability."""
Fix: Upgrade to Collabtive v0.7.6 or greater
Please contact me in case this needs more testing/verification.
http://xync.org/2012/06/04/Arbitrary-File-Upload-in-Collabtive.html
- Henri Salo
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
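The check the advisory describes, trusting the client-supplied MIME type, shown beside a hardened replacement, as an added example in PHP. This is not Collabtive's manageuser.php code and is not from the seclists post; the function names, the avatar-directory handling and the constructed sample inputs (a 1x1 PNG and a PHP stub, both sent with Content-Type image/png) are assumptions for illustration only.

```php
<?php
// Added example (not Collabtive code): the weak avatar check from the advisory
// next to a hardened version. Names and inputs below are assumptions.
declare(strict_types=1);

// The weak check. $_FILES['userfile']['type'] is copied straight from the
// Content-Type header of the multipart part, so the attacker chooses it.
function avatar_ok_weak(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened check: ignore the client-supplied type and filename, sniff the
// bytes actually stored in the temp file, confirm they decode as an image,
// and return the extension the server picks. Returns null on rejection.
function avatar_ext_hardened(array $file, int $maxBytes = 512 * 1024): ?string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_file($file['tmp_name']) || filesize($file['tmp_name']) > $maxBytes) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$detected])) {
        return null;
    }
    // The image must also parse, and the parser must agree with the sniffer.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }
    return $allowed[$detected];
}

// Destination: random server-chosen name and server-chosen extension, which
// removes the "predictable path, easily determined name" half of the bug.
// The directory must still be served with script execution disabled.
function avatar_dest(string $dir, string $ext): string
{
    return rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// In a real upload handler the move must use move_uploaded_file(), which
// refuses any path that is not a genuine upload for this request:
//   $ext = avatar_ext_hardened($_FILES['userfile']);
//   if ($ext === null || !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
//       http_response_code(400); exit;
//   }
//   move_uploaded_file($_FILES['userfile']['tmp_name'], avatar_dest($avatarDir, $ext));

// Stand-alone demonstration with constructed inputs; no real HTTP upload.
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($png, base64_decode(   // a valid 1x1 PNG, constructed
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
    $php = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($php, "<?php echo 'not an image'; ?>");

    // Both parts claim image/png; only the first one is a PNG.
    foreach (['real png' => $png, 'php script' => $php] as $label => $tmp) {
        $fake = ['name' => 'x.png', 'type' => 'image/png', 'tmp_name' => $tmp,
                 'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp)];
        printf("%-11s weak=%s hardened=%s\n", $label,
            avatar_ok_weak($fake) ? 'accept' : 'reject',
            avatar_ext_hardened($fake) ?? 'reject');
    }
    unlink($png);
    unlink($php);
}
```

Run from the command line, the weak check accepts both files because both carry the spoofed Content-Type, while the hardened check returns `png` for the image and rejects the script. Note that checking only the client-supplied extension, as the advisory contrasts with the MIME check, would not be enough on its own either: the extension that matters is the one the server writes, which is why it is derived from the sniffed type here. The page does not reproduce the Apache snippet the maintainer refers to; with mod_php, disabling execution in the avatar directory is done with `php_admin_flag engine off` inside a `<Directory>` block for it, and that belongs in place as defence in depth even after the upload check is fixed.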
--- Begin Message ---
Version: 0.7.6-1
Hi,
Version 0.7.6-1 was uploaded six days ago; 0.7.5-5 will be replaced by it
as soon as the migration period to testing is over.
I will be including the snippet mentioned in seclists.org as part of
the Apache configuration, though, starting with the next version.
Thanks,
--- End Message ---