Your message dated Wed, 11 Jan 2017 11:34:04 +0000 with message-id <[email protected]> and subject line Bug#746432: fixed in ocsinventory-server 2.2+dfsg-0.1 has caused the Debian Bug report #746432, regarding ocsinventory-reports oversanitizes GET and POST data, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
746432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746432
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ocsinventory-reports
Version: 2.0.5-1.1
Severity: important

Dear Maintainer,

ocsinventory-reports oversanitizes GET and POST data. In require/header.php there are the following three lines (179-181):

    //SECURITY
    $protectedPost=strip_tags_array($_POST);
    $protectedGet=strip_tags_array($_GET);

strip_tags_array is included in require/function_commun.php and applies PHP's intrinsic strip_tags to an entire array. This means that everything from a lesser sign to the next greater sign or the end of the string (whichever comes first) will be removed from all data supplied to the application by the user. This means that for example passwords containing lesser signs will not be handled correctly.

Steps to reproduce:

1. Set up a clean OCS inventory reports installation, make sure logging in with the initial password admin/admin works.

2. Use the following SQL command line to manually change the password to "<hello>":

       echo "UPDATE operators SET passwd=MD5('a<b12345') WHERE ID='admin';" \
         | mysql -p ocsweb

3. Try to log in with the username admin and the password a<b12345.

Note that if you change the password in the interface (and not the database directly), the same bug also affects the password change field. Therefore, logging in still works, but two serious problems remain here:

a. If you upgrade from a previous version that did not do this (e.g. Squeeze), then the database will still contain MD5 hashes of older passwords that potentially contained this character. In that case, logging in is not possible.

b. Suppose an administrator wants to set a somewhat strong password such as "2<AB557Gdv!3fghnj" (made up just for this bug report), and they do that in the web interface. Then strip_tags on that password will remove everything after the lesser sign and the password that will actually be stored in the database is going to be just "2", which is incredibly weak. And they may not notice it, since typing in the full password in the login screen still works, because the login screen also truncates it.

Since this code appeared between 2.0.1 and 2.0.2, presumably this was done to mitigate CVE-2011-4024, an XSS vulnerability. The problem here is that while using strip_tags does mitigate the XSS, it is actually not the proper fix. See OWASP for more details:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

I have had a short look at the source code of ocsinventory-reports and properly mitigating XSS without resorting to this quick&dirty strip_tags mitigation seems to necessitate touching a large amount of the PHP source code. The main issue here is the password handling; there are not that many places elsewhere in the software where user data is actually entered in this way (most data is collected via ocsinventory-server, which is a completely different codebase), so if you are interested, I can provide a patch that just works around the password issue. That wouldn't completely resolve this bug (since other data is also affected by strip_tags here), but it would reduce its severity.

Thank you!
--- End Message ---
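To make the truncation described in the report concrete, an added example (not code from ocsinventory-reports or from the reporter): it reconstructs strip_tags_array as the report describes it, runs the report's own passwords through it, and shows the handling the linked OWASP cheat sheet recommends instead, keeping the submitted credential intact for hashing and encoding data for the HTML context at output time. strip_tags_array, storePassword, checkPassword and renderValue are assumed names.

```php
<?php
// Added example, not code from ocsinventory-reports. strip_tags_array() is a
// minimal reconstruction of what the bug report describes (PHP's strip_tags()
// applied to every value of an array); the real function may differ in detail.
function strip_tags_array(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_tags_array($value) : strip_tags($value);
    }
    return $data;
}

// Constructed inputs, including the two passwords from the report, paired with
// what strip_tags() leaves behind: everything from '<' up to the next '>' or to
// the end of the string is removed.
$samples = [
    'a<b12345'          => 'a',
    '2<AB557Gdv!3fghnj' => '2',
    '<hello>'           => '',
    'plain-password'    => 'plain-password',
];
foreach ($samples as $input => $kept) {
    $got = strip_tags_array(['passwd' => $input])['passwd'];
    printf("%-22s stored as %-18s %s\n", var_export($input, true),
           var_export($got, true), $got === $kept ? 'ok' : 'UNEXPECTED');
}

// Corrected handling along the lines of the OWASP cheat sheet the report links:
// leave the submitted value intact, treat a password only as a credential
// (hash and verify it unchanged), and encode data for the HTML context when it
// is rendered instead of stripping it on input.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}
function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}
function renderValue(string $userData): string
{
    return htmlspecialchars($userData, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$hash = storePassword('2<AB557Gdv!3fghnj');
var_dump(checkPassword('2<AB557Gdv!3fghnj', $hash)); // verify with the full password
var_dump(checkPassword('2', $hash));                  // the truncated form must not verify
echo renderValue('<hello> & "world"'), "\n";          // encoded for safe HTML output
```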
--- Begin Message ---
Source: ocsinventory-server
Source-Version: 2.2+dfsg-0.1

We believe that the bug you reported is fixed in the latest version of ocsinventory-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated ocsinventory-server package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Mon, 09 Jan 2017 11:52:00 +0100
Source: ocsinventory-server
Binary: ocsinventory-server ocsinventory-reports
Architecture: source all
Version: 2.2+dfsg-0.1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Description:
 ocsinventory-reports - Hardware and software inventory tool (Administration Console)
 ocsinventory-server - Hardware and software inventory tool (Communication Server)
Closes: 732899 746429 746432 821539 822159 848444 848478
Changes:
 ocsinventory-server (2.2+dfsg-0.1) unstable; urgency=low
 .
   [ Jean-Michel Vourgère ]
   * New upstream release: (Closes: #822159)
     - No longer oversanitizing passwords. (Closes: #746432)
     - Updated dependencies requirements, including for PHP7. (Closes: #821539)
     - d/copyright: Strip upstream source from ieee-data, libjs-bootstrap, libjs-elycharts, libjs-jquery, libjs-jquery-datatables, libjs-jquery-ui, libjs-jquery-migrate-1, libjs-raphael, php-cas, and phpqrcode. Added +dfsg suffix to d/watch. New patch use_system_libraries.
     - Drop patch 03_oui_format, applied upstream.
     - Refreshed apache2 conf files from upstream. New lintian overrides.
     - reports.post(inst|rm): New directory for logs.
   * New d/patch/mainsection_dir cherry picked from upstream master.
   * Updated d/watch after upstream move to github.
   * New patch apache_conf_name to fix the help.
   * Added alternatives to libapache2-mod-php dependency. (Closes: #746429)
   * Added alternative to mysql-client dependency for MariaDB. (Closes: #732899)
   * Dropped unused lintian overrides.
   * d/rules: Tuned .pl permissions, no longer cleaning main_menu.xml.bak.
   * Add d/README.source to work around uscan crash.
   * Bumped policy version to 3.9.8: No change required.
   * Switched Vcs-Git: to a secure uri scheme.
   * New lintian override for datetimepicker.js source with long lines.
   * Updated mysql packages names and alternatives (Closes: #848444, #848478)
 .
   [ Ondřej Surý ]
   * Non-maintainer upload to finally get rid of php5 in unstable
--- End Message ---

