On Wednesday 26 March 2008 at 11:40 +0100, Olivier Berger wrote:

> Having had a closer look at the phpsysinfo integration in phpgroupware
> in etch, I'm not so sure it was even a problem, since I cannot exactly
> understand how the vulnerable code could have been executed. It is
> located in the phpsysinfo footer and I only see ways to have the
> standard phpgroupware footer displayed... but I'm not so much aware of
> the XSS mechanism involved here.
> SNIP
> Maybe I'll get in touch with upstream to try and get a clearer view.

FYI, here's the response from upstream concerning this fix, which indicates that apparently (as I suspected), phpGroupware wasn't vulnerable.

Now, for consistency (and better safe than sorry?), we may apply the patch... but we might just as well close the bug... I'll need the security team's advice on what to do, I think.

Copy of http://lists.gnu.org/archive/html/phpgroupware-developers/2008-03/msg00076.html below:

-------- Forwarded Message --------
From: Dave Hall <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Thu, 27 Mar 2008 10:45:26 +0000

Hi Olivier,

I thought I would reply publicly here in addition to my email last night my time.

On Wed, 2008-03-26 at 12:21 +0100, Olivier Berger wrote:
> Hi.
>
> I'm trying to understand if/how the code in 0.9.16.011 was indeed
> vulnerable concerning the phpsysinfo XSS vulnerability...
>
> Can you please enlighten me (privately, if details are sensitive)?
>
> My impression is that the Debian package was after all not vulnerable...
> as the phpsysinfo footer shouldn't have been called directly, the
> phpsysinfo being wrapped by phpgroupware... Or I have it all wrong on
> how the XSS works... or the proposed patch for a fix for Debian was
> useless... or... I'm a bit lost ;)

After looking into this, we weren't vulnerable in the first place - oh the joys of jumping at shadows when you are under-resourced. I looked at the old code - scary stuff.

The fix proposed in http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936 should be used for debian (old)stable just to be sure.

The 0.9.16.012 release updated phpsysinfo to 2.5.4 from upstream (with some mods), to keep our code in sync.

Thanks for picking this up.

Just so people are clear, CVE-2007-4048 was not exploitable when running phpsysinfo from within phpGroupWare. In 0.9.16.012 you got an updated (and more secure) version of phpsysinfo.

> Btw, if there's a security related list, it may be worth being on board
> as soon as possible to be able to prepare patches and so on for the
> Debian package...

There isn't such a list. What I usually do is try to grab our packagers to let them know what is happening in advance - by a couple of hours. I am happy to try to provide security-only patches on request, or give you a list of svn revision/s to grab.

Cheers

Dave

--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry