Bug#365533: CVE-2006-1896: Admin command execution

2006-05-28 Thread Thijs Kinkhorst
On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
> Problem is that Jeroen announced that he's on a trip through Mexico now,
> so I'm left without someone to upload. Maybe the (testing) security team
> or any other DD interested in getting this bug fixed, can take a look
> and upload?
> 
> Please find the updated packages here:
> http://www.a-eskwadraat.nl/~kink/phpbb/

Still looking for an uploader here... thanks.


Thijs


signature.asc
Description: This is a digitally signed message part


Bug#365533: CVE-2006-1896: Admin command execution

2006-04-30 Thread Stefan Fritsch
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-1896:
Unspecified vulnerability in phpBB allows remote authenticated users
with Administration Panel access to execute arbitrary PHP code via
crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature
values, possibly involving the highlight functionality.  NOTE: the
original report does not clarify whether this issue is static code
injection, eval injection, or another type of vulnerability.

See
http://www.securityfocus.com/archive/1/archive/1/431015/100/0/threaded


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#365533: CVE-2006-1896: Admin command execution

2006-05-03 Thread Thijs Kinkhorst
On Sun, 2006-04-30 at 21:31 +0200, Stefan Fritsch wrote:
> Unspecified vulnerability in phpBB allows remote authenticated users
> with Administration Panel access to execute arbitrary PHP code via
> crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature
> values, possibly involving the highlight functionality.  NOTE: the
> original report does not clarify whether this issue is static code
> injection, eval injection, or another type of vulnerability.

Thanks for the report. While I think that people who are admin can
already do a lot of damage and should hence be considered trusted,
executing php code is a step further in permissions and thus this can be
considered a security issue. I will look into a fix soon.


Thijs




Bug#365533: CVE-2006-1896: Admin command execution

2006-05-14 Thread Jeroen van Wolffelaar
tags 365533 patch
thanks

On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> Thanks for the report. While I think that people who are admin can
> already do a lot of damage and should hence be considered trusted,
> executing php code is a step further in permissions and thus this can be
> considered a security issue. I will look into a fix soon.

Patch (untested):

--- phpBB2/viewtopic.php2005-10-31 08:32:37.0 +0100
+++ phpBB2/viewtopic.php2006-05-15 08:25:12.0 +0200
@@ -1105,6 +1105,12 @@
{
// This was shamelessly 'borrowed' from volker at 
multiartstudio dot de
// via php.net's annotated manual
+
+   // First, defuse fontcolor3, as it'd otherwise be arbitrary 
code execution
+   if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
+   $theme['fontcolor3'] = 'FFA34F';
+   }
+
$message = str_replace('\"', '"', 
substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" 
. str_replace('\\', '', addslashes($highlight_match)) . ")\b#i', '1', '\\0')", 
'>' . $message . '<'), 1, -1));
}
 
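Review bot: the new eregi("^[0-9a-f]+$", ...) check accepts a hex string of any length, while the fallback 'FFA34F' shows that a six-digit colour is what the code expects. Tightening the pattern to exactly six hex digits (^[0-9a-f]{6}$) would make over-long and too-short values fall back to the default as well. The fallback is also applied silently; logging when the stored value is rejected would make a tampered theme visible to the board owner.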
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Bug#365533: CVE-2006-1896: Admin command execution

2006-05-17 Thread Thijs Kinkhorst
On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote:
> On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> > Thanks for the report. While I think that people who are admin can
> > already do a lot of damage and should hence be considered trusted,
> > executing php code is a step further in permissions and thus this can be
> > considered a security issue. I will look into a fix soon.
> 
> Patch (untested):
> 
> --- phpBB2/viewtopic.php  2005-10-31 08:32:37.0 +0100
> +++ phpBB2/viewtopic.php  2006-05-15 08:25:12.0 +0200
> @@ -1105,6 +1105,12 @@
>   {
>   // This was shamelessly 'borrowed' from volker at 
> multiartstudio dot de
>   // via php.net's annotated manual
> +
> + // First, defuse fontcolor3, as it'd otherwise be arbitrary 
> code execution
> + if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
> + $theme['fontcolor3'] = 'FFA34F';
> + }
> +
>   $message = str_replace('\"', '"', 
> substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', 
> "@preg_replace('#\b(" . str_replace('\\', '', 
> addslashes($highlight_match)) . ")\b#i', ' $theme['fontcolor3'] . "\">1', '\\0')", '>' . $message . 
> '<'), 1, -1));
>   }
>  
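Review bot: the preg_replace() call on the unchanged $message line still uses the 'e' modifier ('#se'), so the replacement string is evaluated as PHP and this patch constrains only one of the values interpolated into it; $highlight_match is still concatenated into the same evaluated string after addslashes() and str_replace(). A follow-up that replaces the evaluated replacement with preg_replace_callback() would mean that neither the theme colour nor the highlight terms are ever parsed as code.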

I've tested this patch on both testing and production boards, and it
works, so it's now committed to the sarge branch. If the security team
agrees that this warrants an advisory, we're all set for that, the only
thing is that Jeroen needs to build some packages out of the current
branch but I think he's quite capable of that :)

Security team: please review the problem at hand and proposed patch. If
ok, then Jeroen will supply you with updated packages a.s.a.p.

W.r.t. unstable, I will look into that very soon, we'll need to be
upgrading to a new upstream as well. I'll check whether that can be done
in the short term, if not, I'll prepare a patched package.


Thijs





Bug#365533: CVE-2006-1896: Admin command execution

2006-05-17 Thread Moritz Muehlenhoff
Thijs Kinkhorst wrote:
> On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote:
> > On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> > > Thanks for the report. While I think that people who are admin can
> > > already do a lot of damage and should hence be considered trusted,
> > > executing php code is a step further in permissions and thus this can be
> > > considered a security issue. I will look into a fix soon.
> > 
> > Patch (untested):
> > 
> > --- phpBB2/viewtopic.php2005-10-31 08:32:37.0 +0100
> > +++ phpBB2/viewtopic.php2006-05-15 08:25:12.0 +0200
> > @@ -1105,6 +1105,12 @@
> > {
> > // This was shamelessly 'borrowed' from volker at 
> > multiartstudio dot de
> > // via php.net's annotated manual
> > +
> > +   // First, defuse fontcolor3, as it'd otherwise be arbitrary 
> > code execution
> > +   if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
> > +   $theme['fontcolor3'] = 'FFA34F';
> > +   }
> > +
> > $message = str_replace('\"', '"', 
> > substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', 
> > "@preg_replace('#\b(" . str_replace('\\', '', 
> > addslashes($highlight_match)) . ")\b#i', ' > $theme['fontcolor3'] . "\">1', '\\0')", '>' . $message . 
> > '<'), 1, -1));
> > }
> >  
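Review bot: the check sits in viewtopic.php at the point where $theme['fontcolor3'] is used for highlighting, so it repairs the value on each page view but does not stop a bad value from being stored, and any other code that reads $theme['fontcolor3'] is not covered by this hunk. Validating the colour with the same pattern where the theme is saved would address the problem at the source; keeping this check too is fine as a second layer.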
> 
> I've tested this patch on both testing and production boards, and it
> works, so it's now committed to the sarge branch. If the security team
> agrees that this warrants an advisory, we're all set for that,

Given that phpbb issues are frequently actively exploited, we should issue
an update for this.

> the only
> thing is that Jeroen needs to build some packages out of the current
> branch but I think he's quite capable of that :)
> Security team: please review the problem at hand and proposed patch. If
> ok, then Jeroen will supply you with updated packages a.s.a.p.

The patch looks fine, please go ahead.

> W.r.t. unstable, I will look into that very soon, we'll need to be
> upgrading to a new upstream as well. I'll check whether that can be done
> in the short term, if not, I'll prepare a patched package.

Ok, thanks.

Cheers,
Moritz





Bug#365533: CVE-2006-1896: Admin command execution

2006-05-23 Thread Thijs Kinkhorst
tags 365533 pending
thanks

On Thu, 2006-05-18 at 05:21 +0200, Moritz Muehlenhoff wrote:
> > W.r.t. unstable, I will look into that very soon, we'll need to be
> > upgrading to a new upstream as well. I'll check whether that can be done
> > in the short term, if not, I'll prepare a patched package.
> 
> Ok, thanks.

Thanks for fixing stable. I've also prepared a fix for sid now. The
difference with the previous version in sid is the same patch as for
sarge, plus I've added a debconf translation.

Problem is that Jeroen announced that he's on a trip through Mexico now,
so I'm left without someone to upload. Maybe the (testing) security team
or any other DD interested in getting this bug fixed, can take a look
and upload?

Please find the updated packages here:
http://www.a-eskwadraat.nl/~kink/phpbb/

Packages have been tested and work here.


thanks,
Thijs




Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-28 Thread Steve Kemp
On Sun, May 28, 2006 at 11:02:18PM +0200, Thijs Kinkhorst wrote:
> On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
> > Problem is that Jeroen announced that he's on a trip through Mexico now,
> > so I'm left without someone to upload. Maybe the (testing) security team
> > or any other DD interested in getting this bug fixed, can take a look
> > and upload?
> > 
> > Please find the updated packages here:
> > http://www.a-eskwadraat.nl/~kink/phpbb/
> 
> Still looking for an uploader here... thanks.

  Uploaded.

Steve
-- 

> 
> 
> Thijs



> ___
> Secure-testing-team mailing list
> Secure-testing-team@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team


-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Thijs Kinkhorst
On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
>   Uploaded.

Thanks! But... can't find the upload anywhere? Maybe something went
wrong or am I looking the wrong way?


Thijs





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Jeroen van Wolffelaar
On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> >   Uploaded.
> 
> Thanks! But... can't find the upload anywhere? Maybe something went
> wrong or am I looking the wrong way?

I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
it looks like something went wrong. Since I have internet again here in
Mexico, I'll see whether I can do it tonight (but otoh... so much to do
tonight in Mex. City). So Steve (or anyone), if you can sponsor, that's
very much appreciated.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Steve Kemp
On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
> On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> > On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> > >   Uploaded.
> > 
> > Thanks! But... can't find the upload anywhere? Maybe something went
> > wrong or am I looking the wrong way?
> 
> I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
> it looks like something went wrong. 

  Strange.  I don't remember noticing an upload error, or a signing
 error.

  I've re-signed + reuploaded for you.  If it works great, if not
 I guess test that network access ;)

Steve
-- 





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Jeroen van Wolffelaar
On Tue, May 30, 2006 at 06:21:39PM +0100, Steve Kemp wrote:
> On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
> > On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> > > On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> > > >   Uploaded.
> > > 
> > > Thanks! But... can't find the upload anywhere? Maybe something went
> > > wrong or am I looking the wrong way?
> > 
> > I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
> > it looks like something went wrong. 
> 
>   Strange.  I don't remember noticing an upload error, or a signing
>  error.
> 
>   I've re-signed + reuploaded for you.  If it works great, if not
>  I guess test that network access ;)

Just ACCEPTED indeed.

Must've been a magnetic sunstorm or so.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

