Bug#315671: webcalendar unauthorized access

2005-07-18 Thread Stephen Gran 
Hello all,

There is a security bug in webcalendar (#315671 and
http://www.securityfocus.com/bid/14072, for reference).  Tim is the
maintainer, but does not yet have a debian account, and cannot upload.
We have a fixed version for sarge ready (patch attached).  I am happy to
upload it for Tim, or you could based on the attached patch.  Please let
us know which way you want to handle this.  Tim is copied on this mail,
please keep both of us in the follow ups.

There is as yet no CVE, but the bugtraq ID is 14072.

Thanks,
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -
diff -Nru old/webcalendar-0.9.45/assistant_edit.php 
new/webcalendar-0.9.45/assistant_edit.php
--- old/webcalendar-0.9.45/assistant_edit.php   2004-11-29 05:18:17.0 
-0500
+++ new/webcalendar-0.9.45/assistant_edit.php   2005-07-18 14:37:26.0 
-0400
@@ -1,16 +1,24 @@
 
 
-
+
 \n";
   if ( $is_nonuser_admin ) {
diff -Nru old/webcalendar-0.9.45/debian/changelog 
new/webcalendar-0.9.45/debian/changelog
--- old/webcalendar-0.9.45/debian/changelog 2005-07-18 14:36:10.0 
-0400
+++ new/webcalendar-0.9.45/debian/changelog 2005-07-18 14:37:26.0 
-0400
@@ -1,3 +1,10 @@
+webcalendar (0.9.45-6) unstable; urgency=high
+
+  * Fixed a bug in assistant_edit.php that allows unauthorized access
+(closes: #315671)
+
+ -- Tim Peeler <[EMAIL PROTECTED]>  Mon, 11 Jul 2005 17:56:02 -0400
+
 webcalendar (0.9.45-5) unstable; urgency=low
 
   * Fixed a bug in the postinst that doesn't set permissions of settings.php
diff -Nru old/webcalendar-0.9.45/includes/js/assistant_edit.php 
new/webcalendar-0.9.45/includes/js/assistant_edit.php
--- old/webcalendar-0.9.45/includes/js/assistant_edit.php   2004-07-27 
15:03:10.0 -0400
+++ new/webcalendar-0.9.45/includes/js/assistant_edit.php   2005-07-18 
14:37:26.0 -0400
@@ -3,18 +3,18 @@
 function selectUsers () {
   // find id of user selection object
   var listid = 0;
-  for ( i = 0; i < document.forms[0].elements.length; i++ ) {
-if ( document.forms[0].elements[i].name == "users[]" )
+  for ( i = 0; i < document.assistanteditform.elements.length; i++ ) {
+if ( document.assistanteditform.elements[i].name == "users[]" )
   listid = i;
   }
-  url = "usersel.php?form=editentryform&listid=" + listid + "&users=";
+  url = "usersel.php?form=assistanteditform&listid=" + listid + "&users=";
   // add currently selected users
-  for ( i = 0, j = 0; i < document.forms[0].elements[listid].length; i++ ) {
-if ( document.forms[0].elements[listid].options[i].selected ) {
+  for ( i = 0, j = 0; i < document.assistanteditform.elements[listid].length; 
i++ ) {
+if ( document.assistanteditform.elements[listid].options[i].selected ) {
   if ( j != 0 )
 url += ",";
   j++;
-  url += document.forms[0].elements[listid].options[i].value;
+  url += document.assistanteditform.elements[listid].options[i].value;
 }
   }
   //alert ( "URL: " + url );


signature.asc
Description: Digital signature

Bug#315671: webcalendar unauthorized access

2005-07-18 Thread Martin Schulze 
Stephen Gran wrote:
> Hello all,

Thanks a lot for contacting us.

> There is a security bug in webcalendar (#315671 and
> http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> maintainer, but does not yet have a debian account, and cannot upload.
> We have a fixed version for sarge ready (patch attached).  I am happy to
> upload it for Tim, or you could based on the attached patch.  Please let
> us know which way you want to handle this.  Tim is copied on this mail,
> please keep both of us in the follow ups.
> 
> There is as yet no CVE, but the bugtraq ID is 14072.

I have requested an id.

While we're at it, have you checked this vulnerability as well?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

I'll take care of sarge.

Regards,

Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#315671: webcalendar unauthorized access

2005-07-19 Thread Stephen Gran 
This one time, at band camp, Martin Schulze said:
> Stephen Gran wrote:
> > Hello all,
> 
> Thanks a lot for contacting us.
> 
> > There is a security bug in webcalendar (#315671 and
> > http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> > maintainer, but does not yet have a debian account, and cannot upload.
> > We have a fixed version for sarge ready (patch attached).  I am happy to
> > upload it for Tim, or you could based on the attached patch.  Please let
> > us know which way you want to handle this.  Tim is copied on this mail,
> > please keep both of us in the follow ups.
> > 
> > There is as yet no CVE, but the bugtraq ID is 14072.
> 
> I have requested an id.

Great, thanks.

> While we're at it, have you checked this vulnerability as well?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

I had not seen it before.  We will get you a patch for this as well.

> I'll take care of sarge.

Excellent news.  So we'll try to get you a patch for CAN-2005-0474 later
today if possible, and you'll handle the upload fixing both - does that
work for you?  I guess I'll file a bug about CAN-2005-0474, so it's
easier to track it getting into both sid and etch.

Thanks again,
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


signature.asc
Description: Digital signature

Bug#315671: webcalendar unauthorized access

2005-07-19 Thread Stephen Gran 
This one time, at band camp, Martin Schulze said:
> While we're at it, have you checked this vulnerability as well?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

My mistake.  It appears that this is #295960 and #296280 and was fixed
in 0.9.45-3, so it made it to sarge.  So the only issue to fix is the
one we already sent a patch for, and you don't need to wait on anything
from us at this point, am I correct?

Thanks, and we'll get something into sid shortly.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


signature.asc
Description: Digital signature

Bug#315671: webcalendar unauthorized access

2005-07-19 Thread Martin Schulze 
Stephen Gran wrote:
> Hello all,
> 
> There is a security bug in webcalendar (#315671 and
> http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> maintainer, but does not yet have a debian account, and cannot upload.
> We have a fixed version for sarge ready (patch attached).  I am happy to
> upload it for Tim, or you could based on the attached patch.  Please let
> us know which way you want to handle this.  Tim is copied on this mail,
> please keep both of us in the follow ups.
> 
> There is as yet no CVE, but the bugtraq ID is 14072.

Just got it:

==
Candidate: CAN-2005-2320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2320
Reference: BID:14072
Reference: URL:http://www.securityfocus.com/bid/14072

WebCalendar before 1.0.0 does not properly restrict access to
assistant_edit.php, which allows remote attackers to gain privileges.


Regards,

Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]