Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)

2011-01-08 Thread Adam D. Barratt
On Wed, 2011-01-05 at 22:40 +, Dominic Hargreaves wrote:
 On Sun, Dec 12, 2010 at 06:13:12PM +, Adam D. Barratt wrote:
  On Fri, 2010-12-10 at 22:33 +, Dominic Hargreaves wrote:
   I've pushed the diff to git now:
   http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f
[...]
   DSA and/or SRM, would this be okay to release as either a DSA or update
   to stable?
  
  From a quick look the diff looks okay, but I'd prefer a definitive
  answer from the security team before we think about a stable update.
 
 I've heard nothing from the security team; is this time to think about
 a stable update instead?

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1294508880.2903.6195.ca...@hathi.jungle.funky-badger.org



Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)

2011-01-05 Thread Dominic Hargreaves
On Sun, Dec 12, 2010 at 06:13:12PM +, Adam D. Barratt wrote:
 On Fri, 2010-12-10 at 22:33 +, Dominic Hargreaves wrote:
  I've pushed the diff to git now:
  http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f
  
  and built/basic sanity checked the resulting packages. It's quite
  possibly not complete but in the absence of upstream support for older
  versions is at least a decent attempt.
  
  DSA and/or SRM, would this be okay to release as either a DSA or update
  to stable?
 
 From a quick look the diff looks okay, but I'd prefer a definitive
 answer from the security team before we think about a stable update.

I've heard nothing from the security team; is this time to think about
a stable update instead?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


Archive: http://lists.debian.org/20110105224047.gk4...@urchin.earth.li



Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)

2010-12-12 Thread Adam D. Barratt
On Fri, 2010-12-10 at 22:33 +, Dominic Hargreaves wrote:
 I've pushed the diff to git now:
 http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f
 
 and built/basic sanity checked the resulting packages. It's quite
 possibly not complete but in the absence of upstream support for older
 versions is at least a decent attempt.
 
 DSA and/or SRM, would this be okay to release as either a DSA or update
 to stable?

From a quick look the diff looks okay, but I'd prefer a definitive
answer from the security team before we think about a stable update.

Regards,

Adam


Archive: 
http://lists.debian.org/1292177592.3595.940.ca...@hathi.jungle.funky-badger.org



Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)

2010-12-10 Thread Dominic Hargreaves
On Wed, Dec 08, 2010 at 11:15:24PM +, Dominic Hargreaves wrote:
 On Wed, Dec 08, 2010 at 07:51:50PM +, Dominic Hargreaves wrote:
 
  The changes can be summarised roughly as follows:
  
   lib/MT/App/Search.pm|   22 +-
  
  Input checking
 
 Patch does not apply to 4.2.3-1+lenny1
 
   lib/MT/CMS/Tools.pm |5 -
  
  HTML/JS escaping
 
 Patch does not apply to 4.2.3-1+lenny1
 
   lib/MT/Template/Context/Search.pm   |4 ++--
  
  URI encoding
 
 Applies to 4.2.3-1+lenny1
 
   lib/MT/Template/ContextHandlers.pm  |   26 --
  
  Input checking, HTML escaping
 
 Applied with small adaptation.
 
   php/extlib/ezsql/ezsql_postgres.php |2 +-
  
  Modifying input checking
 
 Applies to 4.2.3-1+lenny1
 
   php/lib/mtdb_base.php   |   23 +++
  
  Modifying logic to accommodate escaping
 
 Applies to 4.2.3-1+lenny1
 
   php/mt.php  |5 +++--
  
  Modifying input checking
 
 Applies to 4.2.3-1+lenny1
 
  Although not well documented it's clear that these changes are all
  security-relevant, so I propose to upload 4.3.5 to unstable and have it
  migrate to testing. I will go ahead with an upload to unstable this
  evening unless someone shouts.
 
  Still TODO: assess stable.
 
 So, at least some of these issues probably apply to stable. I'd
 appreciate any help validating these changes (I haven't had a chance
 to build or test yet) and helping determine whether the two fixes which
 didn't apply at all need adjusting (ie whether the issues exist in 4.23
 in a different form).
 
 I've attached the results of the above patching.

I've pushed the diff to git now:
http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f

and built/basic sanity checked the resulting packages. It's quite
possibly not complete but in the absence of upstream support for older
versions is at least a decent attempt.

DSA and/or SRM, would this be okay to release as either a DSA or update
to stable?

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


Archive: http://lists.debian.org/20101210223340.gc2...@urchin.earth.li



Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)

2010-12-08 Thread Dominic Hargreaves
Ignoring files that have only changed SVN ID, removed files which
were already ignored by debian/rules (mt-static/support/dashboard/stats)
and changes which only bump the version number, we have the following
changes between MTOS 4.34 and 4.35:

 lib/MT/App/Search.pm|   22 +-
 lib/MT/CMS/Tools.pm |5 -
 lib/MT/Template/Context/Search.pm   |4 ++--
 lib/MT/Template/ContextHandlers.pm  |   26 --
 php/extlib/ezsql/ezsql_postgres.php |2 +-
 php/lib/mtdb_base.php   |   23 +++
 php/mt.php  |5 +++--
 7 files changed, 62 insertions(+), 25 deletions(-)

The vulnerabilities are not described by upstream except that there is
at least one XSS fix and at least one SQL injection fix.

The changes can be summarised roughly as follows:

 lib/MT/App/Search.pm|   22 +-

Input checking

 lib/MT/CMS/Tools.pm |5 -

HTML/JS escaping

 lib/MT/Template/Context/Search.pm   |4 ++--

URI encoding

 lib/MT/Template/ContextHandlers.pm  |   26 --

Input checking, HTML escaping

 php/extlib/ezsql/ezsql_postgres.php |2 +-

Modifying input checking

 php/lib/mtdb_base.php   |   23 +++

Modifying logic to accommodate escaping

 php/mt.php  |5 +++--

Modifying input checking

Although not well documented it's clear that these changes are all
security-relevant, so I propose to upload 4.3.5 to unstable and have it
migrate to testing. I will go ahead with an upload to unstable this
evening unless someone shouts.

Patch corresponding to above diffstat attached for reference.

Still TODO: assess stable.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff -wurN MTOS-4.34-en//lib/MT/App/Search.pm MTOS-4.35-en//lib/MT/App/Search.pm
--- MTOS-4.34-en//lib/MT/App/Search.pm	2009-12-17 08:45:12.0 +
+++ MTOS-4.35-en//lib/MT/App/Search.pm	2010-11-25 09:04:37.0 +
@@ -670,13 +670,14 @@
 $ctx-var('datebased_archive', 1) if ($app-param('archive_type')  
   ( $app-param('archive_type') =~ /Daily/i || $app-param('archive_type') =~ /Weekly/i
 || $app-param('archive_type') =~ /Monthly/i || $app-param('archive_type') =~ /Yearly/i ));
-if ($app-param('author')) {
+if ($app-param('author')   $app-param('author') =~ /^[0-9]*$/) {
 require MT::Author;
-my $author = MT::Author-load($app-param('author'));
+if ( my $author = MT::Author-load($app-param('author')) ) {
 $ctx-stash('author', $author);
 $ctx-var('author_archive', 1);
 }
-if ($app-param('category')) {
+}
+if ($app-param('category')  $app-param('category') =~ /^[0-9]*$/) {
 require MT::Category;
 my $category = MT::Category-load($app-param('category'));
 $ctx-stash('category', $category);
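Review bot: the category branch at the end of this hunk is left without the undef guard the author branch received. The author path is now `if ( my $author = MT::Author->load(...) )` around the stash, but `my $category = MT::Category->load(...)` is still followed by an unconditional `$ctx->stash('category', $category)`, so a well-formed numeric id that matches no row stashes undef; suggest the same `if ( my $category = ... ) { ... }` shape. Separately, `/^[0-9]*$/` is looser than it looks: `*` accepts the empty string (only the preceding truthiness test keeps that out here) and `$` matches before a trailing newline, so "12\n" passes; `\A[0-9]+\z` says what is meant. This is a robustness point, not an injection path, since only a newline can slip through.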
@@ -1004,6 +1005,8 @@
 $query =~ s/'//g;
 }
 
+my $can_search_by_id = $query =~ /^[0-9]*$/ ? 1 : 0;
+
 my $lucene_struct = Lucene::QueryParser::parse_query($query);
 if ( 'PROHIBITED' eq $term-{type} ) {
 $_-{type} = 'PROHIBITED' foreach @$lucene_struct;
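Review bot: `$can_search_by_id` is 1 for an empty `$query` because of `[0-9]*`, and `$` lets a query ending in a newline count as numeric; since the value gates whether the numeric `id` column is searched at all, `\A[0-9]+\z` is the tighter and clearer test. Note also that the only other sanitisation visible in the context lines is `$query =~ s/'//g;`, which strips quotes rather than quoting them; the new flag is what actually keeps non-numeric input away from the id comparison, so a short comment saying so would help anyone backporting this.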
@@ -1011,7 +1014,11 @@
 
 # search for exact match
 my ($terms)
-= $app-_query_parse_core( $lucene_struct, { id = 1, label = 1 }, {} );
+= $app-_query_parse_core( $lucene_struct, {
+( $can_search_by_id ? ( id = 1 ) : () ),
+label = 1
+},
+{} );
 return unless $terms  @$terms;
 push @$terms, '-and',
 {
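Review bot: nothing in the hunk documents why the `id => 1` term is now conditional while `label => 1` is always passed to `_query_parse_core`. The thread above shows the backporter had to infer the intent from the diff alone; a one-line comment at the conditional (for example: id is a numeric column, so only match on it when the whole query is digits) would make the security purpose of the change explicit and let a reader check that the `label` path has its own escaping.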
@@ -1039,12 +1046,17 @@
 $query =~ s/'//g;
 }
 
+my $can_search_by_id = $query =~ /^[0-9]*$/ ? 1 : 0;
+
 my $lucene_struct = Lucene::QueryParser::parse_query($query);
 if ( 'PROHIBITED' eq $term-{type} ) {
 $_-{type} = 'PROHIBITED' foreach @$lucene_struct;
 }
 my ($terms)
-= $app-_query_parse_core( $lucene_struct, { id = 1, nickname = 'like' },
+= $app-_query_parse_core( $lucene_struct, {
+( $can_search_by_id ? ( id = 1 ) : () ),
+nickname = 'like',
+},
 {} );
 return unless $terms  @$terms;
 push @$terms, '-and', { id = \'= entry_author_id', };
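Review bot: the `$can_search_by_id` computation and the conditional `( $can_search_by_id ? ( id => 1 ) : () )` hash construction are copied verbatim from the previous hunk, with only the second key (`nickname => 'like'` here, `label => 1` there) differing. Factoring the digits test into one small helper, for instance a hypothetical `_query_is_numeric($query)` used in both places, would ensure a later tightening of the regex is applied to both search paths at once rather than to one of them.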
diff -wurN MTOS-4.34-en//lib/MT/CMS/Tools.pm MTOS-4.35-en//lib/MT/CMS/Tools.pm
--- MTOS-4.34-en//lib/MT/CMS/Tools.pm	2009-12-16 22:59:13.0 +
+++ MTOS-4.35-en//lib/MT/CMS/Tools.pm	2010-11-24 06:26:40.0 +
@@ -112,6 +112,9 @@
 $param ||= {};
 $param-{'email'} = $app-param('email');
 $param-{'return_to'} = $app-param('return_to') || $cfg-ReturnToURL || '';
+if ( $param-{recovered} ) {
+$param-{return_to} = MT::Util::encode_js($param-{return_to});
+}
 $param-{'can_signin'} = (ref $app eq 'MT::App::CMS') ? 1 : 0;
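Review bot: `MT::Util::encode_js` is applied to `return_to` only inside `if ( $param->{recovered} )`, yet the value comes from `$app->param('return_to')` in both branches. The hunk does not show the template, so a reviewer should confirm that the non-recovered path never places `return_to` in a JavaScript string context; if it does, the encoding needs to move out of the conditional. Also, JS-string encoding only protects the script context, it does not constrain where `return_to` points, so whether the destination is checked before any redirect is a separate question this hunk does not answer.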
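The "Input checking" summarised in the 2010-12-08 message comes down to allow-listing request parameters as all-digit ids before they reach a `load` call. The following is an added example, not Movable Type or Debian code, that puts the patch's regex beside a stricter form and runs both over constructed inputs so the difference is visible; the function names are assumptions for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not MTOS code). The 4.35 patch gates MT::Author->load and
# MT::Category->load on a request parameter matching /^[0-9]*$/.  The two
# subs below compare that pattern with an anchored, non-empty variant.

# The test as written in the patch: '*' accepts "", and '$' matches
# before a trailing newline, so "42\n" is accepted too.
sub is_numeric_id_patch {
    my ($v) = @_;
    return ( defined $v && $v =~ /^[0-9]*$/ ) ? 1 : 0;
}

# Stricter: \A and \z anchor at the true string ends, '+' requires a digit.
sub is_numeric_id_strict {
    my ($v) = @_;
    return ( defined $v && $v =~ /\A[0-9]+\z/ ) ? 1 : 0;
}

# Constructed sample values a request parameter might carry.
my @cases = (
    "42",          # plain id
    "",            # empty parameter
    "42\n",        # id with trailing newline
    "42 OR 1=1",   # injection-shaped input
    "4'2",         # stray quote
    "042",         # leading zero, still digits
);

for my $c (@cases) {
    ( my $shown = $c ) =~ s/\n/\\n/g;
    printf "%-14s patch=%d strict=%d\n",
        "'$shown'", is_numeric_id_patch($c), is_numeric_id_strict($c);
}
```

Run with `perl`; the two columns differ only on the empty string and the trailing-newline case, which is why the patch also needs the preceding truthiness test on `$app->param('author')` to keep an empty value away from `load`, and why the stand-alone `$can_search_by_id` test in Search.pm is better written with `\A[0-9]+\z`. Neither gap lets a quote or keyword through, so this is about precision of the check rather than a bypass.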