Re: Security problem in PHP3+Postgres with Potato?

2002-03-25 Thread Benoît Sibaud
> > What's the normal way to make a security bug report?
> apt-get install bug

The 'bug' package is for "normal" bugs. [EMAIL PROTECTED] seems to be
the right place to report security problems. Sorry for my previous post.

-- 
Benoît Sibaud
R&D Engineer - France Telecom


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Security problem in PHP3+Postgres with Potato?

2002-03-25 Thread Benoît Sibaud
Hi,

I think I found a security problem in PHP3+postgres+apache shipped with
Potato.

Correct me if I'm wrong, but the following code should support any $var.
If you uncomment the client_encoding line, I'm able to execute any
request I want with the right $var.

%<--
  $conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT
   . " user=" . BASE_USER);
  $var="X";
  //pg_exec($conn, "SET client_encoding = 'LATIN1'");
  $requete = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";
  echo $requete;
  $query = pg_exec($conn, $requete);
%<--

Tested on Debian GNU/Linux Potato i386, with
apache 1.3.9-14
php3   3.0.18-0
php3-pgsql 3.0.18-0
postgresql 6.5.3-27

What's the normal way to make a security bug report?

-- 
Benoît Sibaud
R&D Engineer - France Telecom
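As an added example (not code from the original post), here is the same lookup rewritten so that the value is bound as a query parameter instead of being spliced into the SQL text after addslashes(). addslashes() works on bytes and knows nothing about the connection's client_encoding, which is exactly the dependency the post observed; a bound parameter never becomes part of the SQL text, so the encoding in effect cannot change how the query's quotes are parsed. The example assumes PHP 5.1 or later with the pgsql extension (pg_query_params() did not exist in PHP3) and the same BASE_DOC, BASE_PORT and BASE_USER constants as the post's snippet, plus the table and column names used there.

```php
<?php
// Added example, not from the original post. Assumes PHP 5.1+ with the
// pgsql extension and the constants BASE_DOC, BASE_PORT and BASE_USER
// defined elsewhere, exactly as the post's snippet does.

function lookup_col($conn, $var)
{
    // The SQL text contains no user data at all. $1 is a placeholder that
    // the server binds to $var after the statement has been parsed, so no
    // quote or backslash in $var can terminate the literal, whatever
    // client_encoding is in effect. Single quotes keep $1 literal in PHP.
    $result = pg_query_params($conn, 'SELECT col FROM tab WHERE col = $1', array($var));
    if ($result === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($conn));
    }
    // Older PHP returns false for an empty result set; normalise to array.
    return pg_fetch_all($result) ?: array();
}

$conn = pg_connect('dbname=' . BASE_DOC . ' port=' . BASE_PORT . ' user=' . BASE_USER);
if ($conn === false) {
    die("connection failed\n");
}

// Whatever $var contains is compared as data only; the echoed query text
// in the original snippet is no longer needed because the text never varies.
$var = "X";
foreach (lookup_col($conn, $var) as $row) {
    echo $row['col'], "\n";
}
```

If the SQL text really has to be assembled by hand, pg_escape_string($conn, $s) (and, from PHP 5.4.4, pg_escape_literal()) quote according to the connection's encoding rather than byte by byte as addslashes() does, but parameters remain the safer default because they remove the quoting problem instead of trying to get it right.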






Re: syslog messages

2002-02-21 Thread Benoît Sibaud
> I have checked this and i am running the recommended version
> nfs-common_0.1.9.1-1, also i don't see any obvious signs of access. Dose
> this mean i don't need to worry about it or is there something else i
> should be doing ?
There is a bug in nfs-common_0.1.9.1 in Potato (#111990,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=111990&archive=yes&repeatmerged=yes).
This bug is NOT related to your problem (nor to any security problem,
except putting garbage in logcheck mails), but you may be interested.

dists/potato/main/binary-sparc/net/nfs-kernel-server_0.1.9.1-1.deb
dists/potato/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb
dists/potato/main/binary-i386/net/nfs-kernel-server_0.1.9.1-1.deb
dists/potato/main/binary-i386/net/nfs-common_0.1.9.1-1.deb
pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_i386.deb
pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_sparc.deb
pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_i386.deb
pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_sparc.deb

You should use nfs-common_0.1.9.1-1.potato1 to avoid this problem.
Can somebody explain to me why the replacement 0.1.9.1-1 ->
0.1.9.1-1.potato1 is not done automatically by apt?
My /etc/apt/source.list is:
deb ftp://LOCAL_MIRROR/pub/debian stable main contrib non-free
deb ftp://LOCAL_MIRROR/pub/debian-non-US stable/non-US main contrib non-free
deb ftp://LOCAL_MIRROR/pub/debian-security stable/updates main contrib non-free
(LOCAL_MIRROR is one of our boxes mirroring ftp.fr.debian.org and
security.debian.org, just for our own needs).

-- 
Benoît Sibaud
R&D Engineer - France Telecom
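One thing worth ruling out when a security update is not picked up is whether its version string actually sorts above the installed one, since apt only considers a package an upgrade when dpkg's ordering says so. The following is an added example, not from the post and not dpkg's own code: an independent PHP port of the documented dpkg version comparison (epoch, then upstream version, then Debian revision; digit runs compared numerically, '~' sorting before everything, letters before non-letters), applied to the two versions named in the post. It goes beyond the page in implementing the full ordering rather than this one pair.

```php
<?php
// Added example, not from the original post: a port of the dpkg version
// ordering rules, written independently of dpkg's source. Used here to
// confirm that 0.1.9.1-1.potato1 sorts above 0.1.9.1-1, so apt would take
// it as an upgrade once the security source is actually read.

function dpkg_char_order($c)
{
    if ($c === '' || ctype_digit($c)) return 0;   // end of string or digit
    if ($c === '~') return -1;                    // '~' sorts before everything
    if (ctype_alpha($c)) return ord($c);          // letters before non-letters
    return ord($c) + 256;                         // other characters last
}

// Compare one version component (upstream or revision) the dpkg way.
function dpkg_verrevcmp($a, $b)
{
    $i = 0; $j = 0; $la = strlen($a); $lb = strlen($b);
    while ($i < $la || $j < $lb) {
        $firstDiff = 0;
        // Non-digit runs: compare character by character with the order above.
        while (($i < $la && !ctype_digit($a[$i])) || ($j < $lb && !ctype_digit($b[$j]))) {
            $ac = dpkg_char_order($i < $la ? $a[$i] : '');
            $bc = dpkg_char_order($j < $lb ? $b[$j] : '');
            if ($ac !== $bc) return $ac - $bc;
            $i++; $j++;
        }
        // Digit runs: compare numerically, ignoring leading zeros.
        while ($i < $la && $a[$i] === '0') $i++;
        while ($j < $lb && $b[$j] === '0') $j++;
        while ($i < $la && ctype_digit($a[$i]) && $j < $lb && ctype_digit($b[$j])) {
            if ($firstDiff === 0) $firstDiff = ord($a[$i]) - ord($b[$j]);
            $i++; $j++;
        }
        if ($i < $la && ctype_digit($a[$i])) return 1;   // a has more digits: larger
        if ($j < $lb && ctype_digit($b[$j])) return -1;  // b has more digits: larger
        if ($firstDiff !== 0) return $firstDiff;
    }
    return 0;
}

// Split "epoch:upstream-revision" into its three parts.
function dpkg_parse_version($v)
{
    $epoch = 0;
    if (($p = strpos($v, ':')) !== false) {
        $epoch = (int) substr($v, 0, $p);
        $v = substr($v, $p + 1);
    }
    $rev = '';
    if (($p = strrpos($v, '-')) !== false) {
        $rev = substr($v, $p + 1);
        $v = substr($v, 0, $p);
    }
    return array($epoch, $v, $rev);
}

// Returns <0, 0 or >0 like strcmp(), following dpkg's precedence.
function dpkg_compare_versions($a, $b)
{
    list($ea, $ua, $ra) = dpkg_parse_version($a);
    list($eb, $ub, $rb) = dpkg_parse_version($b);
    if ($ea !== $eb) return $ea < $eb ? -1 : 1;
    $c = dpkg_verrevcmp($ua, $ub);
    if ($c !== 0) return $c;
    return dpkg_verrevcmp($ra, $rb);
}

$installed = '0.1.9.1-1';           // version from the stable dists/ tree
$candidate = '0.1.9.1-1.potato1';   // version from the security pool/
if (dpkg_compare_versions($candidate, $installed) > 0) {
    echo "$candidate is newer than $installed: apt upgrades to it if the security source is read\n";
} else {
    echo "$candidate is NOT newer than $installed: apt will never select it\n";
}
```

Because the revision "1.potato1" compares greater than "1" (the extra ".potato1" sorts after the end of the shorter string), the ordering is not the reason for the missing upgrade; the next things to check are whether the mirror really carries the stable/updates tree and what `apt-cache policy nfs-common` reports as the candidate version.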




Re: More security for screensavers

2002-01-09 Thread Benoît Sibaud
Hi,

> It's there in Sid already (maybe Woody too -- haven't checked).  If
In Woody too.

> Does anyone know if xscreensaver-demo on Potato have an option like
> that?
No it hasn't.

Disabling the feature on each box would be easier at install time, but I
respect the maintainer's choice. Working in an R&D center, I think it's a
security problem, but it's true it isn't one for "classic" users.

The bug report has been closed by the maintainer.

-- 
Benoît Sibaud
R&D Engineer - France Telecom





Re: More security for screensavers

2002-01-08 Thread Benoît Sibaud
Ted Cabeen wrote:
> Good call.  The default should probably be set to off.  A debconf question
> of "low" priority would probably also be a good thing.

I opened the #128169 bug report (
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=128169 )
"For security reasons, xscreensaver shouldn't be allowed to grab desktop
images by default (which is currently the case).
Screensavers like Jigsaw or Spotlight can allow bad guys to see what
you're doing, even if you lock your screen.

Discussed on debian-security, thread beginning here:
http://lists.debian.org/debian-security/2002/debian-security-200201/msg00014.html"

For now, the xscreensaver maintainer disagrees.
"I disagree. It is NOT a security issue, it has been discussed the last
3 times it was brought up, and it's easy enough to change if it bothers
you. Neither your bug or the discussion you pointed to adds anything to
the debate that's been carried on several times before."

-- 
Benoît Sibaud
R&D Engineer - France Telecom




Re: More security for screensavers

2002-01-03 Thread Benoît Sibaud
Hi,

> Xscreensaver has options that let you prevent screensavers from grabbing
> desktop images.  If you run xscreensaver-demo, it's in the options tab.
> From my brief look, none of the xlockmore modes grab the screen.

That's correct, but grabbing desktop images is enabled by default and
I've never seen a Debconf question about it during installation (I badly
wrote my previous post and forgot to specify "at installation level").
Perhaps it should be disabled by default (probably not useful to add a
question for this small point).

-- 
Benoît Sibaud
R&D Engineer - France Telecom




More security for screensavers

2002-01-02 Thread Benoît Sibaud
Hi,

Correct me if I'm wrong, but I didn't see any "security level
configuration" for either xscreensaver or xlockmore. What I mean is a way
to choose something like a class of screensavers, like 'secure' or 'fun'
or both: all screensavers save the screen, but they don't all protect
privacy; some screensavers (like Spotlight or Jigsaw for example) don't
fully hide the desktop; some others like Bomb (which really disconnects
the user at the end of the countdown) are 'dangerous' in a corporate
environment.

I suppose I should write a bug report, but I wanted to know the security
team's opinion first.

Oh, last point: happy new year, best wishes, long life to Debian

-- 
Benoît Sibaud
R&D engineer - France Telecom




Re: ssh and root

2001-12-12 Thread Benoît Sibaud
Hi,

> BTW: I would prefer to keep the main cvs repository local and copy
> (rsync ?) it to the foreign server, if that's possible.  Or would this
> confuse cvs on the other server?  Would I have direct write access to
> 'my' files in the (foreign) repository or only over cvs?  Hints welcome.
(I only know about SF) I don't think you can rsync the SF CVS. You can
import your files in, but you don't have full control over your files:
you can't remove directories from your CVS tree, and you can't change
file permissions on your files (be careful if you commit scripts or
executables). For both, you'll have to submit a request to the SF team. And
you don't have ssh access to the SF CVS servers AFAIK (only to the users
server).

-- 
Benoît Sibaud




Re: Compiling HostSentry

2001-06-26 Thread Benoît Sibaud
Hi,

> printf("offset of username:
Wrong copy-paste. I don't know how to complete it.

Linux X 2.2.19 #1 Wed May 16 07:41:58 EST 2001 i686 unknown
size of utmp struct: 384
size of ut_type: 2
size of pid_t: 4
offset of tty name: 6
size of tty name: 32

Linux Y 2.2.19 #1 Mon Apr 2 13:29:46 EDT 2001 sparc unknown
size of utmp struct: 384
size of ut_type: 2
size of pid_t: 4
offset of tty name: 6
size of tty name: 32

--
Benoît Sibaud
R&D Engineer - France Telecom


