Package: eskuel
Version: 1.0.5-3
Severity: critical
Tags: security patch
Justification: causes serious data loss

It's possible to read any file on the system.

File: include/functions.inc.php
Vulnerable function: select_lang_config()

Vulnerable code:

    [...]
    $lang_config_cookie = (isset($HTTP_COOKIE_VARS['ConfLangCookie'])) ? $HTTP_COOKIE_VARS['ConfLangCookie'] : '';
    $force_config = (isset($HTTP_POST_VARS['lang_config'])) ? $HTTP_POST_VARS['lang_config'] : '';

    if ($force_config != '') {
        $lang_conf = $force_config;
    } elseif ($lang_config_cookie != '') {
        $lang_conf = $lang_config_cookie;
    } else {
        $lang_conf = $conf['defaultTxt'];
    }

    if ($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
    }

    ### Getting the good $txt var from the lang res file
    include './lang/'.$lang_conf;
    [...]

Vulnerability details and exploitation:

It's possible to use the "ConfLangCookie" cookie value or the "lang_config" POST value to specify an arbitrary file, which will be included by the "include './lang/'.$lang_conf" instruction. If one of the "ConfLangCookie" or "lang_config" values is "../../../../../../../../../../../etc/passwd", it's possible to read the user list.

Simple patch:

    if ($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
    }
+   if (strpos("..", $lang_conf) !== FALSE) die("Invalid language file");

    ### Getting the good $txt var from the lang res file
    include './lang/'.$lang_conf;

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages eskuel depends on:
ii  apache2                       2.0.54-2     next generation, scalable, extenda
ii  apache2-mpm-prefork [apache2  2.0.54-2     traditional model for Apache2
ii  php4-cgi                      4:4.3.10-13  server-side, HTML-embedded scripti
ii  php4-mysql                    4:4.3.10-13  MySQL module for php4

-- no debconf information
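Review bot: the added `+` line in the proposed patch has strpos()'s arguments reversed. PHP's signature is strpos($haystack, $needle), so `strpos("..", $lang_conf)` searches the two-character string ".." for the attacker-controlled value; it only matches when $lang_conf is "." or "..", and a traversal value such as the "../../../../../../../../../../../etc/passwd" shown above passes the check unchanged and is still included. It should read `if (strpos($lang_conf, "..") !== FALSE) die("Invalid language file");`. Even corrected, a substring blocklist is a weak fix for an include of user input; validating $lang_conf against a strict filename pattern or the files actually present in ./lang/, and falling back to the default otherwise, closes the whole class rather than one string.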
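A hardened replacement for the language selection in select_lang_config(), written here as an added example (it is not eskuel's code and assumes PHP 7 or later): the request value is used only if it is a bare filename of the expected form and resolves to an existing regular file inside the language directory; anything else falls back to the default.

```php
<?php
// Added example, not eskuel's code. Hardened replacement for the language
// selection in select_lang_config(): the user-supplied value is only used
// if it is a bare filename of the expected form AND resolves to an existing
// regular file inside $langDir. Requires PHP 7 or later.
function select_lang_file(string $langDir, array $conf, array $cookie, array $post): string
{
    $default = 'francais.inc.php';

    // Same precedence as the original: POST value, then cookie, then config.
    // is_string() also rejects array-valued parameters (lang_config[]=...).
    $requested = '';
    foreach ([$post['lang_config'] ?? '', $cookie['ConfLangCookie'] ?? '', $conf['defaultTxt'] ?? ''] as $candidate) {
        if (is_string($candidate) && $candidate !== '') {
            $requested = $candidate;
            break;
        }
    }

    // Allowlist by shape: letters/underscores plus ".inc.php". This rejects
    // slashes, "..", NUL bytes and anything that is not a language file name.
    if (!preg_match('/\A[a-z_]+\.inc\.php\z/', $requested)) {
        $requested = $default;
    }

    // Defence in depth: resolve both paths (realpath() collapses ".." and
    // symlinks) and require the file to sit inside the language directory
    // and to be a regular file. Otherwise use the default.
    $root = realpath($langDir);
    $path = realpath($langDir . '/' . $requested);
    if ($root === false
        || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return $langDir . '/' . $default;
    }
    return $path;
}

// Usage at the original include site; './lang' mirrors the original relative
// path and $conf is the application's configuration array.
include select_lang_file('./lang', $conf, $_COOKIE, $_POST);
```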