Bug#307270: marked as done (eskuel: arbitrary file retreiving)

Tue, 05 Jul 2005 14:53:36 -0700 

Your message dated Tue, 05 Jul 2005 12:32:38 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#307270: fixed in eskuel 1.0.6-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 May 2005 08:54:12 +0000
>From [EMAIL PROTECTED] Mon May 02 01:54:12 2005
Return-path: <[EMAIL PROTECTED]>
Received: from host163-161.pool8254.interbusiness.it (paramecio) 
[82.54.161.163] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DSWgu-00057z-00; Mon, 02 May 2005 01:54:12 -0700
Received: by paramecio (Postfix, from userid 1000)
        id 758E9270075; Sun,  1 May 2005 22:32:53 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Gerardo Di Giacomo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: eskuel: arbitrary file retreiving
X-Mailer: reportbug 3.11
Date: Sun, 01 May 2005 22:32:53 +0200
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0 tests=BAYES_00,DATE_IN_PAST_12_24,
        HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: eskuel
Version: 1.0.5-3
Severity: critical
Tags: security patch
Justification: causes serious data loss

It's possible to read any file on the system.
File: include/functions.inc.php
Vulnerable function: select_lang_config()
Vulnerable code:

[...]
$lang_config_cookie = (isset($HTTP_COOKIE_VARS['ConfLangCookie'])) ?  
$HTTP_COOKIE_VARS['ConfLangCookie'] : '';
$force_config           = (isset($HTTP_POST_VARS['lang_config'])) ?  
$HTTP_POST_VARS['lang_config'] : '';

if ($force_config != '') {
        $lang_conf = $force_config;
}
elseif
($lang_config_cookie != '') {
        $lang_conf = $lang_config_cookie; }
else
{
        $lang_conf = $conf['defaultTxt'];
}
if
($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
}
### Getting the good $txt var from the lang res file
include './lang/'.$lang_conf;
[...]

Vulnerability details and exploitation way:
It's possible to use the "ConfLangCookie" cookie value or the "lang_config" 
post value to specify an arbitrary file, that will be included with the 
"include './lang/'.$lang_conf" istruction.
If one of "ConfLangCookie" or "lang_config" value is 
"../../../../../../../../../../../etc/passwd", it's possible to read the 
userlist.


Simple patch:

if
($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
}
+ if (strpos("..", $lang_conf) !== FALSE) die("Invalid language file");
### Getting the good $txt var from the lang res file
include './lang/'.$lang_conf;



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages eskuel depends on:
ii  apache2                      2.0.54-2    next generation, scalable, extenda
ii  apache2-mpm-prefork [apache2 2.0.54-2    traditional model for Apache2
ii  php4-cgi                     4:4.3.10-13 server-side, HTML-embedded scripti
ii  php4-mysql                   4:4.3.10-13 MySQL module for php4

-- no debconf information

---------------------------------------
Received: (at 307270-close) by bugs.debian.org; 5 Jul 2005 16:39:03 +0000
>From [EMAIL PROTECTED] Tue Jul 05 09:39:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DpqRr-0007KJ-00; Tue, 05 Jul 2005 09:39:03 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DpqLe-0007LH-00; Tue, 05 Jul 2005 12:32:38 -0400
From: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#307270: fixed in eskuel 1.0.6-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 05 Jul 2005 12:32:38 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: eskuel
Source-Version: 1.0.6-1

We believe that the bug you reported is fixed in the latest version of
eskuel, which is due to be installed in the Debian FTP archive:

eskuel_1.0.6-1.diff.gz
  to pool/main/e/eskuel/eskuel_1.0.6-1.diff.gz
eskuel_1.0.6-1.dsc
  to pool/main/e/eskuel/eskuel_1.0.6-1.dsc
eskuel_1.0.6-1_all.deb
  to pool/main/e/eskuel/eskuel_1.0.6-1_all.deb
eskuel_1.0.6.orig.tar.gz
  to pool/main/e/eskuel/eskuel_1.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Amaya Rodrigo Sastre <[EMAIL PROTECTED]> (supplier of updated eskuel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  5 Jul 2005 17:15:23 +0200
Source: eskuel
Binary: eskuel
Architecture: source all
Version: 1.0.6-1
Distribution: unstable
Urgency: low
Maintainer: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
Changed-By: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
Description: 
 eskuel     - A pretty PHP administration tool for MySQL databases
Closes: 307270
Changes: 
 eskuel (1.0.6-1) unstable; urgency=low
 .
   * New upstream release.
   * Maintainer upload that (Closes: #307270).
Files: 
 0523455a23860cb93a102960380a2aa4 565 web optional eskuel_1.0.6-1.dsc
 9f66638a204122d7ecf2081d962bce30 150538 web optional eskuel_1.0.6.orig.tar.gz
 a54796d6b494a5b4f76ab3127e740808 2163 web optional eskuel_1.0.6-1.diff.gz
 352739638c50f5693124b481f4f17c57 149446 web optional eskuel_1.0.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCyrCpNFDtUT/MKpARAsOzAKD48GPTiHQX/xZZftniq8qXCn+kmQCePHI2
2CHpthDjCzx2VB/xIFJQmI0=
=5TZw
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to