Your message dated Tue, 05 Jul 2005 12:32:38 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#307270: fixed in eskuel 1.0.6-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Gerardo Di Giacomo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: eskuel: arbitrary file retreiving
Date: Sun, 01 May 2005 22:32:53 +0200

Package: eskuel
Version: 1.0.5-3
Severity: critical
Tags: security patch
Justification: causes serious data loss

It's possible to read any file on the system.

File: include/functions.inc.php
Vulnerable function: select_lang_config()
Vulnerable code:

[...]
    $lang_config_cookie = (isset($HTTP_COOKIE_VARS['ConfLangCookie'])) ? $HTTP_COOKIE_VARS['ConfLangCookie'] : '';
    $force_config = (isset($HTTP_POST_VARS['lang_config'])) ? $HTTP_POST_VARS['lang_config'] : '';

    if ($force_config != '') {
        $lang_conf = $force_config;
    }
    elseif ($lang_config_cookie != '') {
        $lang_conf = $lang_config_cookie;
    }
    else {
        $lang_conf = $conf['defaultTxt'];
    }

    if ($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
    }

    ### Getting the good $txt var from the lang res file
    include './lang/'.$lang_conf;
[...]

Vulnerability details and exploitation way:

It's possible to use the "ConfLangCookie" cookie value or the
"lang_config" post value to specify an arbitrary file, that will be
included with the "include './lang/'.$lang_conf" instruction.
If one of "ConfLangCookie" or "lang_config" value is
"../../../../../../../../../../../etc/passwd", it's possible to read
the userlist.

Simple patch:

     if ($lang_conf == '') {
         $lang_conf = 'francais.inc.php';
     }

+    if (strpos("..", $lang_conf) !== FALSE) die("Invalid language file");

     ### Getting the good $txt var from the lang res file
     include './lang/'.$lang_conf;

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages eskuel depends on:
ii  apache2                      2.0.54-2     next generation, scalable, extenda
ii  apache2-mpm-prefork [apache2 2.0.54-2     traditional model for Apache2
ii  php4-cgi                     4:4.3.10-13  server-side, HTML-embedded scripti
ii  php4-mysql                   4:4.3.10-13  MySQL module for php4

-- no debconf information

---------------------------------------
From: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#307270: fixed in eskuel 1.0.6-1
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 05 Jul 2005 12:32:38 -0400

Source: eskuel
Source-Version: 1.0.6-1

We believe that the bug you reported is fixed in the latest version of
eskuel, which is due to be installed in the Debian FTP archive:

eskuel_1.0.6-1.diff.gz
  to pool/main/e/eskuel/eskuel_1.0.6-1.diff.gz
eskuel_1.0.6-1.dsc
  to pool/main/e/eskuel/eskuel_1.0.6-1.dsc
eskuel_1.0.6-1_all.deb
  to pool/main/e/eskuel/eskuel_1.0.6-1_all.deb
eskuel_1.0.6.orig.tar.gz
  to pool/main/e/eskuel/eskuel_1.0.6.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Amaya Rodrigo Sastre <[EMAIL PROTECTED]> (supplier of updated eskuel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 5 Jul 2005 17:15:23 +0200
Source: eskuel
Binary: eskuel
Architecture: source all
Version: 1.0.6-1
Distribution: unstable
Urgency: low
Maintainer: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
Changed-By: Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
Description:
 eskuel - A pretty PHP administration tool for MySQL databases
Closes: 307270
Changes:
 eskuel (1.0.6-1) unstable; urgency=low
 .
   * New upstream release.
   * Maintainer upload that (Closes: #307270).
Files:
 0523455a23860cb93a102960380a2aa4 565 web optional eskuel_1.0.6-1.dsc
 9f66638a204122d7ecf2081d962bce30 150538 web optional eskuel_1.0.6.orig.tar.gz
 a54796d6b494a5b4f76ab3127e740808 2163 web optional eskuel_1.0.6-1.diff.gz
 352739638c50f5693124b481f4f17c57 149446 web optional eskuel_1.0.6-1_all.deb
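
Review bot: The added strpos line in the "Simple patch" of the bug report has its arguments reversed. PHP's strpos takes (haystack, needle), so strpos("..", $lang_conf) looks for the whole cookie or POST value inside the two-character string ".." and can only match when that value is "." or "..". The "../../../../../../../../../../../etc/passwd" value from the report therefore passes the check and still reaches the include. Swap the arguments to strpos($lang_conf, ".."). Even with that fix the check only rejects values containing "..", and everything else is still concatenated into the include path, so comparing $lang_conf against the file names actually present in ./lang/ would be the tighter test.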
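
An allowlist form of the language-file selection described in the bug report, as an added example that is not eskuel code and not part of the original messages. The function name resolve_lang_file, the temporary directory and the english.inc.php file are assumptions made for the demo; it needs PHP 7 or later.

```php
<?php
// Added example, not eskuel code. Requires PHP 7+.

// Map an untrusted cookie/POST value to a file inside $langDir.
// Only names that exist in the directory are accepted.
function resolve_lang_file(string $langDir, string $requested, string $default): string
{
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException('language directory missing');
    }
    // Allowlist built from the directory listing: bare file names only.
    $allowed = array_map('basename', glob($base . '/*.inc.php') ?: []);

    // Exact, strict match; anything else falls back to the trusted default.
    $name = in_array($requested, $allowed, true) ? $requested : $default;
    if (!in_array($name, $allowed, true)) {
        throw new RuntimeException('default language file not installed');
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo data: a temporary lang directory with two files.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/francais.inc.php", '<?php $txt = array("hello" => "bonjour");');
file_put_contents("$dir/english.inc.php", '<?php $txt = array("hello" => "hello");');

$inputs = array(
    'english.inc.php',                              // legitimate choice
    '../../../../../../../../../../../etc/passwd',  // value from the report
    '/etc/passwd',                                  // no ".." at all
    '',                                             // nothing supplied
);
foreach ($inputs as $in) {
    $path = resolve_lang_file($dir, $in, 'francais.inc.php');
    printf("%-46s -> %s\n", var_export($in, true), basename($path));
}

// Clean up the demo directory.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

The returned path is what would be passed to include in place of './lang/'.$lang_conf; every input other than an exact file name from the directory resolves to the default.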