Hello,

I have performed a security audit of ELOG and here is what I found:


1) There is some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.

The attached patch fixes this in two places and many other format
string problems just to be sure.


2) There is a Cross-site Scripting issue when requesting correctly
named but non-existent files for downloading, like with this URL:

http://localhost:8080/demo/123456_789012/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

The attached patch corrects this by quoting the dangerous characters.


3) There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the
fields Type and Category contain invalid entries with HTML code,
the resulting error document will print the Type or Category data
as-is with no quoting.

The attached patch corrects this minor problem as well.


I have verified that all three problems exist in Debian unstable,
as well as in the upstream ELOG-2.6.2 version. I haven't checked
any other versions (but the upstream SVN trunk looks like it also
has these bugs).


// Ulf Harnhammar, Debian Security Audit Project
   http://www.debian.org/security/audit/




Attachment: elog.security.patch
Description: Binary data
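The two fix patterns the report describes, as an added illustration that is not part of the message or of the attached ELOG patch: attacker-controlled text (here, the requested file name) is passed as a %s argument to a fixed format string rather than used as the format itself, and the HTML-significant characters are quoted before the text is echoed into an error page. The function names html_quote and not_found_message and the message wording are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Quote the characters that are significant in HTML so user-supplied
   text can be echoed into an HTML error page without being interpreted
   as markup. Returns the number of bytes written (excluding the NUL),
   or -1 if the output buffer is too small. Hypothetical helper name. */
int html_quote(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char tmp[2] = { *in, 0 };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = tmp;      break;
        }
        size_t len = strlen(rep);
        if (pos + len + 1 > outsz)
            return -1;
        memcpy(out + pos, rep, len);
        pos += len;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Build the "file not found" message for a download request. The name
   comes from the request, so it is quoted first and then supplied as a
   %s argument to a fixed format string; conversion specifiers such as
   %n inside the name are therefore copied literally, never interpreted.
   Returns the message length, or -1 on truncation. Hypothetical name. */
int not_found_message(const char *name, char *out, size_t outsz)
{
    char quoted[512];
    if (html_quote(name, quoted, sizeof quoted) < 0)
        return -1;
    int n = snprintf(out, outsz, "<p>File %s not found</p>", quoted);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs mirroring the two reported cases. */
    const char *samples[] = {
        "%n%n%n%n",
        "<script>alert(\"XSS\")</script>",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (not_found_message(samples[i], buf, sizeof buf) > 0)
            printf("%s\n", buf);
    }
    return 0;
}
```

The contrast with the vulnerable pattern is the first argument of the *printf() call: `snprintf(out, outsz, name)` treats the name as the format, while `snprintf(out, outsz, "%s", name)` treats it as data. The quoting step is independent of that and is what closes the Cross-site Scripting part.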
