Package: davical
Version: 1.1.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi.

Marking this as grave for now, so that the security team gets notified and can have a look whether this is more serious. I personally think it's not that serious and the checking security team member can likely lower the severity. (thanks)

In Davical's /usr/share/davical/htdocs/setup.php there's code that shows one whether the current version is used. check_davical_version() does about this:

    $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
    $version_file = @fopen($url, 'r');
    if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
    $current_version = trim(fread( $version_file,12));
    fclose($version_file);
    $result = new CheckResult($c->version_string == $current_version);
    if ( ! $result->getOK() ) {
      if ( $c->version_string > $current_version ) {
        $result->setClass('dep_ok');
        $result->setDescription( sprintf(i18n('Stable: %s, We have: %s !'), $current_version, $c->version_string) );
      }
      else {
        $result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );
      }
    }

1) The URL is not SSL secure... but even if,... that wouldn't change anything IMHO.

2) An attacker can possibly insert up to 12 characters into $current_version which are then not checked for their content. Those 12 characters are subsequently sprintf-ed into HTML which is sent to the user. Well I don't know whether one can do any nasty things in 12 characters... but there are kinda freaks out there.

Workaround for now would be to set: http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen to On.

Cheers,
Chris.
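The pattern the report describes, rebuilt as an added example that is not DaVical's own code and not part of the bug report: a string read from a remote URL (truncated at 12 bytes, as in the report) is compared to the local version and then placed into HTML via sprintf(), shown beside a hardened variant that validates the remote string against a strict version pattern, compares versions with version_compare() instead of string comparison, and escapes on output. The function names fetch_remote_version(), render_unsafe() and render_safe(), the table-cell markup, and the sample server responses are assumptions constructed for this illustration; nothing here contacts davical.org.

```php
<?php
// Added example, not DaVical's own code. Models the check_davical_version()
// pattern from the report. fetch_remote_version(), render_unsafe(),
// render_safe() and the sample bodies below are constructed assumptions.

/**
 * Stand-in for the fopen()/fread($fh, 12) fetch in the report. Offline here:
 * it takes a constructed sample body instead of contacting a remote server.
 */
function fetch_remote_version(string $sample): string
{
    // Mirrors the 12-byte read: whatever the server sends is cut at 12 bytes.
    return trim(substr($sample, 0, 12));
}

/** The pattern the report describes: remote text goes straight into markup. */
function render_unsafe(string $current, string $ours): string
{
    if ($ours == $current) {
        return '<td class="dep_ok">OK</td>';
    }
    $desc = sprintf('Want: %s, Currently: %s', $current, $ours);
    return '<td class="dep_warning">' . $desc . '</td>';
}

/** Same logic, with the remote string validated and escaped before use. */
function render_safe(string $current, string $ours): ?string
{
    // 1. Accept only a dotted numeric version; anything else is treated the
    //    same way as a failed fetch (null = "could not retrieve").
    if (!preg_match('/^\d+(\.\d+){0,3}$/', $current)) {
        return null;
    }
    // 2. Compare versions as versions, not as strings ('1.10' vs '1.9').
    if (version_compare($ours, $current, '>=')) {
        return '<td class="dep_ok">OK</td>';
    }
    // 3. Escape on output even though the regex already excludes markup;
    //    the two layers fail independently.
    $desc = sprintf('Want: %s, Currently: %s',
        htmlspecialchars($current, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($ours, ENT_QUOTES, 'UTF-8'));
    return '<td class="dep_warning">' . $desc . '</td>';
}

$ours = '1.1.1';
// Constructed sample responses: a genuine version string and a tampered one
// that still fits inside the 12-byte read window.
$samples = [
    'genuine'  => "1.1.2\n",
    'tampered' => "<b>1.1.2</b>\n",
];

foreach ($samples as $label => $body) {
    $current = fetch_remote_version($body);
    echo "$label: unsafe => ", render_unsafe($current, $ours), "\n";
    echo "$label: safe   => ", var_export(render_safe($current, $ours), true), "\n";
}
```

Run with `php example.php`: the genuine response yields a warning cell in both variants, while the tampered response is emitted as raw markup by render_unsafe() and rejected (null) by render_safe() before it reaches the output step. The allow-listing regex is the control that matters; htmlspecialchars() is defence in depth for the case where the validation is later loosened.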