Also worth noting that there is a (non-default) configuration setting that restricts the availability of setup.php to only administrators.
I guess I'm listed as 'upstream' for DAViCal as well as being the DD responsible for the package. Unfortunately I have no time to do either job for the foreseeable future. So if people think this sort of thing is actually 'grave' then someone other than me needs to step forward and apply the (presumably trivial) fixes that resolve it. I guess that would be to htmlencode the response from that URL, since making it 'SSL' (as far as I can see) would add approximately 0.00001% of additional security. I note that 12 characters is precisely sufficient to contain '<script src=' and no more.

Cheers,
Andrew.

On Mon, 2013-03-18 at 03:10 +0100, Christoph Anton Mitterer wrote:
> Package: davical
> Version: 1.1.1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
>
> Hi.
>
> Marking this as grave for now, so that the security team gets notified
> and can have a look whether this is more serious.
> I personally think it's not that serious and the checking security team
> member can likely lower the severity. (thanks)
>
> In Davical's /usr/share/davical/htdocs/setup.php there's code
> that shows one whether the current version is used.
>
> check_davical_version() does about this:
> $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
> $version_file = @fopen($url, 'r');
> if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
> $current_version = trim(fread( $version_file,12));
> fclose($version_file);
> $result = new CheckResult($c->version_string == $current_version);
> if ( ! $result->getOK() ) {
>   if ( $c->version_string > $current_version ) {
>     $result->setClass('dep_ok');
>     $result->setDescription( sprintf(i18n('Stable: %s, We have: %s !'), $current_version, $c->version_string) );
>   }
>   else {
>     $result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );
>   }
> }
>
>
> 1) The URL is not SSL secure... but even if,... that wouldn't change anything
> IMHO.
>
> 2) An attacker can possibly insert up to 12 characters into $current_version
> which are then not checked for their content.
> That 12 characters are subsequently sprintf-ed into HTML which is set to
> the user.
>
>
> Well I don't know whether one can do any nasty things in 12 characters... but
> there are kinda freaks out there.
>
>
> Workaround for now would be to set:
> http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen
> to On.
>
>
> Cheers,
> Chris.
>

--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com                        +64 (2) 7233 2426
Even a hawk is an eagle among crows.
------------------------------------------------------------------------
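As an added illustration of the fix Andrew suggests (example code written here, not DAViCal's code and not from either message above): the string fetched from the version URL is treated as untrusted, checked against a strict dotted-number format, and passed through htmlspecialchars() before it is sprintf'ed into the page. The CheckResult class below is a minimal stand-in assumed for the example, and the i18n() wrapper is omitted.

```php
<?php
// Minimal stand-in for DAViCal's CheckResult (assumption: only the
// description is modelled; the real class carries more state).
class CheckResult {
    private $ok;
    private $description;
    public function __construct($ok, $description = '') {
        $this->ok = (bool) $ok;
        $this->description = $description;
    }
    public function getOK() { return $this->ok; }
    public function setDescription($d) { $this->description = $d; }
    public function getDescription() { return $this->description; }
}

// Behaviour as reported in the bug: the remote string lands in the
// markup unmodified, so any markup characters it contains are rendered.
function describe_version_unsafe($current_version, $our_version) {
    $r = new CheckResult($our_version == $current_version);
    $r->setDescription(sprintf('Want: %s, Currently: %s',
        $current_version, $our_version));
    return $r;
}

// Hardened variant: reject anything that is not a dotted version number,
// then HTML-encode both values anyway before they reach the page.
function describe_version_safe($current_version, $our_version) {
    $current_version = trim($current_version);
    if (!preg_match('/^[0-9]+(\.[0-9]+)*$/', $current_version)) {
        return new CheckResult(false,
            'Unexpected version string received from upstream');
    }
    $r = new CheckResult($our_version == $current_version);
    $r->setDescription(sprintf('Want: %s, Currently: %s',
        htmlspecialchars($current_version, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($our_version, ENT_QUOTES, 'UTF-8')));
    return $r;
}

// Constructed sample: a 12-byte response that is not a version number
// (the fread() in setup.php caps the read at 12 bytes).
$tampered = '1.1.1<b>x</b';
echo describe_version_unsafe($tampered, '1.1.1')->getDescription(), "\n";
echo describe_version_safe($tampered, '1.1.1')->getDescription(), "\n";
```

The first line prints the markup verbatim; the hardened function refuses the sample outright, and a response that does pass the format check is still entity-encoded before display.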