Here is a patch that should also apply to 4.86a. Hope it addresses all the issues - not quite sure.
2009/5/27 Jan Wagner <w...@cyconet.org>: > Hi Richard, > > On Wednesday 27 May 2009, you wrote: >> I have been away for a couple of weeks. Secunia gives a silly two >> weeks to respond to a security advisory which I think is ridiculous. >> >> Anyway, these issues are not serious as both involve the usermanager >> script. To execute this script (or the "exploit") you require the >> admin password. If you know the admin password you don't need an >> exploit to delete a user! >> >> I will work on a fix and release a new version asap. > > thanks for your answer. Could you maybe provide also a (backported) fix for > 4.86a? A patch against 4.86a would be nice, cause this is the version we have > in the stable Debian release[1] and it's not possible to upload new versions > into stable. > > I'm on vacation the next 2 weeks beginning next weekend, so could you please > send fixes/notifications also to 530...@bugs.debian.org, so anybody else can > probably jump in and fix the bug in Debian. > > Thanks in advance. With kind regards, Jan. > [1] http://security-tracker.debian.net/tracker/binary-package/ipplan > -- > Never write mail to <w...@spamfalle.info>, you have been warned! > -----BEGIN GEEK CODE BLOCK----- > Version: 3.1 > GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE > Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++ > ------END GEEK CODE BLOCK------ > -- Richard Ellerbrock
--- admin/usermanager.php 2009-03-19 07:44:03.000000000 +1100
+++ ../../../iptrackdev/ipplan/admin/usermanager.php 2009-05-30 16:34:08.000000000 +1000
@@ -301,9 +301,13 @@
 // First off we insert the user information and delete button.
 insert($w, $t=table(array("cols"=>"2","border"=>"0","cellspacing"=>"2","width"=>"100%")));
 insert($t, $c=cell());
- insert($c ,block("<b>".my_("Editing User: $userid")."</b><br>"));
- insert($c, block("<i>".my_("Real Name: ").$row["userdescrip"]."</i><br>"));
- insert($c, block(my_("e-mail: ").$row["useremail"]));
+ insert($c ,block("<b>"));
+ insert($c ,text(my_("Editing User: $userid")));
+ insert($c ,block("</b><br>"));
+ insert($c, block("<i>"));
+ insert($c, text(my_("Real Name: ").$row["userdescrip"]));
+ insert($c, block("</i><br>"));
+ insert($c, text(my_("e-mail: ").$row["useremail"]));
 insert($t, $c=cell(array("align"=>"right")));
 insert($c, $f = form(array("method"=>"post","action"=>$_SERVER["PHP_SELF"])));
 insert($f,hidden(array("name"=>"action","value"=>"deleteuser")));
@@ -407,8 +411,11 @@
 $resaddr =$row["resaddr"];
 insert($w, $t=table(array("width"=>"100%","cols"=>"2","border"=>"0","cellspacing"=>"0","valign"=>"middle")));
 insert($t, $c = cell());
- insert($c, block("<b>".my_("Editing Group:")." $grp</b><br>"));
- insert($c, block("<i>".my_(" Description: ")."</i>".$grpdescrip));
+ insert($c, block("<b>"));
+ insert($c, text(my_("Editing Group:")." $grp"));
+ insert($c, block("</b><br>"));
+ insert($c, block("<i>".my_(" Description: ")."</i>"));
+ insert($c, text($grpdescrip));
 insert($w,generic("br"));
 insert($t,$c = cell (array("align"=>"right")));
 insert($c, $f = form(array("method"=>"post","action"=>$_SERVER["PHP_SELF"])));
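Review bot: The `"action"=>$_SERVER["PHP_SELF"]` form attribute on the context lines of both the user hunk (-301) and the group hunk (-407) is left unchanged, and PHP_SELF carries request-supplied path info after the script name, so it belongs to the same class of unescaped-output issue this patch fixes for `$userid`, `userdescrip`, `useremail` and `$grpdescrip`. Whether `form()` escapes attribute values is not visible here; if it does not, `"action"=>$_SERVER["SCRIPT_NAME"]` or an `htmlspecialchars(..., ENT_QUOTES)` wrapper would close it. The fix also depends on `text()` HTML-escaping its argument where `block()` emits raw markup, which should be confirmed against the layout library since neither function is defined in these hunks. Both hunks sit inside larger blocks that start and end outside the visible lines.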
@@ -689,10 +696,10 @@
 $password1=$password2=rand(10000, 1000000);
 }
- if (strlen($userid) < 2) {
+ if (strlen($userid) < 2 or strlen($userid) > 40) {
 $formerror .= my_("The user-id must be longer")."\n";
 }
- if (strlen($userdescrip) < 2) {
+ if (strlen($userdescrip) < 2 or strlen($userdescrip) > 80) {
 $formerror .= my_("The user description must be longer")."\n";
 }
 if (strlen($password1) < 5 or strlen($password2) < 5) {
@@ -749,13 +756,13 @@
 $grpdescrip=trim($grpdescrip);
 $formerror="";
- if (strlen($grp) < 2) {
+ if (strlen($grp) < 2 or strlen($grp) > 40) {
 $formerror .= my_("The group name must be longer")."\n";
 }
 if ($resaddr < 0 or $resaddr > 9999) {
 $formerror .= my_("Reserved addresses out of range")."\n";
 }
- if (strlen($grpdescrip) < 2) {
+ if (strlen($grpdescrip) < 2 or strlen($grpdescrip) > 80) {
 $formerror .= my_("The group description must be longer")."\n";
 }
 if (ereg("[^[:alnum:]-]", $grp)) {
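Review bot: The new upper bounds in the user hunk (-689) reuse the old messages, so a user-id over 40 bytes is rejected with "The user-id must be longer"; the same applies to the user description here and to the group name and description in the -749 hunk. A message that states the accepted range would fit both branches, e.g. `my_("The user-id must be between 2 and 40 characters")`. `strlen()` counts bytes, so if the database columns are sized in characters the limit may reject multi-byte values earlier than intended, which is worth checking against the schema. Separately, the context line `$password1=$password2=rand(10000, 1000000);` appears to derive a password from a non-cryptographic generator with roughly a million possible values; its guarding condition is outside the hunk, but a CSPRNG-derived value with a larger range would be the safer default.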
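Review bot: The character allow-list on the last context line of the group hunk (-749) still uses `ereg("[^[:alnum:]-]", $grp)`, which is not binary-safe (matching stops at a NUL byte) and is deprecated as of PHP 5.3. `preg_match('/[^[:alnum:]-]/', $grp)` is the binary-safe equivalent and would make this check as dependable as the new length limit next to it. The body of that `if` continues past the end of the hunk, so how a failed match is handled is not visible here.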