Source: davical
Version: 1.1.1-1
Severity: grave
Tags: security

Hi.

Marking this as important and security, as such ungraceful errors tend to be prone to attacks.

When accessing several of the /usr/share/davical/htdocs/*.php files as a non-admin user (that means e.g. HTTP Basic auth or a session cookie for a non-admin user is present)... some weird and potentially security-relevant errors occur:

1) admin.php -> davical page with the message "No page found to a"

2) setup.php -> user gets the whole setup page... including the ability to see the whole phpinfo() output... which contains all kinds of private environment information that might be used by an attacker. Therefore the severity: grave.

3) tools.php
   XML Parsing Error: no element found
   Location: https://.../tools.php
   Line Number 1, Column 1:
   ^

4) tz.php
   <?xml version="1.0" encoding="utf-8" ?>
   <error xmlns="urn:ietf:params:xml:ns:timezone-service">
     <supported-action/>The action "" is not understood.
   </error>

always.php -> OK (redirects to index.php)
help.php -> OK
index.php -> OK
caldav.php -> OK (outside of the scope of admin-pages auth/z system)
feed.php -> OK (outside of the scope of admin-pages auth/z system)
freebusy.php -> OK (outside of the scope of admin-pages auth/z system)
iSchedule.php -> davical page with the message "You are not authorised to use this function."
public.php -> message "Anonymous users may only access public calendars"
upgrade.php -> davical page with the message "You are not authorised to use this function."

Cheers,
Chris.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
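A regression check an administrator can run against their own DAViCal install after patching, to confirm that the admin-only pages listed in the report no longer hand a non-admin account the setup page with phpinfo() output. This is an added example, not code from the report or from DAViCal; the page list, the refusal text and the phpinfo() markers are taken from the report, while the base URL, account name and the `fetch` hook are assumptions for illustration.

```python
import base64
import re
import urllib.error
import urllib.request

# Admin-only pages from the report that must refuse a non-admin user.
PROTECTED_PAGES = ("admin.php", "setup.php", "tools.php", "tz.php",
                   "iSchedule.php", "upgrade.php")
# DAViCal's refusal text, as quoted in the report for iSchedule.php/upgrade.php.
REFUSAL_TEXT = "not authorised to use this function"
# Strings that only appear when phpinfo() output has reached the client.
PHPINFO_MARKERS = re.compile(r"phpinfo\(\)|PHP Version|\$_SERVER\[", re.I)


def classify(body: str) -> str:
    """Classify one response body: 'leak' (phpinfo() output visible),
    'refused' (proper authorisation error) or 'unexpected' (anything else,
    e.g. the empty/XML errors the report lists for tools.php and tz.php)."""
    if PHPINFO_MARKERS.search(body):
        return "leak"
    if REFUSAL_TEXT in body.lower():
        return "refused"
    return "unexpected"


def fetch_as_user(base_url: str, page: str, user: str, password: str) -> str:
    """GET base_url/page with HTTP Basic credentials of a non-admin account."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{page}",
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still worth classifying
        return err.read().decode("utf-8", "replace")


def check_install(base_url, user, password, fetch=fetch_as_user) -> dict:
    """Return {page: classification}; 'fetch' is injectable for offline testing."""
    return {page: classify(fetch(base_url, page, user, password))
            for page in PROTECTED_PAGES}


if __name__ == "__main__":
    import sys
    results = check_install(*sys.argv[1:4])  # base_url non_admin_user password
    for page, verdict in results.items():
        print(f"{page:14s} {verdict}")
    sys.exit(1 if "leak" in results.values() else 0)
```

Any page reported as `unexpected` still needs a look by hand, since the report shows that the broken pages answered with parser errors rather than a refusal.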