tags 703290 + patch
stop

Attached is a little patch for point (2) based on Andres' idea; it uses
htmlentities() to masquerade any evil stuff.

a) Can someone check whether this is enough? (Guess so).
If someone NMUs, please don't close this bug though, just lower the
severity, as I currently abuse the BTS as an upstream tracker...
So once Andrew has time to work on Davical again, we remember to merge
these patches there, too :-)


b) It doesn't fix (1), strictly speaking...
The idea of this whole function is that a sysadmin can see whether he is
up to date or possibly misses any security updates/new functionality...
While, with the attached patch, an attacker can no longer (at least try
to) do XSS or such things... he still can trick a user into believing
that he is at the current version, thereby possibly missing security
updates (kinda "downgrade attack").

In distros this is obviously not a problem because they take care of
this.
A solution would be the aforementioned https (but that gives the
certificates problem)... or an HMAC based solution.
Anyway... this is less important.


Cheers,
Chris.
Index: davical/htdocs/setup.php
===================================================================
--- davical.orig/htdocs/setup.php	2013-03-18 17:43:19.442752281 +0100
+++ davical/htdocs/setup.php	2013-03-18 19:40:08.501822923 +0100
@@ -252,7 +252,7 @@
   $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
   $version_file = @fopen($url, 'r');
   if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
-  $current_version = trim(fread( $version_file,12));
+  $current_version = htmlentities( trim(fread( $version_file,12)) );
   fclose($version_file);
   $result = new CheckResult($c->version_string == $current_version);
   if ( ! $result->getOK() ) {
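Review bot: the escaped value is also what the next line compares against (`$result = new CheckResult($c->version_string == $current_version);`), so the check now depends on the output encoding of the fetched string rather than on its content; since the server is only ever expected to answer with a version number, validating the trimmed 12 bytes against a strict pattern (digits and dots, reject anything else) before use would neutralize injected markup just as well and keep the equality test meaningful, independent of which HTML context the description is later rendered in. Note also that htmlentities() without an explicit charset argument uses the PHP default, so if this escaping approach is kept, passing the charset explicitly avoids surprises across PHP versions.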
@@ -261,7 +261,7 @@
       $result->setDescription( sprintf(i18n('Stable: %s, We have: %s !'), $current_version, $c->version_string) );
     }
     else {
-      $result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );
+      $result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );
     }
   }
   return $result;
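Review bot: the removed and added lines in this hunk are identical as shown (`$result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );`), so either this is a whitespace-only change or the intended edit was lost when the patch was produced; if no functional change is meant here, dropping the hunk keeps the patch minimal, and if one was intended, it needs to be regenerated.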
