Posted by: jydallstar on 11/11/2004 11:05
Updated by: jydallstar on 11/16/2004 04:25
Expires: 01/01/2009 12:00

Security Patch

A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue.

Updated: 12-16-2004 @ 4:26 PM

The patch can be downloaded from here:
http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: 1b3153eed4c026289f8744f65e8b922a

This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.

Thanks to Maestro De-Seguridad for bringing this problem to our attention. We will discuss the security hole in more detail after people have had a chance to apply the patch.

The phpWebSite Development Team
_______________________________________

http://securitytracker.com/alerts/2004/Nov/1012200.html :

phpWebSite Input Validation Flaws Let Remote Users Conduct HTTP Response Splitting Attacks

SecurityTracker Alert ID: 1012200
SecurityTracker URL: http://securitytracker.com/id?1012200
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Nov 12 2004
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.9.3-4

Description: A vulnerability was reported in phpWebSite. A remote user can conduct HTTP response splitting attacks.

Maestro reported that the 'index.php' script does not properly validate user-supplied input in several parameters. A remote user can submit a specially crafted HTTP POST request to cause the target server to return a split response.

A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit POST request is provided:

POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive

module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aConte nt-Type:% site in 0wned</html>&password=foobar

Impact: A remote user can create a request that, when loaded by the target user, will cause arbitrary content to be displayed. A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution: The vendor has issued the following patch for 0.9.3-2 or greater:
http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: fcefda44a8d691c844593d815479a1ce

Vendor URL: phpwebsite.appstate.edu/ (Links to External Site)
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
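An added example, not part of the bug report or of the phpWebSite patch: a check that flags form parameters which decode to a line break, the condition the advisory's request relies on, plus a guard for values about to be placed in a response header. The function names and sample bodies are constructed for this example, and it assumes the affected parameters reach a response header, which the advisory does not detail.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample bodies. The first reuses only the payload prefix printed
# in the advisory; the others are made up for this example.
SPLIT_BODY = ("module=user&norm_user_op=login&block_username="
              "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok"
              "&password=foobar")
DOUBLE_ENCODED_BODY = "module=user&block_username=%250d%250aX-Test:%25201"
BENIGN_BODY = "module=user&norm_user_op=login&block_username=alice&password=foobar"


def has_line_break(text, extra_decodes=1):
    """True if text holds CR/LF now or after up to extra_decodes more URL-decodes."""
    for _ in range(extra_decodes + 1):
        if "\r" in text or "\n" in text:
            return True
        text = unquote(text)  # covers code paths that decode the value again
    return False


def find_crlf_params(body, extra_decodes=1):
    """Names of form parameters whose name or value decodes to a line break."""
    return [name
            for name, value in parse_qsl(body, keep_blank_values=True)
            if has_line_break(name, extra_decodes)
            or has_line_break(value, extra_decodes)]


def safe_header_value(value):
    """Refuse, rather than silently strip, data that would end a header line."""
    if has_line_break(value, extra_decodes=0) or "\x00" in value:
        raise ValueError("line break or NUL in header value")
    return value


if __name__ == "__main__":
    for body in (SPLIT_BODY, DOUBLE_ENCODED_BODY, BENIGN_BODY):
        print(find_crlf_params(body), "<-", body[:60])
```
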
Don, pls provide an updated ebuild
www-apps/phpwebsite-0.9.3_p4-r2 now in portage. ~ for all arches.
Thanks Don. Arches, please test and mark www-apps/phpwebsite-0.9.3_p4-r2 stable.
the comments in files/postinstall-en.txt are wrong

cd ${MY_HTDOCSDIR}/phpwebsite/setup
should be
/var/www/localhost/htdocs/phpwebsite/setup (or something like that)

./secure_setup.sh
should be
./secure_phpws.sh or something like that

anyways.. apart from that it seems ok...
*prod* is files/postinstall-en.txt getting fixed?
rizzo : please fix postinstall-en.txt (no revision needed, I think) alpha,ppc : please mark stable whatever version is there, the postinstall-en.txt is not a blocker.
Fixed. I wasn't sure about the htdocs location with all the webapp-config stuff, but phpwebsite really handles its own branching anyway, so I've hard coded the /var/www/localhost location as you specified. Sorry for delay.
Stable on alpha.
Marked stable on ppc.
Maintainer or x86 should mark www-apps/phpwebsite-0.9.3_p4-r2 stable too.
x86 stable.. sorry for the delay
This calls a vote. I would vote for a GLSA :) phpwebsite is exposed.
I vote for GLSA on this.
Then GLSA there will be
Thanks everyone. GLSA 200411-35