Bug 83297 - www-apps/phpwebsite: Image Upload Vulnerability
Summary: www-apps/phpwebsite: Image Upload Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All, OS: All
Importance: High critical
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14399/
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2005-02-25 06:40 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-03-01 14:00 UTC
See Also:
Package list:
Runtime testing required: ---
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-25 06:40:14 UTC
Description:
nst has reported a vulnerability in phpWebSite, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the uploading of images when submitting an announcement. This can be exploited to upload arbitrary PHP scripts to a directory inside the web root.

The vulnerability has been reported in version 0.10.0 and prior.

Solution:
Edit the source code to ensure that the filenames of uploaded images are properly verified.
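The fix the advisory asks for, shown as an added example that is not phpWebSite's own code: a PHP upload handler that derives the file type and extension from the uploaded bytes and never reuses the client-supplied filename, so a script can never be stored under a name PHP would execute. It assumes PHP 7 or later, an upload arriving as $_FILES['image'], and a hypothetical $uploadDir under the web root.

```php
<?php
// Added example, not phpWebSite code. Validates an uploaded image before it
// is written under the web root and returns the generated filename.
function store_uploaded_image(array $file, string $uploadDir): string
{
    // Only these content types are accepted; the extension is chosen by us.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or is not a real upload');
    }

    // Decide the type from the file contents, never from the client-supplied
    // name or Content-Type header. getimagesize() returns false for non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info['mime']])) {
        throw new RuntimeException('not an allowed image type');
    }

    // Discard $file['name'] entirely. Reusing it is how names such as
    // "x.php" or "x.php.jpg" end up on disk; here the only extension the
    // stored file can have is the one mapped from its detected content.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info['mime']];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // never executable

    // Defence in depth: a polyglot that passes getimagesize() is still inert
    // if the upload directory has PHP disabled (e.g. "php_flag engine off" in
    // an .htaccess there) and only image extensions can ever be written.
    return $name;
}
```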
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:16:10 UTC
From Upstream @ http://phpwebsite.appstate.edu/

"This is a more serious issue than we thought. We recommend you disable your announcement module immediately. We are working on a fix."
Comment 2 Wendall Cada 2005-02-25 08:45:24 UTC
If you are running phpWebSite, please disable all user uploading of images. Any and all image uploading is vulnerable.

Wendall
Comment 3 Muti 2005-02-25 12:40:32 UTC
An official patch is now available from: http://phpwebsite.appstate.edu/downloads/security/phpws_image_secure_patch.tgz
Comment 4 Don Seiler (RETIRED) gentoo-dev 2005-02-25 13:06:43 UTC
www-apps/phpwebsite-0.10.0-r1 is in portage, stable in x86.  Other arches please mark stable ASAP.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2005-02-26 14:47:25 UTC
So I've been trying to test this out, but each time I set up phpwebsite and attempt to go to the main URL, I get nothing in the web browser.

A search of the apache logs shows the following (about 2 errors per request of the URL):

Allowed memory size of 8388608 bytes exhausted (tried to allocate 0 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 0 bytes)

Some quick googling didn't really show anything useful.  Anyone have any ideas?
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-27 03:32:11 UTC
Stable on alpha.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 00:49:59 UTC
weeve: maybe it's something similar to the problem described here:
http://www.squirrelmail.org/wiki/en_US/LowMemoryProblem

ppc: please test and mark stable ASAP.

Setting to A since it's easily exploitable and victims can be searched with Google.
Comment 8 Don Seiler (RETIRED) gentoo-dev 2005-02-28 07:52:01 UTC
An additional patch was released, and I've added it on www-apps/phpwebsite-0.10.0-r2.  0.10.0-r1 is obsolete, all ARCHes please test -r2.
Comment 9 Wendall Cada 2005-02-28 08:49:52 UTC
Jason,

phpWebSite is kind of a memory hog. This has been resolved for our future 1.0 release. For now, if you run a lot of modules, you'll have to bump your memory limit up to, say, 10M or 12M.

Wendall
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:34:00 UTC
rizzo: is the new patch a necessary patch for security, or for stability?
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-28 13:31:30 UTC
This new patch fixes a different issue... see <http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=922&ANN_user_op=view>

The BugTraq mail they refer to seems to be <http://www.securityfocus.com/archive/1/391525/2005-02-25/2005-03-03/0>, I believe.
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-28 14:01:38 UTC
Stable on ppc.
Comment 13 Jason Wever (RETIRED) gentoo-dev 2005-02-28 18:52:55 UTC
Somewhere between 12M and 20M was the magic number here.

Stable on SPARC.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 00:54:45 UTC
alpha: please test and mark stable
rizzo: please mark -r2 stable for x86 if you can
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-01 10:13:35 UTC
Stable on alpha.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 10:21:32 UTC
Marked x86-stable by rizzo, ready for GLSA
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 14:00:17 UTC
GLSA 200503-04