phpwebsite includes an affected XMLRPC PHP library and should be patched.
Ccing stuart. Feel free to open this bug as soon as you think it's public enough.
Sent an email upstream to make sure they know about it.
Created attachment 62617: phpwebsite.patch (backported patch from PEAR lib fix)
web-apps: please bump with patch... and test a little (I didn't)
Also from: http://phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=989

Diabolic Crab, an independent security researcher at Hackers Center has revealed some security weaknesses in phpWebSite. Mr. Crab was kind enough to contact us before these holes become public knowledge. Please download the security patch and untar it in your phpWebSite version 0.10.1 installation directory.
http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
md5sum: 7e22916bbac8c27677a65eb31b71ebe3
Posted on phpwebsite.appstate.edu. More details about the exploit will be released soon.

Note: they didn't patch the XML-RPC thing in that patch ?!? So we have to apply both patches to fix them...
*** Bug 98040 has been marked as a duplicate of this bug. ***
It's in CVS, with tarball and patch. I'm unable to test it so I won't be marking x86 stable. CC'd archs please stable.
I can do one better - version bump to 0.10.1, with both patches
Arches please mark stable whatever is more appropriate to you. In doubt, do 0.10.1.
Stable on ppc.
The 0.10.1 ebuild is broken because it tries to call epatch on a file that doesn't exist:

>>> Unpacking source...
>>> Unpacking phpwebsite-0.10.1-full.tar.gz to /var/tmp/portage/phpwebsite-0.10.1/work
>>> Unpacking phpwebsite_security_patch_20050705.2.tgz to /var/tmp/portage/phpwebsite-0.10.1/work/phpwebsite-0.10.1-full
 * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is:
 *
 *   /usr/gentoo-x86/www-apps/phpwebsite/files/phpwebsite-0.10.1-xml-rpc.diff
 *   ( phpwebsite-0.10.1-xml-rpc.diff )

!!! ERROR: www-apps/phpwebsite-0.10.1 failed.
!!! Function epatch, Line 219, Exitcode 0
!!! Cannot find $EPATCH_SOURCE!
!!! If you need support, post the topmost build error, NOT this status message.
My apologies. Fixed in CVS
Arches: please mark stable so that the GLSA on this exploited vuln can go out.
There was a bug in Security.php, please wait for a fix. Wendall
Ok, it is a one-liner fix. The regex was removing spaces from valid URL characters by mistake. Line 113 in Security.php should read:

preg_match('/%(0|1)(\d|[a-f])/i', $_SERVER['REQUEST_URI'])) {

Matt McNaney from ASU will be posting the updated patch on http://phpwebsite.appstate.edu shortly. Wendall
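As an added illustration (not code from this thread or from the phpWebSite project): the corrected Security.php check quoted above, reproduced in Python and run over constructed request URIs, showing that it flags percent-encoded control bytes (%00 through %1F) while leaving ordinary encoded characters such as %20 (space) alone. The function names and the sample URIs are assumptions made for the example.

```python
import re

# The corrected Security.php pattern as quoted in the thread: a percent
# sign followed by 0 or 1 and one hex digit, i.e. an encoded byte in
# %00-%1F (ASCII control characters). Case-insensitive, as the /i flag.
ENCODED_CONTROL_CHAR = re.compile(r'%(0|1)(\d|[a-f])', re.IGNORECASE)


def has_encoded_control_char(request_uri: str) -> bool:
    """True if the URI carries a percent-encoded control byte (%00-%1F)."""
    return ENCODED_CONTROL_CHAR.search(request_uri) is not None


def classify(uris):
    """Split URIs into (rejected, accepted) according to the check."""
    rejected = [u for u in uris if has_encoded_control_char(u)]
    accepted = [u for u in uris if not has_encoded_control_char(u)]
    return rejected, accepted


# Constructed sample request URIs (not taken from the thread).
SAMPLE_URIS = [
    "/index.php?module=announce&ANN_id=989",  # no encoding: accepted
    "/index.php?q=hello%20world",             # %20 = space: accepted
    "/index.php?q=a%2Fb",                     # %2F = '/': accepted
    "/index.php?q=line%0Ainjected",           # %0A = newline: rejected
    "/index.php?q=abc%00.php",                # %00 = NUL: rejected
    "/index.php?q=x%1fy",                     # %1F, lowercase hex: rejected
]

if __name__ == "__main__":
    rejected, accepted = classify(SAMPLE_URIS)
    print("rejected:", rejected)
    print("accepted:", accepted)
```

The earlier, buggy regex the comment refers to is not quoted in the thread, so only the corrected form is reproduced here.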
xmlrpc libs are updated with phpwebsite project. It can be noted that none of the xml_rpc functions are currently in use with phpWebSite. Wendall
back to ebuild status
Updated July 7!: The patch has been updated, please download the new file. Please update ebuild accordingly.
I will try to be more specific when I make comments. I am a phpWebSite developer. I thought I was clear that there was a change in the patch on 7/7. Was this not clear, or is it just being repeated for clarity for someone else? Wendall
Yes, it was repeated (to the ebuild maintainer) for clarity. You said "will be posting"...
Updated patch URL and rev-bumped to 0.10.1-r1. Wendall - the second URL on the announcement page is broken.
Arches, you know the deal - please test and mark 0.10.1-r1 stable. Thanks!
stable on x86
Stable on SPARC. Please note that the postinstall instructions lack anything to do with upgrades, and that info needs to be read out of the upstream provided upgrade file.
Stable on alpha.
Ready for GLSA
GLSA 200507-07 thanks everyone