| Field | Value |
|---|---|
| Summary | www-apps/phpcollab: SQL / shell command / PHP code injection (CVE-2006-1495, CVE-2008-{4303,4304,4305}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://www.milw0rm.com/exploits/1617 |
| Whiteboard | B1 [masked] |
| Package list | |
| Runtime testing required | --- |
Description
Robert Buchholz (RETIRED)
2008-08-17 23:18:53 UTC
Re-creating as B1 as it indirectly allows for remote code execution. I initially intended to hack up a quick patch, but well, after having a quick look at the code.... This thing should really be removed from the tree, because:

* The SQL injection issue is not just present in general/sendpassword.php but almost *EVERYWHERE*
* The admin panel allows for PHP code injection as demonstrated in $URL (requires admin privs which you can obtain by exploiting the SQL injection issue)
* With register_globals=on it looks like it is possible to inject arbitrary shell code (general/login.php:28 using SSL_CLIENT_CERT)

Most of this also assumes magic_quotes_gpc=off. I only had a quick look at the code, so someone should maybe verify this... I'm referring to the 2.4 (even stable on Gentoo/ppc) code base, but 2.5 has the same code and is vulnerable as well.

I just verified that the mentioned issues are really exploitable... they are.

Found yet another issue which allows for remote code execution. It doesn't depend on register_globals/magic_quotes_gpc either, so the default config should be considered vulnerable (forwarding exact exploit in private). Time for p.mask + removal? :)

I'd mask because of the state the code is in.

Upstream replied to my mail from tonight and said they'll look into it, but I doubt this can be fixed in a few days... I privately mailed coley to get CVEs and asked upstream about the plans for a fixed version.

+# Christian Hoffmann <hoffie@gentoo.org> (26 Aug 2008)
+# Masked for security, bug 235052; codebase seems to have lots of problems,
+# needs time to fix or final removing, see the referenced bug for progress
+www-apps/phpcollab

Let's see if upstream is able to provide a fix in the near future, haven't got any new responses (neither from upstream nor from coley).

(In reply to comment #7)
> Let's see if upstream is able to provide a fix in the near future, haven't got
> any new responses (neither from upstream nor from coley).
I'm usually not impatient with regards to email response times, but as we are talking about a security issue here and I have neither received a reply from upstream nor from coley, I've resent both mails with a short ping.

Yet another month gone (or even more) and still no reply, I wonder what makes our mails (Robert's and mine) not reach Coley... Should we go without CVEs? Or maybe try vendor-sec?

bressers gave us CVEs, mail to vendor-sec sent as well.

Still no further upstream reaction. Are we going to send a maskglsa soon? I think we should really give out some kind of advisory.

Request filed, let's add 2008-10-31 to the bug as removal date and get this here over with.

Issued last rites. Package will be removed in 30 days.

Security, we should really send a GLSA here, shouldn't we? And we are way overdue on our timeline...

Ebuild removed.

webapps done.

GLSA 200812-20, sorry for the delay.
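The report above ties two of the issues to php.ini settings: with register_globals=on a client can define a variable the script expects from mod_ssl (SSL_CLIENT_CERT) and feed it to a shell, and the concatenated SQL only survives while magic_quotes_gpc happens to be on. The PHP below is an added illustration written for this page, not phpcollab's code and not a reconstruction of general/login.php or general/sendpassword.php; it shows each configuration-dependent pattern beside a form that is safe regardless of php.ini. The `members` table, its `email`/`login` columns, the fingerprint command and the `$db` connection are hypothetical. Because register_globals and magic_quotes_gpc were removed in PHP 5.4, their effect is reproduced with extract() and addslashes() so the file runs on a current interpreter.

```php
<?php
// Added illustration, not phpcollab code: the two php.ini-dependent patterns
// named in the bug (register_globals, magic_quotes_gpc), each beside a
// hardened form that does not depend on interpreter configuration.
// Hypothetical names: the `members` table and its `email`/`login` columns,
// the openssl fingerprint command, and the $db mysqli connection.
declare(strict_types=1);

// ---- register_globals: a server-supplied variable the client can overwrite ----

// With register_globals=on, a request like ?SSL_CLIENT_CERT=... defines the
// global $SSL_CLIENT_CERT before the first line of the script runs, so code
// that reads the bare name cannot tell mod_ssl's value from the client's.
// extract() over the request array stands in for register_globals here.
function legacyClientCert(array $request): string
{
    extract($request, EXTR_OVERWRITE);
    return (string) ($SSL_CLIENT_CERT ?? '');
}

// $_SERVER is filled in by the web server; request parameters never land there.
function hardenedClientCert(array $server): ?string
{
    return $server['SSL_CLIENT_CERT'] ?? null;
}

// Interpolating the value into a command line lets shell metacharacters in it
// (`;`, backticks, `$(...)`) execute as commands.
function legacyFingerprintCommand(string $pem): string
{
    return "echo $pem | openssl x509 -noout -fingerprint";
}

// escapeshellarg() turns the value into one quoted literal argument. Avoiding
// the shell altogether (proc_open() with the PEM written to stdin) is better still.
function hardenedFingerprintCommand(string $pem): string
{
    return 'echo ' . escapeshellarg($pem) . ' | openssl x509 -noout -fingerprint';
}

// ---- magic_quotes_gpc: escaping that exists only while a php.ini flag is on ----

// Query text built by concatenation is safe only while magic_quotes_gpc has
// already backslashed the quotes in $email. With the flag off, an email of
//   x' OR '1'='1
// closes the string literal and rewrites the WHERE clause.
function legacyPasswordLookup(string $email, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $email = addslashes($email);   // what magic_quotes_gpc did to every input
    }
    return "SELECT login FROM members WHERE email = '$email'";
}

// A prepared statement sends the SQL text and the parameter separately, so the
// value can never alter the statement's structure whatever php.ini says.
function hardenedPasswordLookup(mysqli $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT login FROM members WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($login);
    return $stmt->fetch() ? (string) $login : null;
}

// Demonstration on constructed hostile input; no database or web server needed.
if (PHP_SAPI === 'cli') {
    $hostile = "x' OR '1'='1";
    echo legacyPasswordLookup($hostile, false), PHP_EOL;  // WHERE email = 'x' OR '1'='1'
    echo legacyPasswordLookup($hostile, true), PHP_EOL;   // WHERE email = 'x\' OR \'1\'=\'1'
    echo legacyClientCert(['SSL_CLIENT_CERT' => '`id`']), PHP_EOL;   // attacker-chosen: `id`
    echo legacyFingerprintCommand('`id`'), PHP_EOL;       // `id` would run in the shell
    echo hardenedFingerprintCommand('`id`'), PHP_EOL;     // echo '`id`' | openssl ...
}
```

Run it with `php example.php` to see the two query strings differ only in whether the backslashes are present, which is exactly the dependence on magic_quotes_gpc the report describes. On a PHP 5.x host of the era, the first thing to check before reasoning about either issue is `php -i | grep -E 'register_globals|magic_quotes_gpc'`; the last issue mentioned in the bug, however, is stated to work with both settings off, so a hardened php.ini alone was not a mitigation.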