Bug#: 71502
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>
Description:   Opened: 2004-11-17 01:11 0000
Posted by: jydallstar on 11/11/2004 11:05
Updated by: jydallstar on 11/16/2004 04:25
Expires: 01/01/2009 12:00
Security Patch

A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue.

Updated: 12-16-2004 @ 4:26 PM

The patch can be downloaded from here:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: 1b3153eed4c026289f8744f65e8b922a

This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.

Thanks to Maestro De-Seguridad for bringing this problem to our attention.

We will discuss the security hole in more detail after people have had a chance to apply the patch.


The phpWebSite Development Team

_______________________________________

http://securitytracker.com/alerts/2004/Nov/1012200.html :

phpWebSite Input Validation Flaws Let Remote Users Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1012200
SecurityTracker URL:  http://securitytracker.com/id?1012200
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 12 2004
Impact:  Modification of system information, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 0.9.3-4
Description:  A vulnerability was reported in phpWebSite. A remote user can conduct HTTP response splitting attacks.

Maestro reported that the 'index.php' script does not properly validate user-supplied input in several parameters. A remote user can submit a specially crafted HTTP POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit POST request is provided:

POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive

module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aConte nt-Type:%
site in 0wned</html>&password=foobar
Impact:  A remote user can create a request that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.
Solution:  The vendor has issued the following patch for 0.9.3-2 or greater:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz

md5sum: fcefda44a8d691c844593d815479a1ce
Vendor URL:  phpwebsite.appstate.edu/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
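
Added example (not part of the bug report, the advisory, or phpWebSite's code): a check for the input validation error described above, flagging form fields whose decoded value contains CR or LF, plus the guard an application would apply before placing such a value in a response header. The function names, the sample bodies and the X-Constructed header are constructed for illustration; the field names are the ones in the advisory's request.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample bodies (not captured traffic). Field names follow the
# advisory's login form; the injected header name is a harmless placeholder.
SAMPLE_SPLIT = ("module=user&norm_user_op=login"
                "&block_username=alice%0d%0aX-Constructed:%201&password=foobar")
SAMPLE_DOUBLE = ("module=user&norm_user_op=login"
                 "&block_username=bob%250d%250aX-Constructed:%201&password=foobar")
SAMPLE_CLEAN = "module=user&norm_user_op=login&block_username=carol&password=foobar"


def crlf_findings(body, extra_decode_rounds=1):
    """Map each form field carrying CR or LF to how it was encoded.

    parse_qsl performs the one round of percent-decoding a web server applies
    to the body. Extra rounds catch values that only turn into CR/LF if the
    application decodes them a second time.
    """
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        candidate = value
        for depth in range(extra_decode_rounds + 1):
            if "\r" in candidate or "\n" in candidate:
                findings[name] = "decoded" if depth == 0 else "double-encoded"
                break
            candidate = unquote(candidate)
    return findings


def safe_header_value(value):
    """Return value unchanged, or refuse it if it could end the header line."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return value


if __name__ == "__main__":
    for label, body in [("split", SAMPLE_SPLIT), ("double", SAMPLE_DOUBLE),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, crlf_findings(body))
```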

------- Comment #1 From Matthias Geerdsen 2004-11-17 01:12:46 0000 -------
Don, pls provide an updated ebuild

------- Comment #2 From Don Seiler (RETIRED) 2004-11-17 08:53:26 0000 -------
www-apps/phpwebsite-0.9.3_p4-r2 now in portage.  ~ for all arches.

------- Comment #3 From Thierry Carrez (RETIRED) 2004-11-17 09:12:05 0000 -------
Thanks Don.
Arches, please test and mark www-apps/phpwebsite-0.9.3_p4-r2 stable

------- Comment #4 From Olivier Crete 2004-11-18 07:56:11 0000 -------
the comments in files/postinstall-en.txt are wrong

cd ${MY_HTDOCSDIR}/phpwebsite/setup
should be
/var/www/localhost/htdocs/phpwebsite/setup

(or something like that)
./secure_setup.sh
should be 
./secure_phpws.sh or something like that

anyways.. apart from that it seems ok...

------- Comment #5 From Bryan Østergaard (RETIRED) 2004-11-21 06:01:42 0000 -------
*prod* is files/postinstall-en.txt getting fixed?

------- Comment #6 From Thierry Carrez (RETIRED) 2004-11-23 08:02:30 0000 -------
rizzo : please fix postinstall-en.txt (no revision needed, I think)
alpha,ppc : please mark stable whatever version is there, the postinstall-en.txt is not a blocker.

------- Comment #7 From Don Seiler (RETIRED) 2004-11-23 08:11:27 0000 -------
Fixed.  I wasn't sure about the htdocs location with all the webapp-config
stuff, but phpwebsite really handles its own branching anyway, so I've hard
coded the /var/www/localhost location as you specified.

Sorry for delay.

------- Comment #8 From Bryan Østergaard (RETIRED) 2004-11-23 15:55:00 0000 -------
Stable on alpha.

------- Comment #9 From Joe Jezak 2004-11-24 01:01:21 0000 -------
Marked stable on ppc.

------- Comment #10 From Thierry Carrez (RETIRED) 2004-11-24 02:00:29 0000 -------
Maintainer or x86 should mark www-apps/phpwebsite-0.9.3_p4-r2 stable too.

------- Comment #11 From Olivier Crete 2004-11-24 11:15:34 0000 -------
x86 stable.. sorry for the delay

------- Comment #12 From Thierry Carrez (RETIRED) 2004-11-25 00:49:13 0000 -------
This calls a vote. I would vote for a GLSA :) phpwebsite is exposed.

------- Comment #13 From Sune Kloppenborg Jeppesen 2004-11-25 01:22:52 0000 -------
I vote for GLSA on this.

------- Comment #14 From Thierry Carrez (RETIRED) 2004-11-25 01:24:33 0000 -------
Then GLSA there will be

------- Comment #15 From Matthias Geerdsen 2004-11-26 12:17:17 0000 -------
Thanks everyone.

GLSA 200411-35
