Bug 113903 - www-apps/gallery 2 possible XSS issue
Summary: www-apps/gallery 2 possible XSS issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/17747/
Whiteboard: ~3? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-29 07:07 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-29 22:42 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-29 07:07:02 UTC
Important changes:  
  
diff modules/core/CoreModuleExtras.inc modules/core/CoreModuleExtras.inc  
23c23  
<  * @version $Revision: 1.113.2.1 $ $Date: 2005/10/13 16:47:51 $  
---  
>  * @version $Revision: 1.113.2.2 $ $Date: 2005/11/24 00:46:16 $  
1210a1211,1213  
> 	case '1.0.0.1':  
> 	    /* Security fix in zipcart */  
>   
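Review bot: the new 1.0.0.1 upgrade case at 1210a1211,1213 carries only the comment /* Security fix in zipcart */ and no statements, and the zipcart change it refers to is not in this paste (the CoreModuleExtras.inc and ItemAddFromWeb.inc hunks show a version bump and the URL escaping only), so the server-file-read fix cannot be reviewed from what is attached here. Please add the zipcart module diff so the actual fix can be checked.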
1379a1383  
> 	case '1.0.0.1':  
diff modules/core/ItemAddFromWeb.inc modules/core/ItemAddFromWeb.inc  
23c23  
<  * @version $Revision: 1.25 $ $Date: 2005/08/23 03:49:02 $  
---  
>  * @version $Revision: 1.25.4.1 $ $Date: 2005/11/24 05:42:57 $  
169a170,173  
>   
> 			/* Avoid XSS by eliminating any HTML from the url */  
> 			$url = str_replace(array('<', '>'), array('&lt;',  
'&gt;'), $url);  
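Review bot: the escaping at 169a170,173 rewrites only '<' and '>' in $url, which prevents a tag from being opened but leaves double quotes, single quotes and '&' untouched; if $url is later emitted inside an HTML attribute (an href or value, for instance), a quote in the URL can still close the attribute and start a new one. Prefer htmlspecialchars($url, ENT_QUOTES) at the point of output, or validating/URL-encoding the value itself, over a partial character swap written back into $url.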
 
diff upgrade/steps/CleanCacheStep.class upgrade/steps/CleanCacheStep.class 
45a46,55 
> 	/* 
> 	 * Delete the install.log file that's left over from 2.0 and 2.0.1 
installs 
> 	 * since it's in a known location and contains potential information 
leaks. 
> 	 */ 
> 	$dataBase = $gallery->getConfig('data.gallery.base'); 
> 	$legacyInstallLogPath = sprintf('%s/install.log', $dataBase); 
> 	if ($platform->file_exists($legacyInstallLogPath)) { 
> 	    $platform->unlink($legacyInstallLogPath); 
> 	} 
>
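Review bot: in the 45a46,55 hunk the return value of $platform->unlink($legacyInstallLogPath) is ignored, so a permissions failure leaves install.log (which the comment says contains potential information leaks) in place with no message to the administrator; check the result and report a failure. Since this runs from an upgrade step (CleanCacheStep.class), installs that never run the upgrader keep the file, which is worth stating in the release notes.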
Comment 1 Don Seiler (RETIRED) gentoo-dev 2005-11-29 10:32:18 UTC
From #gallery:

<mindless> 2.0.2 basically contains: security fix in zipcart to prevent reading
server files, avoid XSS attack if add-from-web is directed to a maliciously
constructed website, obscured name for install.log
Comment 2 Don Seiler (RETIRED) gentoo-dev 2005-11-29 10:34:05 UTC
Sune, just an FYI that you pasted the core diffs.  The zipcart issue looks to be
even more serious.  Either way, getting 2.0.2 in portage ASAP would be a Good Thing.
Comment 3 Don Seiler (RETIRED) gentoo-dev 2005-11-29 12:05:37 UTC
Perhaps I'm just not intimately familiar with how the security team judges
things, but I think this warrants higher than 'trivial'.  Just my opinion.

Can anyone from web-apps add an ebuild for 2.0.2?  It would just be a copy of 2.0.1.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-29 12:40:44 UTC
Don, somehow I managed to miss pasting some of the diff. 
 
It's rated trivial because version 2 was never stable on any arch.  
  
For details see: http://www.gentoo.org/security/en/vulnerability-policy.xml  
Comment 5 Don Seiler (RETIRED) gentoo-dev 2005-11-29 12:45:31 UTC
Ah, I didn't realize 2 wasn't stable.  My apologies then.  Definitely should be ;)
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2005-11-29 17:46:29 UTC
2.0.2 in CVS, enjoy.

rizzo - I assume that's what your urgent ping was about?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-29 22:42:20 UTC
Thx Renat, closing without GLSA.