Bug 145706 - www-apps/phpgroupware < 0.9.16.011 - sensitive information leak due to input validation error
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.frsirt.com/english/advisor...
Whiteboard: C4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-31 05:45 UTC by Jakub Moc (RETIRED)
Modified: 2006-09-03 10:00 UTC
Description Jakub Moc (RETIRED) gentoo-dev 2006-08-31 05:45:55 UTC
Not much of a serious issue, requires register_globals turned on. Anyway:


A security vulnerability has been discovered in phpGW < 0.9.16.011. We were not given a heads up before it was published.

The exploit is in the holiday code in calendar. It can only be exploited with register_globals = on and gpc_magic_quotes = off.

The advisory can be found at FrSIRT

There is code which exploits the vulnerability in the wild - see milw0rm.

All users are strongly encouraged to upgrade immediately.

-----

Advisory ID : FrSIRT/ADV-2006-3414
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-08-30

Technical Description

A vulnerability has been identified in phpGroupWare, which could be exploited by remote attackers to gain knowledge of sensitive information. This flaw is due to an input validation error in the "calendar/inc/class.holidaycalc.inc.php" script that does not validate the "phpgw_info[user][preferences][common][country]" parameter, which could be exploited by remote attackers to include or disclose the contents of local files with the privileges of the web server.

Affected Products

phpGroupWare version 0.9.16.010 and prior
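
Added example (not part of the original bug report or of phpGroupWare): a log triage sketch for the issue described in the advisory above. It flags access-log requests that hit the named include script directly or that supply the internal phpgw_info array as a request parameter. The /phpgroupware/ install path, the common log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script and parameter root named in the advisory quoted above.
SCRIPT = "calendar/inc/class.holidaycalc.inc.php"
PARAM_ROOT = "phpgw_info"

# Common/combined log format: client ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return None for an unrelated request, else a dict describing the hit."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qsl percent-decodes names and values, so %5B/%5D brackets match too.
    params = parse_qsl(parts.query, keep_blank_values=True)
    tainted = [v for k, v in params if k.split("[", 1)[0] == PARAM_ROOT]
    direct = unquote(parts.path).endswith("/" + SCRIPT)
    if not tainted and not direct:
        return None
    return {
        "client": client,
        "method": method,
        "status": int(status),
        # Both signals together match the advisory; one alone needs a human
        # look (POST bodies and cookies never reach the access log).
        "level": "high" if tainted and direct else "review",
        "traversal": any(".." in v or "\x00" in v for v in tainted),
    }

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2006:05:40:01 +0000] "GET /phpgroupware/calendar/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Aug/2006:05:41:13 +0000] "GET /phpgroupware/calendar/inc/class.holidaycalc.inc.php?phpgw_info%5Buser%5D%5Bpreferences%5D%5Bcommon%5D%5Bcountry%5D=..%2F..%2Fsample HTTP/1.1" 200 812',
    '198.51.100.7 - - [31/Aug/2006:05:41:20 +0000] "POST /phpgroupware/calendar/inc/class.holidaycalc.inc.php HTTP/1.1" 200 790',
    '203.0.113.5 - - [31/Aug/2006:05:42:00 +0000] "GET /phpgroupware/index.php?note=phpgw_info HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "review" hit on a POST deserves the same attention as a "high" one, because with register_globals enabled the variable can equally arrive in a request body or cookie that the access log does not record.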
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-09-02 01:56:55 UTC
Bump to 0.9.16.011 required.
Requires register_globals so rather dumb, I will vote noglsa
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-09-02 05:11:07 UTC
bumped
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-02 06:53:12 UTC
Thx Renat.

Arches please test and mark stable.
Comment 4 Michael Weyershäuser 2006-09-02 07:18:51 UTC
working fine on amd64...

emerge --info
#Portage 2.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-suspend2-r4Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r4Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.4
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 avi berkdb bitmap-fonts cairo cdr cli crypt cups dbus dlloader dri dvd dvdr eds emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal imap isdnlog jpeg kde kdeenablefinal kdehiddenvisibility libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode vorbis xml xorg xv zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux userland_GNU video_cards_radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2006-09-02 09:36:42 UTC
amd64 stable, thanks dude (did i mention i love that nick? *g*)
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-03 03:17:31 UTC
ppc stable
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-09-03 08:40:25 UTC
alpha stable.

Also marked 2.8.8 stable on amd64.
Comment 8 Thomas Cort (RETIRED) gentoo-dev 2006-09-03 08:43:02 UTC
(In reply to comment #7)
> Also marked 2.8.8 stable on amd64.

Sorry, this got posted to the wrong bug. Too many open tabs in firefox. Alpha stable.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-03 10:00:14 UTC
Thx everyone.

Closing with NO GLSA since this is C4 :-)