Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73021 - www-apps/phprojekt: critical error in setup.php allows to upload and start arbitrary scripts
Summary: www-apps/phprojekt: critical error in setup.php allows to upload and start ar...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] vorlon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-01 05:24 UTC by Carsten Lohrke (RETIRED)
Modified: 2004-12-13 00:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-01 05:38:53 UTC 
web-apps pls provide an updated ebuild

rating this B1 for now, if it really allows to upload and execute scripts with the rights of the user running the webserver
carlo, web-apps, can you confirm that?
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-01 06:12:46 UTC 
According to http://www.heise.de/security/news/meldung/53813 (German), this allows to upload and run any PHP-script with the standard test account. Furthermore it's said to be able to get the database password even without making use of the test account. All versions of PHProjekt seem to be affected.

Btw, it.sec <http://www.it-sec.de/> who reported this (or Martin M
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-01 06:12:46 UTC 
According to http://www.heise.de/security/news/meldung/53813 (German), this allows to upload and run any PHP-script with the standard test account. Furthermore it's said to be able to get the database password even without making use of the test account. All versions of PHProjekt seem to be affected.

Btw, it.sec <http://www.it-sec.de/> who reported this (or Martin Münch of it.sec), are linking to the article mentioned above.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2004-12-01 06:16:10 UTC 
Um, I wasn't 100% correct. I read here http://www.heise.de/newsticker/meldung/53813 about it. It's said, that it's possible to load and start arbitrary php-scripts via the test account and to obtain the db password w/o any account. I guess that the latter is possible locally only, but I won't install and test phprojekt. The information from the phprojekt guys isn't very helpful, too.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-07 04:54:58 UTC 
According to the phprojekt website this seems to allow unauthorized changes to the configuration, which, according to heise, could then allow uploading and execution of scripts using the default test account.

The tarball on their site seems to have the updated setup.php included already, our distfile mirrors are spreading the vulnerable version.

http://securitytracker.com/alerts/2004/Dec/1012369.html
http://secunia.com/advisories/13355/
_______

web-apps, pls verify and provide a fixed ebuild asap
This bug has been opened nearly a week ago.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-12-07 05:47:14 UTC 
phprojekt-4.2-r1 is now in the tree.  Sorry for the delay.

Best regards
Stu
Comment 7 Luke Macken (RETIRED) gentoo-dev 2004-12-07 07:04:37 UTC 
archs, please mark phprojekt-4.2-r1 stable.
Comment 8 Jochen Maes (RETIRED) gentoo-dev 2004-12-08 00:34:49 UTC 
stable on ppc
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2004-12-08 12:17:55 UTC 
x86 stable
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-12-10 14:33:57 UTC 
GLSA sent, but lists are slow as hell, I didn't even received the gentoo-announce feedback... Probably will commit the mail tomorrow so please be patient.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-13 00:39:46 UTC 
Reposted... now it works.
GLSA 200412-06