TITLE: SWORD diatheke.pl Shell Command Injection Vulnerability
SECUNIA ADVISORY ID: SA13897
VERIFY ADVISORY: http://secunia.com/advisories/13897/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: SWORD 1.x
http://secunia.com/product/4548/
DESCRIPTION: Ulf Härnhammar has reported a vulnerability in SWORD, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an input validation error in diatheke.pl. This can be exploited to inject arbitrary shell commands via a specially crafted URL.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: Ulf Härnhammar
ORIGINAL ADVISORY: http://www.debian.org/security/2005/dsa-650
Created attachment 49105 sword-1.5.8-diatheke.patch: patch ported from Debian's 1.5.3 patch.
We are quite a few versions ahead of Debian's on this one, but it looks like our code is still vulnerable. squinky86, please verify/apply.
solar/vapier: we could try applying this patch ourselves, as squinky isn't answering.
Gentoo doesn't include the diatheke.pl script in the package, so I don't think we are vulnerable to this bug. Incidentally, in Debian's patch it looks like $range is never escaped, so this could still be exploited by searching for the range ";command;" or similar :)
taviso: good catch. I verified that the patch applied and not that we didn't ship the diatheke.pl CGI. Note that Debian doesn't ship a version that includes the "range" operator, so they are in fact unaffected by that remaining vulnerability.
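A defensive wrapper illustrating the class of fix discussed in this thread (every CGI parameter, the range included, validated against an allow-list before it can reach a command line), written as an added example that is neither SWORD's diatheke.pl nor Debian's patch; the diatheke flags -b/-k/-r and the binary being on PATH are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the SWORD project. Every parameter is matched
# against a capturing allow-list regex (so it also untaints under perl -T) and
# diatheke is run in list form, so no shell ever parses the arguments.
use strict;
use warnings;

$ENV{PATH} = '/usr/bin:/bin';   # required under -T before system() is allowed

# Allow-lists. Module names are plain words; keys and search ranges such as
# "John 3:16-18" need letters, digits, space, '.', ':', ',' and '-'.
# Shell metacharacters (';', '|', '&', '`', '$', quotes, newlines) never match.
my %allowed = (
    book  => qr/[A-Za-z0-9_]{1,32}/,
    key   => qr/[A-Za-z0-9 .:,\-]{1,80}/,
    range => qr/[A-Za-z0-9 .:,\-]{1,80}/,
);
# diatheke command-line flags (assumed from the diatheke CLI: -b module,
# -k key, -r search range).
my %flag = (book => '-b', key => '-k', range => '-r');

# Returns the validated (and untainted) value, or undef if it is not allowed.
sub validate_param {
    my ($name, $value) = @_;
    return undef unless defined $value && exists $allowed{$name};
    return $value =~ /\A($allowed{$name})\z/ ? $1 : undef;
}

# Builds the argv list for diatheke, or undef if any parameter fails validation.
sub build_diatheke_argv {
    my (%param) = @_;
    my @argv = ('diatheke');
    for my $name (qw(book key range)) {
        next unless exists $param{$name};
        my $clean = validate_param($name, $param{$name});
        return undef unless defined $clean;
        push @argv, $flag{$name}, $clean;
    }
    return \@argv;
}

# Constructed requests: a legitimate lookup, and a range carrying the
# ";command;" pattern from the discussion above, which is refused before exec.
my $ok  = build_diatheke_argv(book => 'KJV', key => 'John 3:16', range => 'John 3');
my $bad = build_diatheke_argv(book => 'KJV', key => 'John 3:16', range => ';command;');
print "argv: @$ok\n";
print "rejected: range with shell metacharacters\n" unless defined $bad;
# List-form system(): arguments go straight to execve(), never through sh -c.
# system(@$ok) == 0 or die "diatheke exited with $?";
```

Running it under `perl -T` is the realistic CGI configuration: taint mode refuses to call system() with any value that has not passed through a capturing match like the one in validate_param.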