Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 195810 - www-apps/sitebar < 3.3.9 - multiple security issues in translator.php (CVE-2007-{5491,5492,5692,5693,5694,5695})
Summary: www-apps/sitebar < 3.3.9 - multiple security issues in translator.php (CVE-20...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Depends on:
Reported: 2007-10-14 10:01 UTC by Stephane Bonnell
Modified: 2007-11-06 23:05 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

SiteBar-3.3.8-translator-security.patch (SiteBar-3.3.8-translator-security.patch,2.20 KB, patch)
2007-10-14 19:14 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stephane Bonnell 2007-10-14 10:01:18 UTC
Version bump.
This is mainly a security release, please read the change log.

Reproducible: Always
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-10-14 12:42:35 UTC
Multiple security issues fixed in the translation module which could be exploited by user having admin or translation access to SiteBar. A workaround for version 3.3.8 is to delete the file translator.php, it only used for translation of SiteBar strings into other languages.

CVE-2006-3320 was already fixed in Bug 142597.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-14 19:13:24 UTC
I found two issues in the diff of translator.php:
1) Directory traversal via the $lang parameter that allows chmod'ing
   arbitrary files 0777.
2) Arbitrary PHP command execution via $value parameter.

Both are only exploitable for authenticated users.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-10-14 19:14:26 UTC
Created attachment 133465 [details, diff]

Security relevant parts of the release.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-14 19:21:44 UTC
web-apps, please advise.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-15 00:07:26 UTC
According to upstream, this is only exploitable when not running the default configuration:
"Those bugs are exploitable by users having access to translations and 
only on installations, where admin granted web server rights to write to 
the locales subdirectories (should not be usually the case by default). 
The users who have access to translations are limited to members of 
Admins and Translators group. Translators group is not created by default."
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-16 08:12:23 UTC
Yes, this is correct. I've coded a while on sitebar and it would take active user intervention to open these holes. So this does not really affect security.

Anyhow I bumped to 3.3.9 and dropped the stable keyword on ppc.

Maybe ppc could stabilze that version and we can remove 3.3.8 so no user has to wonder if sitebar is safe or not.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-16 11:10:27 UTC
(In reply to comment #6)
> Yes, this is correct. I've coded a while on sitebar and it would take active
> user intervention to open these holes. So this does not really affect security.

It still is a privilege escalation when you give people "translation" rights in the system and they can execute code on the server or change files.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-10-18 08:05:19 UTC
There were more issues revealed than the ones mentioned in the release notes and fixed by the patch above. They allow code another way to execute and retrieve files for arbitrary users, and XSS / redirection flaws for unauthenticated users.

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 17:03:25 UTC
ppc stable
Comment 10 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-18 17:13:56 UTC
thanks, removing insecure versions. webapps done here
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-10-18 19:50:54 UTC
glsa filed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 23:05:39 UTC
GLSA 200711-05