This is mainly a security release; please read the change log.
Multiple security issues were fixed in the translation module which could be exploited by a user having admin or translation access to SiteBar. A workaround for version 3.3.8 is to delete the file translator.php; it is only used for translation of SiteBar strings into other languages.
CVE-2006-3320 was already fixed in Bug 142597.
I found two issues in the diff of translator.php:
1) Directory traversal via the $lang parameter that allows chmod'ing arbitrary files 0777.
2) Arbitrary PHP command execution via $value parameter.
Both are only exploitable for authenticated users.
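The two bugs described in the comment above are a path built from an unvalidated $lang and a translation value written out in a way that lets it run as PHP. The page does not show SiteBar's own translator.php, so the following is an added illustration (not SiteBar's code) of the checks a reviewer would expect there: a strict locale-tag whitelist plus a realpath containment check for the directory, var_export() so the stored value can only ever be a string literal, and a restrictive mode instead of 0777. The layout of one PHP array file per locale directory is an assumption made for the example.

```php
<?php
// Added example, not SiteBar's code. Assumes locales live under
// $localesRoot/<lang>/ and that translations are stored as a PHP array
// file (whether SiteBar does exactly this is an assumption for illustration).

function safe_locale_dir(string $localesRoot, string $lang): ?string
{
    // Only accept tags like "en" or "de_DE"; this rejects "../", slashes and NUL bytes.
    if (!preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $lang)) {
        return null;
    }
    $root = realpath($localesRoot);
    $dir  = realpath($localesRoot . DIRECTORY_SEPARATOR . $lang);
    // realpath() fails for a missing directory and resolves symlinks, so a
    // containment check on the result also defeats traversal through links.
    if ($root === false || $dir === false
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

function write_translation(string $localesRoot, string $lang, array $strings): bool
{
    $dir = safe_locale_dir($localesRoot, $lang);
    if ($dir === null) {
        return false;
    }
    // var_export() emits a quoted PHP literal, so a value such as
    // "'; system('id'); //" is stored as data, not executed when the file is included.
    $php = "<?php\nreturn " . var_export($strings, true) . ";\n";
    $tmp = $dir . DIRECTORY_SEPARATOR . 'strings.php.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false) {
        return false;
    }
    // Owner read/write, group read only: never chmod 0777.
    chmod($tmp, 0640);
    return rename($tmp, $dir . DIRECTORY_SEPARATOR . 'strings.php');
}

// Demonstration on a constructed temporary locales tree.
$root = sys_get_temp_dir() . '/sitebar-locales-' . getmypid();
mkdir($root . '/de_DE', 0750, true);

var_dump(safe_locale_dir($root, '../../etc') === null);   // traversal rejected
var_dump(safe_locale_dir($root, 'de_DE') !== null);        // valid locale accepted
var_dump(write_translation($root, 'de_DE', ['greeting' => "'; system('id'); //"]));
$loaded = include $root . '/de_DE/strings.php';
var_dump($loaded['greeting'] === "'; system('id'); //");   // round-trips as a plain string
```

The whitelist alone would stop the traversal; the realpath check is kept as a second layer so that a later relaxation of the regex (adding script subtags, say) cannot silently reopen the hole.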
Created attachment 133465
Security relevant parts of the release.
web-apps, please advise.
According to upstream, this is only exploitable when not running the default configuration:
"Those bugs are exploitable by users having access to translations and
only on installations, where admin granted web server rights to write to
the locales subdirectories (should not be usually the case by default).
The users who have access to translations are limited to members of
Admins and Translators group. Translators group is not created by default."
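Upstream's condition for exploitability above is that the web server account can write to the locales subdirectories. Since file permissions are easiest to judge from the account that actually matters, this added check (not part of SiteBar) is meant to be run through the web server or as its user; the locales path is an assumption and should be pointed at the real install.

```php
<?php
// Added example, not part of SiteBar. Run it via the web server (or as the
// web server's user) so that is_writable() reflects that account's rights.
// Note that as root is_writable() is true for everything, so do not run it as root.
// The locales path below is an assumption; adjust it to the actual install.

function writable_locale_dirs(string $localesRoot): array
{
    $writable = [];
    foreach (glob($localesRoot . '/*', GLOB_ONLYDIR) as $dir) {
        if (is_writable($dir)) {
            $writable[] = basename($dir);
        }
    }
    return $writable;
}

$localesRoot = __DIR__ . '/locales';
$hits = writable_locale_dirs($localesRoot);
if ($hits === []) {
    echo "No locale subdirectory is writable by this process (the default upstream describes).\n";
} else {
    echo "Writable by the web server user: " . implode(', ', $hits)
        . " - translator.php issues reachable for Admins/Translators.\n";
}
```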
Yes, this is correct. I've coded a while on sitebar and it would take active user intervention to open these holes. So this does not really affect security.
Anyhow I bumped to 3.3.9 and dropped the stable keyword on ppc.
Maybe ppc could stabilize that version and we can remove 3.3.8 so no user has to wonder whether sitebar is safe or not.
(In reply to comment #6)
> Yes, this is correct. I've coded a while on sitebar and it would take active
> user intervention to open these holes. So this does not really affect security.
It still is a privilege escalation when you give people "translation" rights in the system and they can execute code on the server or change files.
There were more issues revealed than the ones mentioned in the release notes and fixed by the patch above. They allow another way to execute code and retrieve files for arbitrary users, and XSS / redirection flaws for unauthenticated users.
Thanks, removing insecure versions. Webapps done here.