Posted by: jydallstar on 11/11/2004 11:05
Updated by: jydallstar on 11/16/2004 04:25
Expires: 01/01/2009 12:00
A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue.
Updated: 12-16-2004 @ 4:26 PM
The patch can be downloaded from here:
This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.
Thanks to Maestro De-Seguridad for bringing this problem to our attention.
We will discuss the security hole in more detail after people have had a chance to apply the patch.
The phpWebSite Development Team
phpWebSite Input Validation Flaws Let Remote Users Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID: 1012200
SecurityTracker URL: http://securitytracker.com/id?1012200
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 12 2004
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Description: A vulnerability was reported in phpWebSite. A remote user can conduct HTTP response splitting attacks.
Maestro reported that the 'index.php' script does not properly validate user-supplied input in several parameters. A remote user can submit a specially crafted HTTP POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
A demonstration exploit POST request is provided:
POST /index.php HTTP/1.0
site in 0wned</html>&password=foobar
Impact: A remote user can create a request that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user may be able to poison any intermediate web caches with arbitrary content.
Solution: The vendor has issued the following patch for 0.9.3-2 or greater:
Vendor URL: phpwebsite.appstate.edu/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Maestro De-Seguridad" <email@example.com>
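The input-validation flaw described in the advisory above, seen from the defender's side. This is an added example, not code from phpWebSite or its patch: it flags form fields whose values contain CR or LF after repeated URL-decoding, and refuses such values before they reach a response header. The function names, `field_a` and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# CR and LF end an HTTP header line; neither belongs in a header value.
_CRLF = re.compile(r"[\r\n]")
MAX_DECODE_ROUNDS = 3  # assumption: enough to catch double/triple encoding


def find_crlf_params(body):
    """Scan an application/x-www-form-urlencoded body.

    Returns (field name, decode round) for every field whose value holds
    CR or LF. Round 0 means raw bytes, 1 means %0d/%0a, 2 means %250d, ...
    """
    hits = []
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        for rnd in range(MAX_DECODE_ROUNDS + 1):
            if _CRLF.search(value):
                hits.append((unquote_plus(name), rnd))
                break
            decoded = unquote_plus(value)
            if decoded == value:  # fully decoded, nothing found
                break
            value = decoded
    return hits


def safe_header_value(value):
    """Sink-side check: refuse to emit a header value containing CR or LF."""
    if _CRLF.search(value):
        raise ValueError("CR/LF in header value")
    return value


# Constructed sample bodies; field_a is a hypothetical parameter name.
SAMPLE_BODIES = [
    "field_a=alice&password=foobar",
    "field_a=alice%0d%0aX-Constructed:%201&password=foobar",
    "field_a=alice%250d%250aX-Constructed:%201&password=foobar",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_crlf_params(body) or "clean", "<-", body)
```

The decode round is worth logging: a hit at round 2 or later means the value was encoded more than once, which normal form submissions do not do.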
Don, pls provide an updated ebuild
www-apps/phpwebsite-0.9.3_p4-r2 now in portage. ~ for all arches.
Arches, please test and mark www-apps/phpwebsite-0.9.3_p4-r2 stable
the comments in files/postinstall-en.txt are wrong
(or something like that)
./secure_phpws.sh or something like that
anyways.. apart from that it seems ok...
*prod* is files/postinstall-en.txt getting fixed?
rizzo : please fix postinstall-en.txt (no revision needed, I think)
alpha,ppc : please mark stable whatever version is there, the postinstall-en.txt is not a blocker.
Fixed. I wasn't sure about the htdocs location with all the webapp-config stuff, but phpwebsite really handles its own branching anyway, so I've hard coded the /var/www/localhost location as you specified.
Sorry for delay.
Stable on alpha.
Marked stable on ppc.
Maintainer or x86 should mark www-apps/phpwebsite-0.9.3_p4-r2 stable too.
x86 stable.. sorry for the delay
This calls a vote. I would vote for a GLSA :) phpwebsite is exposed.
I vote for GLSA on this.
Then GLSA there will be