Your message dated Mon, 11 Jan 2016 23:35:02 +0000
with message-id <[email protected]>
and subject line Bug#703294: fixed in davical 1.1.4-1
has caused the Debian Bug report #703294,
regarding davical: fopen mess in caldav.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
703294: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703294
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: davical
Version: 1.1.1-1
Severity: grave
Tags: security upstream


Hi.

Tagging this as security relevant and important... as someone might
even be able to find a tricky way to use this to read arbitrary
files (well at least I can't think of one).
Again... marking this as grave to notify the security team... if you agree
that this is not critical (due to (a) - see below) than please lower the 
severity
to important - Thanks.)

In caldav.php there is the following code in the very beginning:
if ( isset($_SERVER['PATH_INFO']) && preg_match( 
'{^(/favicon.ico|davical.css|(images|js|css)/.+)$}', $_SERVER['PATH_INFO'], 
$matches ) ) {
  $filename = $_SERVER['DOCUMENT_ROOT'] . preg_replace('{(\.\.|\\\\)}', '', 
$matches[1]);
  $fh = @fopen($matches[1],'r');
  if ( ! $fh ) {
    @header( sprintf("HTTP/1.1 %d %s", 404, 'Not found') );
  }
  else {
    fpassthru($fh);
  }
  @ob_flush(); exit(0);
}

It seems the intention is to pass through some special files even though I 
can't think
why... this is CalDAV and no one should need icons, css and images.


Nevertheless... looking at the code this sounds quite problematic,... and it 
never
could have worked anyway.
Let's go through it:

>if ( isset($_SERVER['PATH_INFO']) && preg_match( 
>'{^(/favicon.ico|davical.css|(images|js|css)/.+)$}', $_SERVER['PATH_INFO'], 
>$matches ) ) {
The regexp is already problematic
a) "/" is inside the "(...)" so only a "...caldav.php/favicon.ico" could have 
ever been matched
   (this is why I say it could have never worked so far).
   PATH_INFO is AFAIK _always_ prefixed by "/" so the other patterns i.e. 
   "davical.css|(images|js|css)/.+" never matched.
b) The pattern contains unescaped "."... so this means "any character" and e.g.
   also a "faviconXico" would be matched.

>$filename = $_SERVER['DOCUMENT_ROOT'] . preg_replace('{(\.\.|\\\\)}', '', 
>$matches[1]);
I strongly doubt this replacement will do away with any evil tricks of escaping
an attacker would do to manipulate the paths.
c) Actually I think it even makes attacks possible.... (if there wouldn't be 
the above matching bug (a).
   There's only one pass of preg_replace... and not so many until nothing 
changes.
   Wouldn't (a) be a bug.. then one could probably send an url like
   "/images/.\\./.\\./.\\./etc/shadow)
   The  pattern wouldn't see th \.\. but it would see and remove the \\\\
   thereby creating the filename "whatever/images/../../../etc/shadow".
   A good way to start an attack.

> $fh = @fopen($matches[1],'r');
d) What you probably want is opening $filename.


e) Last but not least.
The whole think will break anyway, when the user has set PHP's
open_basedir...
So if the whole code is really needed (in a correct for)...
then
- the code should handle it when open_basedir is set, and e.g.
log it or what ever.
- the davical documentation need to be updaded, to inform the users
  that DOCUMENT_ROOT must be added to open_basedir.



My suggestion... if you don't really need this pass throughing...
Remove this section alltogether... anything is always likely to be security 
prone.

These kind of redirects to file content should anyway be done by the webserver.
Especially when "PATH_INFO URLs" are used... it's quite problematic to serve
file content via them... this is not intented... and likely to cause security 
trouble...
even if it's on the webserver end.

--- End Message ---
--- Begin Message ---
Source: davical
Source-Version: 1.1.4-1

We believe that the bug you reported is fixed in the latest version of
davical, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <[email protected]> (supplier of updated davical package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Jan 2016 23:56:48 +0100
Source: davical
Binary: davical davical-doc
Architecture: source all
Version: 1.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Davical Development Team <[email protected]>
Changed-By: Florian Schlichting <[email protected]>
Description:
 davical    - PHP CalDAV and CardDAV Server
 davical-doc - PHP CalDAV and CardDAV Server - technical documentation
Closes: 656020 703128 703287 703294 764915
Changes:
 davical (1.1.4-1) unstable; urgency=medium
 .
   * New upstream release (closes: #703128, #703294, #703287, #656020, #764915)
   * Ship all config examples and user documentation, but remove website
     references since it was moved to its own git repository.
   * Don't run make / make built-docs during package build to avoid nasty
     surprises; files should be up-to-date in git anyway
   * Purge /etc/davical/.keep directory
   * Clean source tree before creating orig-source tarball
Checksums-Sha1:
 9c52a46e8365a91b64cef63b655454338ae5232e 2022 davical_1.1.4-1.dsc
 7f25dbbb1276880d002597e79411431c1393c21e 1536744 davical_1.1.4.orig.tar.xz
 519886eea9c5213d33cee416f6c4048370ef6ce3 11332 davical_1.1.4-1.debian.tar.xz
 7606d1a35af8668fef8872518030987031d43bd6 933434 davical-doc_1.1.4-1_all.deb
 9736d0fce89a21d8b33e8074db0f0b46facdde8a 368480 davical_1.1.4-1_all.deb
Checksums-Sha256:
 c92c99dd1670eae20606d3099990830aef65c9241b6fa416891557877bd3ef3a 2022 
davical_1.1.4-1.dsc
 c31a525ffe5e1e43e71d9422baf5eb7c1c1d2e8dc53caaba6005f3abd4a6cde9 1536744 
davical_1.1.4.orig.tar.xz
 fc5a1376fa0472fb11ddc4698ae0cd91b326600680c57d88960ecce5d299c032 11332 
davical_1.1.4-1.debian.tar.xz
 45a31ce55441a28dd2f78a810a1eeca9622043f45610fb3b9517313d369d928b 933434 
davical-doc_1.1.4-1_all.deb
 58ae4017b071952a446d76d66fad6a9d61cebf3412b684763de3b0cc9fb16fdb 368480 
davical_1.1.4-1_all.deb
Files:
 fe353e2e292d35649406e2ec8f75e177 2022 web extra davical_1.1.4-1.dsc
 3cfa8ed47ace2d756e41b6508b02dd18 1536744 web extra davical_1.1.4.orig.tar.xz
 81c3e5d83109af35b8234ce58294d59f 11332 web extra davical_1.1.4-1.debian.tar.xz
 722be1f488a4efc4688cca22bd1bbb81 933434 doc extra davical-doc_1.1.4-1_all.deb
 443f0953057d93c6f8108c728b5c5582 368480 web extra davical_1.1.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWlDfEAAoJEBKXO25y3Ae1WxYP/2n9fTbd7qzV2H4C0BN5RUXO
BOwRLXQutLVJ15dfX29t4EOMXfNXJGnDUfQWBZJyiAcHhly/5+ZHxaQ9lc4G9dA2
F8wVIUO2IRz8C8yw94SM4qRwI+/uRQ1eB/LWAbnbhX3J+X4mrt71DcjeCOWCI4h8
cuQ8NWE2BKWXBQ3orXQP8WYxpXMgNrdTT/jwluLqsgDvi35tn52lVnYsGLEKuXDj
jYZyAVMuFHMwSV/v7u2VIaaZqDOJZGZMHRqDJuEsKji9RAS3X9+8brmTXpcS+j5i
MIG3cP5OFuie4SA3QzcU5tvgGjnjsrBv/yJdZGDxMgcij3E/epdEPssocPGckBXj
s52lIAbSqU2jQSW2q+W0yiE4OJcI8TzX8ZZAFBzCHc/W5AGOOZGPy8kp5VqPg7Tf
KSdPD+RdW1WDK804weOuWpdmuC4NyhE08d/Ylf4OuI+UxZLb5C3Znf38EKvBqmlR
qe3LLu/1vmIXsqZWoOfD6gPE6VXNHeKjWenxsClal0/PsGrOqCn25Uo4s4DmiPXk
Op5QQIvlTDQw+1dA0CEmbT1DwX/VmMaST5XHGavuG2fecAaDph+zpXuQvnxxh6Jc
waUewLYplJ5er6CyOGhFPTASporMnPEGmJ3Px8sDkK2jequeaEYYrPxYfQMyBz7S
fI+eoHHP4+3NyMbxvn0O
=FKjW
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to