Your message dated Mon, 11 Jan 2016 23:35:02 +0000 with message-id <[email protected]> and subject line Bug#703294: fixed in davical 1.1.4-1 has caused the Debian Bug report #703294, regarding davical: fopen mess in caldav.php to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 703294: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703294 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: davical Version: 1.1.1-1 Severity: grave Tags: security upstream Hi. Tagging this as security relevant and important... as someone might even be able to find a tricky way to use this to read arbitrary files (well at least I can't think of one). Again... marking this as grave to notify the security team... if you agree that this is not critical (due to (a) - see below) than please lower the severity to important - Thanks.) In caldav.php there is the following code in the very beginning: if ( isset($_SERVER['PATH_INFO']) && preg_match( '{^(/favicon.ico|davical.css|(images|js|css)/.+)$}', $_SERVER['PATH_INFO'], $matches ) ) { $filename = $_SERVER['DOCUMENT_ROOT'] . preg_replace('{(\.\.|\\\\)}', '', $matches[1]); $fh = @fopen($matches[1],'r'); if ( ! $fh ) { @header( sprintf("HTTP/1.1 %d %s", 404, 'Not found') ); } else { fpassthru($fh); } @ob_flush(); exit(0); } It seems the intention is to pass through some special files even though I can't think why... this is CalDAV and no one should need icons, css and images. Nevertheless... looking at the code this sounds quite problematic,... and it never could have worked anyway. Let's go through it: >if ( isset($_SERVER['PATH_INFO']) && preg_match( >'{^(/favicon.ico|davical.css|(images|js|css)/.+)$}', $_SERVER['PATH_INFO'], >$matches ) ) { The regexp is already problematic a) "/" is inside the "(...)" so only a "...caldav.php/favicon.ico" could have ever been matched (this is why I say it could have never worked so far). PATH_INFO is AFAIK _always_ prefixed by "/" so the other patterns i.e. "davical.css|(images|js|css)/.+" never matched. b) The pattern contains unescaped "."... so this means "any character" and e.g. also a "faviconXico" would be matched. >$filename = $_SERVER['DOCUMENT_ROOT'] . preg_replace('{(\.\.|\\\\)}', '', >$matches[1]); I strongly doubt this replacement will do away with any evil tricks of escaping an attacker would do to manipulate the paths. c) Actually I think it even makes attacks possible.... (if there wouldn't be the above matching bug (a). There's only one pass of preg_replace... and not so many until nothing changes. Wouldn't (a) be a bug.. then one could probably send an url like "/images/.\\./.\\./.\\./etc/shadow) The pattern wouldn't see th \.\. but it would see and remove the \\\\ thereby creating the filename "whatever/images/../../../etc/shadow". A good way to start an attack. > $fh = @fopen($matches[1],'r'); d) What you probably want is opening $filename. e) Last but not least. The whole think will break anyway, when the user has set PHP's open_basedir... So if the whole code is really needed (in a correct for)... then - the code should handle it when open_basedir is set, and e.g. log it or what ever. - the davical documentation need to be updaded, to inform the users that DOCUMENT_ROOT must be added to open_basedir. My suggestion... if you don't really need this pass throughing... Remove this section alltogether... anything is always likely to be security prone. These kind of redirects to file content should anyway be done by the webserver. Especially when "PATH_INFO URLs" are used... it's quite problematic to serve file content via them... this is not intented... and likely to cause security trouble... even if it's on the webserver end.
--- End Message ---
--- Begin Message ---Source: davical Source-Version: 1.1.4-1 We believe that the bug you reported is fixed in the latest version of davical, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Florian Schlichting <[email protected]> (supplier of updated davical package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 11 Jan 2016 23:56:48 +0100 Source: davical Binary: davical davical-doc Architecture: source all Version: 1.1.4-1 Distribution: unstable Urgency: medium Maintainer: Davical Development Team <[email protected]> Changed-By: Florian Schlichting <[email protected]> Description: davical - PHP CalDAV and CardDAV Server davical-doc - PHP CalDAV and CardDAV Server - technical documentation Closes: 656020 703128 703287 703294 764915 Changes: davical (1.1.4-1) unstable; urgency=medium . * New upstream release (closes: #703128, #703294, #703287, #656020, #764915) * Ship all config examples and user documentation, but remove website references since it was moved to its own git repository. * Don't run make / make built-docs during package build to avoid nasty surprises; files should be up-to-date in git anyway * Purge /etc/davical/.keep directory * Clean source tree before creating orig-source tarball Checksums-Sha1: 9c52a46e8365a91b64cef63b655454338ae5232e 2022 davical_1.1.4-1.dsc 7f25dbbb1276880d002597e79411431c1393c21e 1536744 davical_1.1.4.orig.tar.xz 519886eea9c5213d33cee416f6c4048370ef6ce3 11332 davical_1.1.4-1.debian.tar.xz 7606d1a35af8668fef8872518030987031d43bd6 933434 davical-doc_1.1.4-1_all.deb 9736d0fce89a21d8b33e8074db0f0b46facdde8a 368480 davical_1.1.4-1_all.deb Checksums-Sha256: c92c99dd1670eae20606d3099990830aef65c9241b6fa416891557877bd3ef3a 2022 davical_1.1.4-1.dsc c31a525ffe5e1e43e71d9422baf5eb7c1c1d2e8dc53caaba6005f3abd4a6cde9 1536744 davical_1.1.4.orig.tar.xz fc5a1376fa0472fb11ddc4698ae0cd91b326600680c57d88960ecce5d299c032 11332 davical_1.1.4-1.debian.tar.xz 45a31ce55441a28dd2f78a810a1eeca9622043f45610fb3b9517313d369d928b 933434 davical-doc_1.1.4-1_all.deb 58ae4017b071952a446d76d66fad6a9d61cebf3412b684763de3b0cc9fb16fdb 368480 davical_1.1.4-1_all.deb Files: fe353e2e292d35649406e2ec8f75e177 2022 web extra davical_1.1.4-1.dsc 3cfa8ed47ace2d756e41b6508b02dd18 1536744 web extra davical_1.1.4.orig.tar.xz 81c3e5d83109af35b8234ce58294d59f 11332 web extra davical_1.1.4-1.debian.tar.xz 722be1f488a4efc4688cca22bd1bbb81 933434 doc extra davical-doc_1.1.4-1_all.deb 443f0953057d93c6f8108c728b5c5582 368480 web extra davical_1.1.4-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWlDfEAAoJEBKXO25y3Ae1WxYP/2n9fTbd7qzV2H4C0BN5RUXO BOwRLXQutLVJ15dfX29t4EOMXfNXJGnDUfQWBZJyiAcHhly/5+ZHxaQ9lc4G9dA2 F8wVIUO2IRz8C8yw94SM4qRwI+/uRQ1eB/LWAbnbhX3J+X4mrt71DcjeCOWCI4h8 cuQ8NWE2BKWXBQ3orXQP8WYxpXMgNrdTT/jwluLqsgDvi35tn52lVnYsGLEKuXDj jYZyAVMuFHMwSV/v7u2VIaaZqDOJZGZMHRqDJuEsKji9RAS3X9+8brmTXpcS+j5i MIG3cP5OFuie4SA3QzcU5tvgGjnjsrBv/yJdZGDxMgcij3E/epdEPssocPGckBXj s52lIAbSqU2jQSW2q+W0yiE4OJcI8TzX8ZZAFBzCHc/W5AGOOZGPy8kp5VqPg7Tf KSdPD+RdW1WDK804weOuWpdmuC4NyhE08d/Ylf4OuI+UxZLb5C3Znf38EKvBqmlR qe3LLu/1vmIXsqZWoOfD6gPE6VXNHeKjWenxsClal0/PsGrOqCn25Uo4s4DmiPXk Op5QQIvlTDQw+1dA0CEmbT1DwX/VmMaST5XHGavuG2fecAaDph+zpXuQvnxxh6Jc waUewLYplJ5er6CyOGhFPTASporMnPEGmJ3Px8sDkK2jequeaEYYrPxYfQMyBz7S fI+eoHHP4+3NyMbxvn0O =FKjW -----END PGP SIGNATURE-----
--- End Message ---

