Hello Pierre & security team,

While this issue has been addressed in unstable before the holidays, CVE-2005-3334 (multiple xss in flyspray) is still open in sarge. I've taken the liberty to prepare a patch and updated packages.

In short: Taken patch from sid(/upstream), updated it to match the style of the similar checks in that file in 0.9.7 so it's minimally intrusive. Verified that issue is solved.

Patch: attached.
Packages: http://www.a-eskwadraat.nl/~kink/flyspray/

Possible advisory text:

=====
Package        : flyspray
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3334
Debian Bug     : 335997

Lostmon has discovered cross site scripting vulnerabilities in multiple parameters of flyspray, a lightweight bug tracking system, which allows attackers to insert arbitrary script code into the index.php page.

The old stable distribution (woody) does not contain flyspray.

For the stable distribution (sarge) this problem has been fixed in version 0.9.7-2.1.

For the testing (etch) and unstable distribution (sid) this problem has been fixed in version 0.9.8-6.
======

Let me know if you need any more information.

bye,
Thijs
--- flyspray-0.9.7.orig/includes/regexp.php 2004-12-29 07:52:41.000000000 +0100
+++ flyspray-0.9.7/includes/regexp.php 2006-01-16 17:50:53.000000000 +0100
@@ -52,6 +52,18 @@
};
+if ($_GET['sort2']) {
+ // Yes. Now check its regex format for safety -- Limited range
+ if (preg_match ("/^(asc|desc)$/", $_GET['sort2'])) {
+
+ // continue;
+ } else {
+
+ print "Sorting request is invalid."; exit;
+ };
+
+};
+
if ($_GET['project']) {
// Yes. Now check its regex format for safety -- Numbers only
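Review bot: The whitelist for sort2 is the right shape, but `$` in a PCRE pattern also matches just before a trailing newline, so `"/^(asc|desc)$/"` accepts "asc\n"; anchor with `\z` or add the `D` modifier (`"/^(asc|desc)$/D"`) so the regex matches the whole value only. The outer `if ($_GET['sort2'])` also skips validation when the value is falsy ("0" or ""), which mirrors the existing `if ($_GET['project'])` style, so that is consistent with the file, but worth noting that an `isset()` check would be the stricter form.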
@@ -65,6 +77,19 @@
};
};
+if ($_GET['type']) {
+
+ // Yes. Now check its regex format for safety -- Numbers only
+ if (preg_match ("/^\d+$/", $_GET['type'])) {
+
+ // continue;
+
+ } else {
+
+ print "Tasktype request is invalid."; exit;
+ };
+};
+
if ($_GET['page']) {
// Yes. Now check its regex format for safety -- Numbers only
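Review bot: Same end-anchor caveat as the sort2 hunk: `"/^\d+$/"` for type accepts a digit string followed by a single trailing newline, so `"/^\d+$/D"` (or `\z`) is the tighter form. Since this block copies the surrounding "Numbers only" checks for project and page, if the anchor is changed here it should be changed in those checks in the same edit so the file keeps one style.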
@@ -300,4 +325,44 @@
print "Magic URL is invalid."; exit;
};
};
+
+if ($_GET['tasks']) {
+ // Yes. Now check its regex format for safety -- Limited range
+ if (preg_match ("/^(all|assigned|reported|watched)$/", $_GET['tasks'])) {
+
+ // continue;
+ } else {
+
+ print "Tasks request is invalid."; exit;
+ };
+
+};
+
+if ($_GET['due']) {
+
+ // Yes. Now check its regex format for safety -- Numbers only
+ if (preg_match ("/^\d+$/", $_GET['due'])) {
+
+ // continue;
+ } else {
+
+ print "Due version request is invalid."; exit;
+ };
+};
+
+if ($_GET['string']) {
+
+ // Yes. Now check its regex format for safety -- Numbers only
+ if (preg_match ("!<.*>!", $_GET['string'])) {
+ print "Search string request is invalid."; exit;
+ };
+};
+
+if ($_GET['PHPSESSID']) {
+
+ // Yes. Now check its regex format for safety -- Numbers only
+ if (preg_match ("!<.*>!", $_GET['PHPSESSID'])) {
+ print "PHP Session ID is invalid."; exit;
+ };
+};
?>
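Review bot: The string and PHPSESSID checks differ from the rest of the patch: the comments say "Numbers only" but the pattern `!<.*>!` is a blocklist that rejects only a complete `<...>` pair, and because `.` does not match a newline without the `s` modifier, tags split across lines are not caught either. The tasks and due blocks above use whitelists and are the stronger pattern; PHPSESSID in particular has a known character set (PHP's default session ids are `[A-Za-z0-9,-]`), so `preg_match("/^[A-Za-z0-9,-]+$/D", $_GET['PHPSESSID'])` would fit the file's existing style. For the free-form search `string`, input filtering cannot be made complete, so the value should additionally be passed through `htmlspecialchars()` at the point where it is echoed into the page; if that is out of scope for a minimal sarge update, at least fix the comments so they describe what the regex actually does.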