Package: webcalendar
Version: 0.9.45-2
Severity: normal
Tags: security patch
Good day,
From [1]:
| There is a security hole in WebCalendar 0.9.45 and
| earlier that can allow a malicious user to issue SQL
| commands to affect your database. The user could
| insert data, delete data or drop tables. The malicious
| user does not need to have a valid WebCalendar login.
|
| This security issue does not affect sites using
| http-based authentication for WebCalendar or sites
| running in single-user mode. It only affects installs
| using web-based authentication and running in
| multi-user mode.
|
| If you have WebCalendar 1.0RC1 or later, this fix is
| already included, so you do not need to update anything.
A patch for 0.9.45-2 is available at [1] and attached to this bug
report.
Regards.
[1] http://sourceforge.net/tracker/index.php?func=detail&aid=1121329&group_id=3870&atid=303870
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-rfb-swsusp
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages webcalendar depends on:
ii apache [httpd] 1.3.33-4 versatile, high-performance HTTP s
ii apache-ssl [httpd] 1.3.33-4 versatile, high-performance HTTP s
ii debconf [debconf-2.0] 1.4.45 Debian configuration management sy
ii mysql-server 4.0.23-7 mysql database server binaries
ii php4 4:4.3.10-7 server-side, HTML-embedded scripti
ii php4-cli 4:4.3.10-7 command-line interpreter for the p
ii php4-mysql 4:4.3.10-7 MySQL module for php4
-- debconf information:
* webcalendar/conf/db_host: localhost
* webcalendar/note/sql_install:
webcalendar/status/db_installed: false
* webcalendar/note/admin_user:
webcalendar/conf/db_persistent: true
webcalendar/conf/single_user_login:
* webcalendar/conf/single_user_mode: false
* webcalendar/conf/db_database: test
* webcalendar/conf/db_type: mysql
* webcalendar/conf/db_login: web
* webcalendar/conf/db_password: taket
webcalendar/conf/use_http_auth: false
* webcalendar/status/debconf_managed: true
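The following is an added example, not code from this bug report or from WebCalendar. It models the flaw the advisory describes (the login name spliced unescaped into SQL text) and the mitigation the attached patch introduces (reject any login that addslashes() would change), using an in-memory SQLite database rather than MySQL. The table names, the stand-in for a multi-statement database layer (executescript), and the "--" appended to the advisory's payload so the script stays parseable are all assumptions of this example; it also shows the check's side effect on a legitimate login containing an apostrophe, and a parameterised query as the fix that does not depend on filtering input.

```python
# Added example; not code from the bug report or from WebCalendar.
# Constructed schema and payload; table names are illustrative only.
import sqlite3


def addslashes(s: str) -> str:
    """Port of PHP's addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch == "\x00":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def login_is_legal(login: str) -> bool:
    """The patch's test: the login is legal only if addslashes() leaves it unchanged."""
    return login == addslashes(login)


def fresh_db() -> sqlite3.Connection:
    """Constructed user table plus a table 'u', the one the advisory's payload drops."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (login TEXT, passwd TEXT);"
        "INSERT INTO users VALUES ('alice', 'secret');"
        "CREATE TABLE u (id INTEGER);"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def vulnerable_lookup(conn: sqlite3.Connection, login: str) -> None:
    """Pre-patch pattern: the login is interpolated into the SQL text unescaped.
    executescript() stands in for a database layer that accepts stacked
    statements, which is what lets the ';drop table u;' in the payload run."""
    conn.executescript(f"SELECT * FROM users WHERE login = '{login}';")


def safe_lookup(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised query: the login is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT login FROM users WHERE login = ?", (login,)
    ).fetchall()


# The advisory's payload "x';drop table u;" with "--" appended so the quote
# the query template adds after it is commented out and the script parses.
PAYLOAD = "x';drop table u;--"


def run_unpatched(login: str) -> bool:
    """Unfiltered lookup; returns whether table 'u' survived."""
    conn = fresh_db()
    vulnerable_lookup(conn, login)
    return table_exists(conn, "u")


def run_patched(login: str) -> str:
    """Apply the patch's check first; returns 'rejected', 'ok' or 'dropped'."""
    conn = fresh_db()
    if not login_is_legal(login):
        return "rejected"  # patch: echo "Illegal characters in login"; exit
    vulnerable_lookup(conn, login)
    return "ok" if table_exists(conn, "u") else "dropped"


def run_parameterised(login: str) -> bool:
    """Same payload against the bound query: no rows match and 'u' is intact."""
    conn = fresh_db()
    rows = safe_lookup(conn, login)
    return rows == [] and table_exists(conn, "u")


if __name__ == "__main__":
    print("unpatched, table u survives:", run_unpatched(PAYLOAD))   # False
    print("patched, payload:", run_patched(PAYLOAD))                 # rejected
    print("patched, normal login:", run_patched("alice"))           # ok
    print("patched, apostrophe login:", run_patched("o'brien"))     # rejected
    print("parameterised query, payload:", run_parameterised(PAYLOAD))  # True
```

The rejection check blocks the payload because it contains a quote, but it also rejects a legitimate login such as o'brien; escaping or binding the value at the query site, as run_parameterised does, removes the injection without that restriction.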
*** includes/validate.php.orig Fri Nov 5 21:43:38 2004
--- includes/validate.php Sat Feb 12 08:32:45 2005
***************
*** 38,43 ****
--- 38,55 ----
$login_pw = split('\|', decode_string ($encoded_login));
$login = $login_pw[0];
$cryptpw = $login_pw[1];
+ // Security fix. Don't allow certain types of characters in
+ // the login. WebCalendar does not escape the login name in
+ // SQL requests. So, if the user were able to set the login
+ // name to be "x';drop table u;",
+ // they may be able to affect the database.
+ if ( ! empty ( $login ) ) {
+ if ( $login != addslashes ( $login ) ) {
+ echo "Illegal characters in login " .
+ "<tt>" . htmlentities ( $login ) . "</tt>";
+ exit;
+ }
+ }
// make sure we are connected to the database for password check
$c = dbi_connect ( $db_host, $db_login, $db_password, $db_database );
if ( ! $c ) {
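Review bot: this filters the login at one entry point instead of fixing the root cause the comment itself names, the login not being escaped where it is interpolated into SQL; any other path that builds SQL from $login (and from $cryptpw, which is taken from the same decoded cookie two lines above and is not checked here, if it is also interpolated) stays exposed. Suggest escaping at the query site, with addslashes or the driver's escape function applied to every value built into SQL text, and keeping this check as defence in depth. Two smaller points: the outer `if ( ! empty ( $login ) )` is redundant, since addslashes('') is '' and the inner test already passes for an empty login; and a user whose existing login legitimately contains a quote or backslash is now locked out with a bare echo and exit, which the patch description should state.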
*** login.php.orig Tue Nov 23 02:55:16 2004
--- login.php Sat Feb 12 08:21:09 2005
***************
*** 62,67 ****
--- 62,71 ----
$login = stripslashes ( $login );
}
$login = trim ( $login );
+ if ( $login != addslashes ( $login ) ) {
+ echo "Illegal characters in login";
+ exit;
+ }
if ( user_valid_login ( $login, $password ) ) {
user_load_variables ( $login, "" );
// set login to expire in 365 days
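Review bot: this is the same `$login != addslashes ( $login )` test as in validate.php, duplicated by hand with a different error message; factor it into one helper (for instance `login_has_illegal_chars ( $login )`, a hypothetical name) called from both files so the two sites cannot drift apart. The placement is right: the check runs after the conditional stripslashes() and the trim() above it, so it tests the login as it will actually be used rather than the raw form value. Minor style point: `!==` is the stricter comparison idiom here, though with two strings `!=` behaves the same.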