Hi, I intend to 0-day NMU this bug. I attached a patch for the NMU which fixes the XSS vulnerability. It will be also archived on: http://ftp.cyconet.org/debian/nmu-diff/egroupware-phpsysinfo-1.4.001.dfsg-2-1.4.001.dfsg-2.1.patch
Kind regards, Jan. -- Never write mail to <[EMAIL PROTECTED]>, you have been warned! -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++ ------END GEEK CODE BLOCK------
diff -Nur egroupware-1.4.001.dfsg.orig/debian/changelog egroupware-1.4.001.dfsg/debian/changelog
--- egroupware-1.4.001.dfsg.orig/debian/changelog 2007-09-03 15:00:23.000000000 +0200
+++ egroupware-1.4.001.dfsg/debian/changelog 2007-09-03 15:09:51.000000000 +0200
@@ -1,3 +1,11 @@
+egroupware (1.4.001.dfsg-2.1) experimental; urgency=low
+
+ * Non-maintainer upload
+ * Included 01_fix-CVE-2007-4048.dpatch to fix XSS vulnerability in
+ system_footer.php (CVE-2007-4048)
+
+ -- Jan Wagner <[EMAIL PROTECTED]> Mon, 3 Sep 2007 15:06:06 +0200
+
egroupware (1.4.001.dfsg-2) experimental; urgency=low
* Removed support for Apache 1 and PHP 4 (closes: #432236)
diff -Nur egroupware-1.4.001.dfsg.orig/debian/patches/00list egroupware-1.4.001.dfsg/debian/patches/00list
--- egroupware-1.4.001.dfsg.orig/debian/patches/00list 2007-09-03 15:00:23.000000000 +0200
+++ egroupware-1.4.001.dfsg/debian/patches/00list 2007-09-03 15:05:32.000000000 +0200
@@ -1,2 +1,3 @@
+01_fix-CVE-2007-4048
06-egw-header-template
08-egw-checkinstall-symlink
diff -Nur egroupware-1.4.001.dfsg.orig/debian/patches/01_fix-CVE-2007-4048.dpatch egroupware-1.4.001.dfsg/debian/patches/01_fix-CVE-2007-4048.dpatch
--- egroupware-1.4.001.dfsg.orig/debian/patches/01_fix-CVE-2007-4048.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ egroupware-1.4.001.dfsg/debian/patches/01_fix-CVE-2007-4048.dpatch 2007-09-03 15:01:31.000000000 +0200
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 01_fix-CVE-2007-4048.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad egroupware-1.2.107-2.dfsg~/phpsysinfo/includes/system_footer.php egroupware-1.2.107-2.dfsg/phpsysinfo/includes/system_footer.php
+--- egroupware-1.2.107-2.dfsg~/phpsysinfo/includes/system_footer.php 2007-06-05 17:22:18.000000000 +0200
++++ egroupware-1.2.107-2.dfsg/phpsysinfo/includes/system_footer.php 2007-09-03 12:38:34.000000000 +0200
+@@ -28,7 +28,7 @@
+ if (!$hide_picklist) {
+ echo "<center>";
+
+- $update_form = "<form method=\"POST\" action=\"" . $_SERVER['PHP_SELF'] . "\">\n" . "\t" . $text['template'] . ": \n" . "\t<select name=\"template\">\n";
++ $update_form = "<form method=\"POST\" action=\"" . htmlentities($_SERVER['PHP_SELF']) . "\">\n" . "\t" . $text['template'] . ": \n" . "\t<select name=\"template\">\n";
+
+ $dir = opendir(APP_ROOT . '/templates/');
+ while (false !== ($file = readdir($dir))) {
pgpOq0F4vMaoT.pgp
Description: PGP signature
