On Tuesday 25 March 2008 at 19:14 +0100, Olivier Berger wrote:
> 
> It looks to me as if bug #435936 wasn't completely fixed for
> etch/stable (considering
> http://security-tracker.debian.net/tracker/CVE-2007-4048, thanks to
> Thomas Viehmann for pointing this out).

SNIP

> Anyway, I think that the fix proposed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
>  should apply to 0.9.16.011-2.2 too.
> 

SNIP

> Will try and propose a fix as soon as possible... but considering the
> long period during which eventual stable installations of
> phpgroupware-phpsysinfo have been vulnerable (if it indeed applies to
> the stable version), I suppose harm is already done, so I'm not sure
> there's a case of emergency here:(

Having had a closer look at the phpsysinfo integration in phpgroupware
in etch, I'm not so sure it was even a problem, since I cannot exactly
understand how the vulnerable code could have been executed. It is
located in the phpsysinfo footer and I only see ways to have the
standard phpgroupware footer displayed... but I'm not so much aware of
the XSS mechanism involved here. 

Anyway, assuming that the fix for #435936 was indeed necessary, here's
an attached patch that should fix it for the stable version too.

Maybe I'll get in touch with upstream to try and get a clearer view.

I'll also read the reference on security and NMUs to check what could be
the next steps.

Regards,
-- 
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), 
Evry

--- system_footer.php.orig	2008-03-26 11:14:09.000000000 +0100
+++ system_footer.php	2008-03-26 11:32:26.000000000 +0100
@@ -25,7 +25,7 @@
 
 echo "<center>";
 
-$update_form = "<form method=\"POST\" action=\"$PHP_SELF\">\n"
+$update_form = "<form method=\"POST\" action=\"" . htmlentities($_SERVER['PHP_SELF']) . "\">\n" 
              . "\t" . $text['template'] . ":&nbsp;\n"
              . "\t<select name=\"template\">\n";
 
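Review bot: the `htmlentities()` call on the `+` line passes no flags argument, so on the PHP of this era it runs in its default ENT_COMPAT mode, which escapes double quotes but leaves single quotes untouched; that is enough for this double-quoted `action=\"...\"` attribute, but `htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)` would keep the escaping correct if the attribute quoting is ever changed. Note also that the same line replaces the register_globals-style `$PHP_SELF` with `$_SERVER['PHP_SELF']`, a functional change in its own right that deserves a mention in the changelog, and that it carries trailing whitespace after `\n"`.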
