* Matthias Firner:
> There are still problems in egroupware regarding xmlrpc. The new
> upstream release 1.0.0.009-3 fixes this issue. Upstream recommends
> "everyone to update to this release asap."
Thanks for alerting us to the problem.
Is there any real description of the fixed issues?
As far as I can see, the diff fixes two issues. Unsafe use of /tmp:
--- egroupware.old/phpgwapi/inc/class.xmlrpc_server_php.inc.php 2005-08-19
14:33:21.000000000 +0200
+++ egroupware.new/phpgwapi/inc/class.xmlrpc_server_php.inc.php 2005-09-20
13:31:41.000000000 +0200
@@ -35,7 +35,7 @@
* Incorporated for egroupware by Miles Lott <[EMAIL PROTECTED]>
*/
- /* $Id: class.xmlrpc_server_php.inc.php,v 1.4.4.5 2005/08/19 12:33:21
milosch Exp $ */
+ /* $Id: class.xmlrpc_server_php.inc.php,v 1.4.4.6 2005/09/20 10:13:09
ralfbecker Exp $ */
/* BEGIN server class */
class xmlrpc_server extends xmlrpc_server_shared
@@ -46,7 +46,7 @@
var $resp_struct = array();
var $debug = False;
var $method_requested;
- var $log = '/tmp/xmlrpc.log';
+ var $log = False; //'/tmp/xmlrpc.log';
function xmlrpc_server($dispMap='', $serviceNow=0)
{
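Review bot: setting `$log = False` removes the fixed, world-readable and world-writable `/tmp/xmlrpc.log` path, but the old path survives as a trailing comment on the same line, so whoever next turns debugging on is likely to restore exactly the same predictable location; either drop the `//'/tmp/xmlrpc.log'` comment or point it at a file under the installation's own data directory with restrictive permissions, and note in the class header (where only the `$Id$` line changed) that request logging is now off by default.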
And a SQL injection vulnerability:
diff --exclude CVS -urN
egroupware.old/preferences/inc/hook_deleteaccount.inc.php
egroupware.new/preferences/inc/hook_deleteaccount.inc.php
--- egroupware.old/preferences/inc/hook_deleteaccount.inc.php 2002-11-20
22:34:47.000000000 +0100
+++ egroupware.new/preferences/inc/hook_deleteaccount.inc.php 2005-09-20
13:31:48.000000000 +0200
@@ -10,13 +10,13 @@
* option) any later version. *
\**************************************************************************/
- /* $Id: hook_deleteaccount.inc.php,v 1.3 2002/11/20 21:34:47 ralfbecker Exp
$ */
+ /* $Id: hook_deleteaccount.inc.php,v 1.3.6.1 2005/09/20 08:21:50 ralfbecker
Exp $ */
// Delete all records for a user
$table_locks = Array('phpgw_preferences');
$GLOBALS['phpgw']->db->lock($table_locks);
- $GLOBALS['phpgw']->db->query('DELETE FROM phpgw_preferences WHERE
preference_owner='.$GLOBALS['HTTP_POST_VARS']['account_id'],__LINE__,__FILE__);
+ $GLOBALS['phpgw']->db->query('DELETE FROM phpgw_preferences WHERE
preference_owner='.(int)$_POST['account_id'],__LINE__,__FILE__);
$GLOBALS['phpgw']->db->unlock();
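Review bot: the `(int)` cast on `$_POST['account_id']` closes the injection for this one statement, since nothing but an integer can now reach the `WHERE preference_owner=` clause, but the hook still decides which account's preferences to delete from raw POST data instead of from whatever the delete-account hook is invoked with; worth checking whether the hook receives the account id as an argument and using that instead of `$_POST`, so the record deleted is the one the caller is actually removing. The move from `$GLOBALS['HTTP_POST_VARS']` to `$_POST` also quietly raises the minimum PHP version for this file, which should be stated in the changelog.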
(It is not clear to me what rights are required before you can mount
the SQL injection attack.)