Your message dated Sat, 11 Oct 2008 19:52:37 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#423441: fixed in blosxom 2.0-14+etch1
has caused the Debian Bug report #423441,
regarding blosxom: param("-f") for exec introduces security hole
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
423441: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423441
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: blosxom
Version: 2.0-14
Severity: grave
Tags: security
Justification: user security hole

On line 69, param("-f") is used as a potential configuration file:

    for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
        if (-r $rcfile) {
            open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
            while (<RC>) {
                eval("$_");
            }
            close (RC);
        }
    }

This means (among other things) that a malicious user can use a URL like:

    http://mycomputer/cgi-bin/blosxom?-f=/home/malicioususer/exploit.pl

to execute arbitrary code as whomever runs cgi scripts.

I emailed the credited author of this debian-specific chunk of code, who
said he wrote it to be used from the command-line. Indeed, when run from
the command-line, you can use

    $ blosxom -f=/path/to/blosxom.conf

but this is just passing URL-encoded form data on the command line and
IMHO is an abuse of a feature in the CGI module to make testing easier.
As debian installs blosxom into /usr/lib/cgi-bin/ it is clearly going to
be run by many people as a CGI.

In fact there are inappropriate calls to param() all over the place.
This one just happens to introduce a security hole.

I think I'll use pyblosxom instead. :)

Sorry, no patches, perl scares me.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-linode28
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages blosxom depends on:
ii  debconf [debconf-2.0]   1.5.11   Debian configuration management sy
ii  perl                    5.8.8-7  Larry Wall's Practical Extraction

Versions of packages blosxom recommends:
ii  apache2-mpm-prefork [httpd]   2.2.3-4   Traditional model for Apache HTTPD

-- debconf information:
  blosxom/breakage:
  blosxom/old_cgi_file: false
--- End Message ---
--- Begin Message ---
Source: blosxom
Source-Version: 2.0-14+etch1

We believe that the bug you reported is fixed in the latest version of
blosxom, which is due to be installed in the Debian FTP archive:

blosxom_2.0-14+etch1.diff.gz
  to pool/main/b/blosxom/blosxom_2.0-14+etch1.diff.gz
blosxom_2.0-14+etch1.dsc
  to pool/main/b/blosxom/blosxom_2.0-14+etch1.dsc
blosxom_2.0-14+etch1_all.deb
  to pool/main/b/blosxom/blosxom_2.0-14+etch1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerfried Fuchs <[EMAIL PROTECTED]> (supplier of updated blosxom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 06 Oct 2008 16:01:44 +0200
Source: blosxom
Binary: blosxom
Architecture: source all
Version: 2.0-14+etch1
Distribution: stable
Urgency: high
Maintainer: Pascal Hakim <[EMAIL PROTECTED]>
Changed-By: Gerfried Fuchs <[EMAIL PROTECTED]>
Description:
 blosxom    - light, feature-packed weblog app with plugin extensibility
Closes: 423441 500873
Changes:
 blosxom (2.0-14+etch1) stable; urgency=high
 .
   * Apply patch to fix Cross-Site Scripting (XSS) vulnerability with
     respect to unknown flavours (CVE-2008-2236) (closes: #500873)
   * Only use param("-f") if $ENV{GATEWAY_INTERFACE} isn't set
     (closes: #423441)
Files:
 1967039427f10e01f9d4731e2ceb22a4 621 web optional blosxom_2.0-14+etch1.dsc
 8b48b28026847656cd68eda0c2c8bf3d 19727 web optional blosxom_2.0-14+etch1.diff.gz
 eac216663aed042c2ff78c3bd8e9d685 30202 web optional blosxom_2.0-14+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjqSnUACgkQELuA/Ba9d8Y8RgCePsF7cvo0xqtvWsMRZUF75A13
AOYAnjPhCyMKf2Av98tnGvlQc7D6v8YM
=wWTb
-----END PGP SIGNATURE-----
--- End Message ---
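The rcfile selection quoted in the report, beside the behaviour the changelog entry describes, as an added example that is neither blosxom's own code nor Debian's patch. It assumes the CGI module is installed and that the fix amounts to ignoring param("-f") whenever GATEWAY_INTERFACE is set; the file paths in the constructed inputs are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not blosxom's code): why CGI.pm made param("-f") reachable
# from a web request, and the GATEWAY_INTERFACE check the fix relies on.
# CGI.pm parses "-f=/path" the same way whether it arrives in @ARGV or in a
# query string, so the reported loop let any request pick a file to eval().
use strict;
use warnings;
use CGI;

my @SYSTEM_RC = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");

# Reported behaviour: param("-f") is always a candidate, whoever supplied it.
sub rcfile_candidates_vulnerable {
    my ($q) = @_;
    my $f = $q->param("-f");    # scalar context: undef when absent
    return (@SYSTEM_RC, defined $f ? ($f) : ());
}

# Behaviour described by the fix (assumed form): honour -f only when
# GATEWAY_INTERFACE is unset, i.e. when not invoked by a web server.
# A CGI gateway sets it to something like "CGI/1.1"; a shell does not.
sub rcfile_candidates_fixed {
    my ($q, $gateway_interface) = @_;
    my @rc = @SYSTEM_RC;
    if (!defined $gateway_interface) {
        my $f = $q->param("-f");
        push @rc, $f if defined $f;
    }
    return @rc;
}

# Constructed inputs: CGI->new($string) parses the string as a query string,
# which is exactly what a GET request's QUERY_STRING or joined @ARGV becomes.
my $web_request  = CGI->new('-f=/home/someuser/evil.pl');        # hypothetical
my $command_line = CGI->new('-f=/home/admin/blosxom.conf');      # hypothetical

print "web request, reported:  ", join(' ', rcfile_candidates_vulnerable($web_request)), "\n";
print "web request, fixed:     ", join(' ', rcfile_candidates_fixed($web_request, 'CGI/1.1')), "\n";
print "command line, fixed:    ", join(' ', rcfile_candidates_fixed($command_line, undef)), "\n";
```

In the fixed variant the web request only ever yields the two system paths, while the command-line invocation still gets its -f override, which is the compromise the changelog entry describes.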

