On Tue, 2005-11-01 at 20:52 +0100, Thijs Kinkhorst wrote:
> Packages for 2.0.18 for sid are nearly ready, we only need some code to
> add a new database table. Jeroen is working on this, and will upload as
> soon as this is fixed.

Packages for sid have been uploaded. CVE-names were not present before,
but are retroactively mentioned in the changelog for the following
upload.

> STABLE

This is a really complex bug since: CVE mentions some vulnerabilities
that upstream doesn't, upstream mentions vulnerabilities that are
unknown to CVE, not all seem to be properly fixed, and details of the
specifics of the vulnerability are nowhere to be found (all go no
further than one or two sentences). But I'll do the best I can.

After my previous analysis, this is what's left, grouped by CVE-id:

CVE-2005-3310: Multiple interpretation error in phpBB 2.0.17.
 - Actually an IE vulnerability, but fixing here.
 - Fix is in svn.

CVE-2005-3415: bypass protection mechanisms that deregister global
    variables by setting both a GPC variable and a GLOBALS[] variable
 - Only relevant when register_globals is On
 - Fix is in svn.

CVE-2005-3416: bypass security checks by setting the $_SESSION and
    $HTTP_SESSION_VARS variables to strings instead of arrays
 - Only relevant when register_globals is On
 - Fix is in svn.

CVE-2005-3417: modify global variables and bypass security mechanisms
 - Fix only applies to PHP5, which is not in sarge.
 - Sarge NOT vulnerable.

CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities
 - 1. error_msg parameter to usercp_register.php
 - 2. forward_page parameter to login.php
 - 3. list_cat parameter to search.php
 - Only relevant when register_globals is On
 - Fix for no 3 does not seem to appear in upstream release!
   TODO: Will probably contact them and prepare another update for sid,
   but needs to be checked first.
 - Fix is in svn.

CVE-2005-3419: SQL injection vulnerability in usercp_register.php,
    signature_bbcode_uid parameter
CVE-2005-3420: modify regular expressions and execute PHP code via the
    signature_bbcode_uid parameter
 - Only relevant when register_globals is On
 - Cannot find what exactly should fix this in the upstream patch.
   Maybe it's me, or it isn't included? Jeroen, please take a look at
   this.
 - TODO

Apart from the CVE-assigned vulnerabilities, upstream also indicated
other security issues:

> [Sec] fixed validation of topic type when posting
  - Fix is in svn.

> [Sec] fixed potential to select images outside the specified path as
> avatars or smilies
  - Fix is in svn.

> [Sec] signature field is not properly sanitised for user input when an
  - Fix is in svn.

> [Sec] changed avatar gallery code sections to prevent possible
> injection points (AnthraX101)
  - Unknown to me what is meant here and what fixes it. No details to be
    found anywhere, description is very vague.
  - TODO

> [Sec] fixed ability to edit PM's you did not send (depablo84)
> [Sec] check to_username and ownership when editing a PM
  - Assuming this is a duplicate.
  - Fix is in svn.

That's it for now.


SUMMARY
-> Need to research CVE-2005-3419, CVE-2005-3420
-> Need to research AnthraX101 fix
-> Need to check already uploaded 2.0.18 if it indeed fixes everything
   (todo after stable version is finished)


bye,
Thijs
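
The checks below are an added illustration of the bug classes the mail lists, written for this page; they are not phpBB code and not the 2.0.18 upstream patch. Function names, the assumed 10-hex-character bbcode uid format, the gallery layout and the constructed inputs are all assumptions, and the code targets a current PHP rather than the PHP 4 in sarge.

```php
<?php
// Added illustration of the bug classes discussed above; not phpBB code and
// not the 2.0.18 patch. Function names, the uid format and the gallery
// layout are assumptions made for the example.

// CVE-2005-3416 class: the session container arrives as a string instead of
// an array. Normalise the type before any key lookup.
function session_vars_as_array($session_vars)
{
    // With register_globals on, a request parameter can replace
    // $HTTP_SESSION_VARS with a string; code that indexes it by key would then
    // operate on string offsets instead of failing outright.
    return is_array($session_vars) ? $session_vars : array();
}

// CVE-2005-3419/3420 class: a bbcode uid that reaches both an SQL statement
// and a regular expression. Assumption: a uid is 10 lowercase hex characters
// (phpBB 2 derives it from an md5 digest); anything else is rejected.
function valid_bbcode_uid($uid)
{
    return is_string($uid) && preg_match('/^[a-f0-9]{10}$/', $uid) === 1;
}

// CVE-2005-3418 class: reflected parameters such as error_msg or forward_page
// must be HTML-escaped before they are echoed back into the page.
function html_escape($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// "select images outside the specified path as avatars or smilies" class:
// resolve the requested file and require it to stay inside the gallery root.
function gallery_image_path($gallery_root, $requested)
{
    $root = realpath($gallery_root);
    $path = realpath($gallery_root . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $path === false) {
        return false;
    }
    // Only paths strictly below the root directory are acceptable.
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Constructed inputs exercising the checks.
assert(session_vars_as_array('not-an-array') === array());
assert(session_vars_as_array(array('user_id' => 2)) === array('user_id' => 2));

assert(valid_bbcode_uid('0a1b2c3d4e'));
assert(!valid_bbcode_uid("0a1b2c3d4e' OR 1=1 -- "));   // SQL metacharacters
assert(!valid_bbcode_uid('0a1b2c3d]/e'));              // breaks a regex pattern
assert(!valid_bbcode_uid(array('0a1b2c3d4e')));        // wrong type

assert(html_escape('<script>alert(1)</script>')
    === '&lt;script&gt;alert(1)&lt;/script&gt;');

// Temporary gallery layout built only for the demonstration.
$gallery = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_' . uniqid();
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside_' . basename($gallery);
mkdir($gallery);
touch($gallery . DIRECTORY_SEPARATOR . 'ok.gif');
touch($outside);

assert(gallery_image_path($gallery, 'ok.gif') !== false);
assert(gallery_image_path($gallery, '../' . basename($outside)) === false);
assert(gallery_image_path($gallery, 'missing.gif') === false);

unlink($outside);
unlink($gallery . DIRECTORY_SEPARATOR . 'ok.gif');
rmdir($gallery);

echo "all checks passed\n";
```

The uid check is deliberately a whitelist rather than escaping: a value that is used both inside an SQL string and inside a regular expression needs two different escapings, and rejecting anything outside the expected alphabet removes both injection points at once. The path check resolves both the root and the candidate with realpath() so that `..` segments and symlinks are compared after resolution, not as typed.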
