Package: webcalendar
Severity: grave
Tags: security sid etch

David Maciejak noticed that webcalendar, a PHP-based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames.
The patch for the version in sarge is attached to this mail.

Regards,

Joey

--
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
diff -u webcalendar-0.9.45/debian/changelog webcalendar-0.9.45/debian/changelog --- webcalendar-0.9.45/debian/changelog +++ webcalendar-0.9.45/debian/changelog @@ -1,3 +1,11 @@ +webcalendar (0.9.45-4sarge4) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Unified error messages for unknown users and wrong passwords to + prevent an information leak [includes/user.php, CVE-2006-2247] + + -- Martin Schulze <[EMAIL PROTECTED]> Fri, 12 May 2006 08:10:15 +0200 + webcalendar (0.9.45-4sarge3) stable-security; urgency=high * Fixed multiple security vulnerabilities only in patch2: unchanged: --- webcalendar-0.9.45.orig/includes/user.php +++ webcalendar-0.9.45/includes/user.php @@ -41,8 +41,7 @@ if ( $row[0] == $login ) $ret = true; // found login/password else - $error = translate ("Invalid login") . ": " . - translate("incorrect password"); + $error = translate ("Invalid login"); } else { $error = translate ("Invalid login"); // Could be no such user or bad password @@ -53,12 +52,10 @@ $row = dbi_fetch_row ( $res2 ); if ( $row && ! empty ( $row[0] ) ) { // got a valid username, but wrong password - $error = translate ("Invalid login") . ": " . - translate("incorrect password" ); + $error = translate ("Invalid login"); } else { // No such user. - $error = translate ("Invalid login") . ": " . - translate("no such user" ); + $error = translate ("Invalid login"); } dbi_free_result ( $res2 ); }
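Review bot: In the first user.php hunk (@@ -41,8 +41,7 @@) the inner `else` branch and the outer `else` branch now assign the identical string `translate ("Invalid login")`, so the message selection no longer depends on whether the row matched; consider moving the single assignment after the `if` so a later edit cannot reintroduce a distinct "incorrect password" text in one of the two paths. The existing comment `// Could be no such user or bad password` now describes both branches and should be kept next to the unified assignment.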
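Review bot: In the second user.php hunk (@@ -53,12 +52,10 @@) the `$res2` username lookup and the `if ( $row && ! empty ( $row[0] ) )` test exist only to choose between the "wrong password" and "no such user" messages, and after this change both branches set `translate ("Invalid login")`, so the query, the branch and the `dbi_free_result ( $res2 )` call are dead code. Replacing the whole block with the single `$error = translate ("Invalid login");` line keeps the fix, drops an extra database round-trip on every failed login and removes a second place where the two cases could be told apart in a future edit; if operators still need to distinguish the cases, record that server-side (e.g. in a log) rather than in the response.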