Hi everyone, there are false reports circulating in MITRE CVE and other security sites about a vulnerability in Agavi that leads to an exploit allowing remote attackers to read arbitrary files on the server's filesystem.

This vulnerability found by the reporters does, of course, not exist in Agavi itself, but is a problem in the application code (and has been validated as such) of the website where the vulnerability was found. We have found several vulnerable sites ourselves based on Agavi 0.10 that have apparently all been created by the same agency in France.

Regardless of the version number, Agavi never gives special treatment to specific input parameters or uses them to read files from the file system or perform other potentially unsafe operations. Agavi's unique and consistent input validation concept makes sure that developers only have access to data they validated, and in addition to shipping build templates that enable the secure "strict" validation mode by default, Agavi 1.0 natively assumes this most secure setting in code if no mode is given through configuration. This additional measure further extends Agavi's lead as the most secure PHP application framework and complements Agavi's praised approach of taking rigorous measures to prevent developers from accidentally utilizing unvalidated user input not only from request parameters, but also uploaded files, HTTP headers and even cookies, drastically reducing the possibility of CSRF and XSS attacks.

We have notified MITRE/DHS, NVD/NIST, SecurityFocus/Symantec, milw0rm.org and Sebug.net about the error, as well as the original author, "t0fx". So far, SecurityFocus have corrected the information on their site and changed the status to "RETIRED", along with a remark on a sub-page about the mistake.

Also, we have been in contact with "t0fx" in the meantime, who reacted quickly and sent us the following apology:

> Yes you are right, after some investigations, we saw that the bug
> was due to bad filtered values on the websites we tested the vectors
> on.
> But the vulnerability comes to agavi cms+bad installation..
>
> I REALLY apologize for the fact that we didn't contact you before
> posting the exploit on milw0rm.com, but a friend of mine, working
> with me on finding exploits on websites, told me that he contacted
> you 2 days before... I asked him again this evening and he told me
> that he forgot to do it.... We usually never post vulnerabilities
> unless the coder is contacted, so I'M VERY SORRY FOR THAT.
> We did not want to attempt at your reputation you can trust me...

He assured me that he would contact the various sites where the vulnerability was posted, and notify them that the provided information is incorrect and that the vulnerability does not exist.

Here is a list of the vulnerabilities in various security databases:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4920
- http://www.securityfocus.com/bid/32086
- http://www.sebug.net/exploit/5066/
- http://www.milw0rm.com/exploits/6970

If you know of any other security databases or additional resources or people who might need this information, please forward this email accordingly.

Greetings from Munich,

- David

_______________________________________________
Agavi Dev Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/dev
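The mail above describes the "strict" validation concept: an action only ever sees request data that a validator has accepted, so a parameter that was never validated cannot end up in a file-system call. The following PHP snippet is an added illustration of that idea and is not Agavi's own code or API; the `StrictRequestData` class, the `page` parameter, the `$allowedPages` list and the sample requests are all constructed for the example. It contrasts the failure mode the reporters actually hit (an application passing an unfiltered parameter to a file operation) with a holder that simply refuses to hand out anything unvalidated.

```php
<?php
// Added illustration (not Agavi's own code or API) of a strict-mode
// request data holder. Raw input is kept private; only values that
// passed a registered validator are ever returned to the action.

final class StrictRequestData
{
    /** @var array<string,string> raw input, e.g. a copy of $_GET */
    private array $raw;
    /** @var array<string,mixed> only values that passed a validator */
    private array $validated = [];

    public function __construct(array $raw)
    {
        $this->raw = $raw;
    }

    /** Register a validator; $rule returns the cleaned value, or null to reject. */
    public function validate(string $name, callable $rule): bool
    {
        if (!array_key_exists($name, $this->raw)) {
            return false;
        }
        $clean = $rule($this->raw[$name]);
        if ($clean === null) {
            return false;
        }
        $this->validated[$name] = $clean;
        return true;
    }

    /** Strict mode: raw values are never returned, only validated ones. */
    public function getParameter(string $name, $default = null)
    {
        return $this->validated[$name] ?? $default;
    }
}

// Validator for a hypothetical "page" parameter: an allow-list of known
// template names. Path separators, "..", or any unknown name are rejected,
// so the parameter stays unavailable rather than reaching the filesystem.
$allowedPages = ['home', 'about', 'contact'];
$pageRule = function (string $value) use ($allowedPages): ?string {
    return in_array($value, $allowedPages, true) ? $value : null;
};

// Constructed sample requests standing in for $_GET.
$requests = [
    ['page' => 'about'],
    ['page' => '../../../etc/passwd'],          // traversal attempt, rejected
    ['page' => 'about', 'debug' => '1'],        // "debug" has no validator
];

foreach ($requests as $get) {
    $rd = new StrictRequestData($get);
    $rd->validate('page', $pageRule);

    $page  = $rd->getParameter('page');
    $debug = $rd->getParameter('debug');        // always null: never validated

    if ($page === null) {
        echo "page rejected, serving error page\n";
        continue;
    }

    // Safe by construction: $page is one of the allow-listed names, so the
    // resulting path can only point at a known template.
    $template = __DIR__ . '/templates/' . $page . '.php';
    echo "would render {$template}; debug=" . var_export($debug, true) . "\n";
}
```

The application bug the reporters found corresponds to the opposite pattern, where a handler reads `$_GET['page']` directly and builds a path from it; the point of a strict holder is that such a call has nothing to read from unless a validator was written for that parameter first.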
