Hi. I'm trying to understand if/how the code in 0.9.16.011 was indeed vulnerable concerning the phpsysinfo XSS vulnerability...
Can you please enlighten me (privately, if details are sensitive)? My impression is that the Debian package was after all not vulnerable... as the phpsysinfo footer shouldn't have been called directly, phpsysinfo being wrapped by phpgroupware... Or I have it all wrong on how the XSS works... or the proposed patch for a fix for Debian was useless... or... I'm a bit lost ;)

See a copy of a message I just sent to the Debian BTS (full thread: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472685 )

Btw, if there's a security related list, it may be worth being on board as soon as possible to be able to prepare patches and so on for the Debian package...

Many thanks in advance.

-------- Forwarded message --------
From: Olivier Berger <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?
Date: Wed, 26 Mar 2008 11:40:15 +0100

On Tuesday 25 March 2008 at 19:14 +0100, Olivier Berger wrote:
>
> It looks to me as if bug #435936 wasn't completely fixed for
> etch/stable (considering
> http://security-tracker.debian.net/tracker/CVE-2007-4048, thanks to
> Thomas Viehmann for pointing this out).

SNIP

> Anyway, I think that the fix proposed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
> should apply to 0.9.16.011-2.2 too.
>

SNIP

> Will try and propose a fix as soon as possible... but considering the
> long period during which eventual stable installations of
> phpgroupware-phpsysinfo have been vulnerable (if it indeed applies to
> the stable version), I suppose harm is already done, so I'm not sure
> there's a case of emergency here :(

Having had a closer look at the phpsysinfo integration in phpgroupware in etch, I'm not so sure it was even a problem, since I cannot exactly understand how the vulnerable code could have been executed.
It is located in the phpsysinfo footer and I only see ways to have the standard phpgroupware footer displayed... but I'm not so much aware of the XSS mechanism involved here.

Anyway, assuming that the fix for #435936 was indeed necessary, here's an attached patch that should fix it for the stable version too.

Maybe I'll get in touch with upstream to try and get a clearer view. I'll also read the reference on security and NMUs to check what could be the next steps.

Regards,

--- system_footer.php.orig	2008-03-26 11:14:09.000000000 +0100
+++ system_footer.php	2008-03-26 11:32:26.000000000 +0100
@@ -25,7 +25,7 @@
 echo "<center>";
-$update_form = "<form method=\"POST\" action=\"$PHP_SELF\">\n"
+$update_form = "<form method=\"POST\" action=\"" . htmlentities($_SERVER['PHP_SELF']) . "\">\n"
 . "\t" . $text['template'] . ": \n"
 . "\t<select name=\"template\">\n";

--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry

_______________________________________________
phpGroupWare-developers mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
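Review bot: the `+` line calls `htmlentities($_SERVER['PHP_SELF'])` with no flags and no charset, so quote handling falls back to PHP's default; the double-quoted `action` attribute is covered by that default, but passing `ENT_QUOTES` and an explicit charset (or using `htmlspecialchars`, which encodes the same attribute-breaking characters) keeps the fix correct if the quoting around the attribute is later changed. Separately, the hunk header announces seven lines of context on each side while the quoted patch shows only four per side, so the attachment may have lost blank or indented lines in transit; worth confirming it still applies cleanly to 0.9.16.011-2.2 before an upload.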
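As an added example (not code from phpsysinfo, phpGroupWare or the Debian patch), the footer's update form rebuilt as a function, with a round-trip check confirming that the encoded `action` attribute holds exactly the request path and nothing from it ends up outside the attribute. The function names, the fixed "Template" label standing in for `$text['template']`, and the sample path are assumptions for the demo.

```php
<?php
// Added example, not code from phpsysinfo or phpGroupWare. It rebuilds the
// footer's update form as a function so the encoding of PHP_SELF can be
// checked in isolation. The function names and the fixed "Template" label
// (standing in for $text['template']) are assumptions for this demo.

function render_update_form(string $php_self, array $templates): string
{
    // Encode for a double-quoted attribute with explicit flags and charset:
    // ENT_QUOTES covers both quote kinds, so the result does not depend on
    // PHP's default flags or on which quote style wraps the attribute.
    $action = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');

    $form = "<form method=\"POST\" action=\"$action\">\n"
          . "\tTemplate: \n"
          . "\t<select name=\"template\">\n";
    foreach ($templates as $name) {
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $form .= "\t\t<option value=\"$safe\">$safe</option>\n";
    }
    return $form . "\t</select>\n</form>\n";
}

// Round-trip check: the action attribute must decode back to exactly the
// path that was passed in. If any character ended the attribute early, the
// captured value is shorter than the input and the check fails.
function action_round_trips(string $html, string $expected): bool
{
    if (!preg_match('/action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $expected;
}

// Constructed request path (not from the page): PHP_SELF is derived from
// the request URL, so it can carry characters that would close the attribute.
$path = '/phpsysinfo/index.php/"<x>';

// The pre-patch shape, interpolating the path raw, kept for comparison.
$raw = "<form method=\"POST\" action=\"$path\">\n";
$hardened = render_update_form($path, ['classic', 'metal']);

echo $raw, "\n", $hardened, "\n";
echo 'raw attribute intact: ', var_export(action_round_trips($raw, $path), true), "\n";
echo 'hardened attribute intact: ', var_export(action_round_trips($hardened, $path), true), "\n";
```

Run it from the command line with `php` to see the raw form fail the round-trip check while the hardened form passes.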
