Package: eskuel
Version: 1.0.5-3
Severity: critical
Tags: security patch
Justification: causes serious data loss

It's possible to read any file on the system.
File: include/functions.inc.php
Vulnerable function: select_lang_config()
Vulnerable code:

[...]
$lang_config_cookie = (isset($HTTP_COOKIE_VARS['ConfLangCookie'])) ? $HTTP_COOKIE_VARS['ConfLangCookie'] : '';
$force_config       = (isset($HTTP_POST_VARS['lang_config'])) ? $HTTP_POST_VARS['lang_config'] : '';

if ($force_config != '') {
        $lang_conf = $force_config;
}
elseif ($lang_config_cookie != '') {
        $lang_conf = $lang_config_cookie;
}
else {
        $lang_conf = $conf['defaultTxt'];
}
if ($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
}
### Getting the good $txt var from the lang res file
include './lang/'.$lang_conf;
[...]

Vulnerability details and exploitation:
The value of the "ConfLangCookie" cookie or of the "lang_config" POST
parameter is used, without any validation, as the file name passed to the
"include './lang/'.$lang_conf" instruction, so either of them can name an
arbitrary file. If one of "ConfLangCookie" or "lang_config" is set to
"../../../../../../../../../../../etc/passwd", the traversal escapes ./lang
and the user list is read.
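The following is an added example of how select_lang_config() could be hardened with an allowlist instead of a pattern check; it is not eskuel's code. It assumes a modern PHP with $_POST/$_COOKIE in place of $HTTP_POST_VARS/$HTTP_COOKIE_VARS, keeps the original precedence (POST, then cookie, then default), and uses only the language files actually present in ./lang as valid values.

```php
<?php
// Added example, not part of eskuel: resolve the requested language file
// against an allowlist built from the contents of the lang directory.

function select_lang_file(string $requested, string $langDir, string $default): string
{
    // Candidates are only plain "<letters>.inc.php" files at the top
    // level of $langDir; anything else in the directory is ignored.
    $allowed = [];
    foreach (scandir($langDir) as $entry) {
        if (preg_match('/^[a-z]+\.inc\.php$/', $entry) && is_file($langDir . '/' . $entry)) {
            $allowed[] = $entry;
        }
    }

    // basename() drops every directory component, so "../../x" becomes "x";
    // the strict in_array() then decides whether that exact name is allowed.
    // Any value that is not one of the real files falls back to the default.
    $candidate = basename($requested);
    if ($candidate !== '' && in_array($candidate, $allowed, true)) {
        return $candidate;
    }
    return $default;
}

// Same precedence as the original: POST value first, then the cookie.
$force_config       = isset($_POST['lang_config']) ? (string) $_POST['lang_config'] : '';
$lang_config_cookie = isset($_COOKIE['ConfLangCookie']) ? (string) $_COOKIE['ConfLangCookie'] : '';
$requested = ($force_config !== '') ? $force_config : $lang_config_cookie;

// 'francais.inc.php' stands in for $conf['defaultTxt'] (assumed defined
// elsewhere in eskuel) so the example runs on its own.
$lang_conf = select_lang_file($requested, './lang', 'francais.inc.php');
include './lang/' . $lang_conf;
```

Because the final name must match a directory entry exactly, traversal sequences, absolute paths and other unexpected characters never reach the include.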


Simple patch:

if
($lang_conf == '') {
        $lang_conf = 'francais.inc.php';
}
+ if (strpos("..", $lang_conf) !== FALSE) die("Invalid language file");
### Getting the good $txt var from the lang res file
include './lang/'.$lang_conf;
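Review bot: the added line has strpos()'s arguments reversed; the signature is strpos($haystack, $needle), so strpos("..", $lang_conf) looks for the submitted value inside the two-character string ".." and only matches when the value is itself "." or "..", which means the "../../.../etc/passwd" case described above still passes the check. The intended test is `if (strpos($lang_conf, '..') !== FALSE) die("Invalid language file");`. Even with the order fixed, a deny-list on ".." is a weak guard for an include; comparing basename($lang_conf) against the files actually present in ./lang and falling back to the default on mismatch is a more robust fix.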



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages eskuel depends on:
ii  apache2                      2.0.54-2    next generation, scalable, extenda
ii  apache2-mpm-prefork [apache2 2.0.54-2    traditional model for Apache2
ii  php4-cgi                     4:4.3.10-13 server-side, HTML-embedded scripti
ii  php4-mysql                   4:4.3.10-13 MySQL module for php4

-- no debconf information

