Package: webcalendar
Severity: grave
Tags: security sid etch
David Maciejak noticed that webcalendar, a PHP-based multi-user
calendar, returns different error messages on login attempts for an
invalid password and a non-existing user, allowing remote attackers to
gain information about valid usernames.
The patch for the version in sarge is attached to this mail.
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
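The two failure paths described above, shown as an added Python example that is not part of this mail or of webcalendar's code: the leaky variant reproduces the distinct "no such user" / "incorrect password" messages, the hardened variant returns one message and, going one step beyond the patch, also does the same password-hash work whether or not the user exists, so the two failures cannot be told apart by response time either. The user store, salts, and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# This is not webcalendar's schema, just enough to show the two code paths.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential checked when the user does not exist, so the unknown-user
# path costs the same as the wrong-password path (a unified message alone
# does not remove a timing difference).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Pre-patch behaviour: the message reveals whether the username exists."""
    entry = USERS.get(username)
    if entry is None:
        return False, "Invalid login: no such user"
    salt, stored = entry
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, ""
    return False, "Invalid login: incorrect password"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one message for both failures, same work on both paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # A guess that happens to match the dummy hash is still rejected,
    # because only a stored user may authenticate.
    if ok and username in USERS:
        return True, ""
    return False, "Invalid login"
```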
diff -u webcalendar-0.9.45/debian/changelog webcalendar-0.9.45/debian/changelog
--- webcalendar-0.9.45/debian/changelog
+++ webcalendar-0.9.45/debian/changelog
@@ -1,3 +1,11 @@
+webcalendar (0.9.45-4sarge4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Unified error messages for unknown users and wrong passwords to
+ prevent an information leak [includes/user.php, CVE-2006-2247]
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Fri, 12 May 2006 08:10:15 +0200
+
webcalendar (0.9.45-4sarge3) stable-security; urgency=high
* Fixed multiple security vulnerabilities
only in patch2:
unchanged:
--- webcalendar-0.9.45.orig/includes/user.php
+++ webcalendar-0.9.45/includes/user.php
@@ -41,8 +41,7 @@
if ( $row[0] == $login )
$ret = true; // found login/password
else
- $error = translate ("Invalid login") . ": " .
- translate("incorrect password");
+ $error = translate ("Invalid login");
} else {
$error = translate ("Invalid login");
// Could be no such user or bad password
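Review bot: after this change the inner else (`+ $error = translate ("Invalid login");`) and the outer else (`$error = translate ("Invalid login");`) assign the same string, so `$error` could be set once after the whole `if` instead of in two places, which keeps a later edit from reintroducing a distinguishing message in one branch. The comments still describe the old behaviour ("found login/password", "Could be no such user or bad password"); worth updating them so the unified wording reads as deliberate rather than accidental.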
@@ -53,12 +52,10 @@
$row = dbi_fetch_row ( $res2 );
if ( $row && ! empty ( $row[0] ) ) {
// got a valid username, but wrong password
- $error = translate ("Invalid login") . ": " .
- translate("incorrect password" );
+ $error = translate ("Invalid login");
} else {
// No such user.
- $error = translate ("Invalid login") . ": " .
- translate("no such user" );
+ $error = translate ("Invalid login");
}
dbi_free_result ( $res2 );
}
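Review bot: with both branches now assigning `$error = translate ("Invalid login");`, the lookup at `$row = dbi_fetch_row ( $res2 );` and the `if ( $row && ! empty ( $row[0] ) )` test no longer influence the result; that query existed only to choose between "incorrect password" and "no such user". Suggest dropping the lookup and the matching `dbi_free_result ( $res2 );`: it is dead work, and a code path that still differs for known and unknown users can leave a measurable timing difference even though the message text is now identical. The comments "got a valid username, but wrong password" and "No such user." should go with it, since they document the distinction this patch removes.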