Date: Sat, 26 Jun 2010 10:42:25 +0200
From: Morten Shearman Kirkegaard <morten@...elingp.dk>
To: Florian Streibelt <gentoo@...treibelt.de>
Cc: oss-security <oss-security@...ts.openwall.com>, Jan Lieskovsky
 <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>,
 Michael Fleming <mfleming+rpm@...tfleminggent.com>, Mads Martin Joergensen
 <mmj@....dk>, Christoph Thiel <ct@....org>, Ben Schmidt
 <mail_ben_schmidt@...oo.com.au>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing
 and saving  list entries via php-admin web interface

CC'ing Christoph Thiel (mlmmj-php-admin author) and Ben Schmidt (current
mlmmj maintainer).

On Wed, 2010-06-23 at 19:41 +0200, Florian Streibelt wrote:
> when I reported the bug I had no time to further investigate and I think I
> did not report upstream because of lack of time at that point and later
> forgot - which is sad.

Yeah, well, things like that happen. Would you agree that the attached
patch fixes the vulnerability?

Using a list of known-good-characters would be nice, but dot happens to
be a valid character in a list name.

> The php webinterface is a third-party development for mlmmj but part of the
> official release.

I know that this is just semantics, but... While it is true that the
mlmmj-php-admin web interface is distributed along with mlmmj, it is not
a part of mlmmj itself, but is located in the contribs directory.

Best regards,
Morten

-- 
Morten Shearman Kirkegaard <morten@...elingp.dk>

diff -urN orig-mlmmj/contrib/web/php-admin/htdocs/edit.php mlmmj/contrib/web/php-admin/htdocs/edit.php
--- orig-mlmmj/contrib/web/php-admin/htdocs/edit.php	2005-05-09 16:36:09.000000000 +0200
+++ mlmmj/contrib/web/php-admin/htdocs/edit.php	2010-06-26 10:33:17.075405396 +0200
@@ -104,6 +104,15 @@
 if(!isset($list))
 die("no list specified");
 
+if (strchr($list, "/") !== false)
+die("slash in list name");
+
+if ($list == ".")
+die("list name is dot");
+
+if ($list == "..")
+die("list name is dot-dot");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 
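Review bot: an empty $list still passes all three added checks in edit.php, because isset() is true for "" and is_dir($topdir."/".$list) then resolves to $topdir itself; add an explicit empty-string rejection beside the "." and ".." tests. The two comparisons would also be better written with === so that no type juggling is involved in a security check.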
diff -urN orig-mlmmj/contrib/web/php-admin/htdocs/save.php mlmmj/contrib/web/php-admin/htdocs/save.php
--- orig-mlmmj/contrib/web/php-admin/htdocs/save.php	2005-05-09 16:36:09.000000000 +0200
+++ mlmmj/contrib/web/php-admin/htdocs/save.php	2010-06-26 10:33:31.295405214 +0200
@@ -79,6 +79,15 @@
 if(!isset($list))
 die("no list specified");
 
+if (strchr($list, "/") !== false)
+die("slash in list name");
+
+if ($list == ".")
+die("list name is dot");
+
+if ($list == "..")
+die("list name is dot-dot");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 
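Review bot: the nine added lines in save.php are a verbatim copy of the check added to edit.php; move the validation into one function that both scripts include, so the two entry points cannot drift apart when the rule is next changed. A short comment on that function stating why "/" , "." and ".." are rejected individually instead of using a character whitelist (dot is valid in a list name) would record the intent for later maintainers.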

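The known-good-characters approach mentioned in the message, with dot allowed and the two special names rejected separately, as an added example that is not part of the original post or of mlmmj. The function name, the permitted character set, the 64-character limit and the demo directory are assumptions.

```php
<?php
// Added example, not mlmmj code. resolve_list_dir(), the character set and
// the length limit are assumptions chosen for illustration.

/**
 * Return the resolved list directory below $topdir, or null when $list is
 * not an acceptable list name.
 */
function resolve_list_dir(string $topdir, $list): ?string
{
    // Request parameters can arrive as arrays (list[]=x); accept strings only.
    if (!is_string($list)) {
        return null;
    }
    // Allowlist that still permits dots inside a name. \A and \z anchor the
    // whole string, so empty input, "/", NUL bytes and newlines are rejected.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $list)) {
        return null;
    }
    // Dot is a valid character, so the two special entries are refused by name.
    if ($list === '.' || $list === '..') {
        return null;
    }
    // Defence in depth: resolve the path and require a direct child of $topdir.
    // Note that this also refuses a list directory that is a symlink elsewhere.
    $base = realpath($topdir);
    $dir  = realpath($topdir . '/' . $list);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    return dirname($dir) === $base ? $dir : null;
}

// Constructed demo: a temporary spool holding one list whose name has a dot.
$topdir = sys_get_temp_dir() . '/mlmmj-demo-' . getmypid();
mkdir($topdir . '/announce.example', 0700, true);

$candidates = ['announce.example', '', '.', '..', '../etc', "..\0", ['x'], 'missing'];
foreach ($candidates as $candidate) {
    $result = resolve_list_dir($topdir, $candidate);
    printf("%-22s => %s\n", json_encode($candidate), $result === null ? 'rejected' : 'accepted');
}

rmdir($topdir . '/announce.example');
rmdir($topdir);
```

Only the first candidate is accepted; every other value, including the empty string, is rejected before or at the containment check.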