Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Aug 2011 09:50:43 +0800
From: Thomas Goirand <thomas@...rand.fr>
To: Jonathan Wiltshire <jmw@...ian.org>
CC: oss-security@...ts.openwall.com, 
 Debian Security Team <team@...urity.debian.org>
Subject: Re: CVE request: multiple vulnerabilities in dtc

We are discussing the issues with Philippe Kern. While there are issues
that were discovered, I am claiming that some of what you see below
shouldn't be in the list.

On 08/13/2011 05:26 AM, Jonathan Wiltshire wrote:
> #566654
> dtc saves the administrator password in plain text in
> /var/lib/dtc/saved_install_config under the variable name conf_adm_pass.
> It remains there even after initial configuration.

That's not more a security vulnerability than /etc/mysql/debian.cnf
(both file are readable by root only). This has been in the BTS for a
long time, and it makes no sense to assign a CVE now.

> #611680
> dtc-xen includes several command executions as root that use unchecked
> user input in dtc-soap-server.

That's not relevant and isn't a vulnerability. I have closed the bug a
long time ago, writing that I wont fix it, and explaining why. Please
see the BTS entry for it. dtc-xen isn't supposed to run stand-alone, and
the only client for dtc-xen is dtc itself. If you gain access to it,
then there is an issue somewhere else, and "fixing" things here wont
make things better.

> #614304
> dtc stores user passwords and passwords for various services in unencrypted
> form in the database.

This is fixed in the Git, and has already been discussed. While it's a
serious issue (which has been carefully worked on), it didn't deserve a
CVE 6 months ago, and it shouldn't right now.

> #637477
> Insufficient input checking in /shared/inc/sql/lists.php
>
> #637485
> The setup script for dtc writes the password for the MySQL user in the
> world-readable file /etc/apache2/apache2.conf.
> 
> #637487
> Insufficient input checking leads to a SQL injection vulnerability in
> shared/inc/forms/domain_info.php.
> 
> #637498
> A SQL injection vulnerability in logPushlet.php can overwrite arbitrary
> files as the MySQL system user.
> 
> #637537
> dtc passes passwords to htpasswd using command line arguments, which can be
> read by a local user.
> 
> #637584
> dtc does not escape variables in HTML output in many places; for example
> in the "Domain root TXT record:" field on the "DNS and MX" page where
> JavaScript can be injected.

The above should be fixed and are real issues, but what I commented
don't deserve a CVE.

> Note that these descriptions are mostly taken from the bug reports and may
> not be suitable for direct publication without editing. I have checked as
> far as possible that none of these were previously assigned CVEs but they
> could be duplicates. There are often mitigating factors such as
> user or administrator authentication.

Absolutely all of them need a user to be logged indeed.

Thomas

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ