Moritz Muehlenhoff wrote:
> This has been assigned CVE-2005-3559, please mention it in the
> changelog when fixing it.

The attached patch fixes this problem.

This problem is also fixed in the Debian package 1.2.7.1.dfsg-2.

Regards,

        Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2005-3559.dpatch by Joey Schulze <[EMAIL PROTECTED]>
##
## DP: Description Directory traversal vulnerability in vmail.cgi in
## DP: Asterisk 1.0.9 through 1.2.0-beta1 allows remote attackers to
## DP: access WAV files via a .. (dot dot) in the folder parameter.

@DPATCH@
diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi
--- asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi        2004-09-15 07:11:41.000000000 +0200
+++ asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi     2006-04-26 17:31:30.000000000 +0200
@@ -70,6 +70,19 @@ _EOH
 
 }
 
+sub untaint() {
+
+       my($data) = @_;
+
+       if ($data =~ /^([EMAIL PROTECTED])$/) {
+               $data = $1;
+       } else {
+               die "Security violation.";
+       }
+
+       return $data;
+}
+
 sub check_login()
 {
        local ($filename, $startcat) = @_;
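Review bot: The character class in untaint()'s pattern is not readable on this page (the archive replaced it with `[EMAIL PROTECTED]`), so the allowed set has to be checked against the original attachment; the fix only holds if that class excludes `/`. The masking suggests the class contains `@` and probably `.`, and if `.` is allowed a value that is exactly `..` still passes the whole-string match, so I would add an explicit reject such as `die "Security violation." if $data =~ /\.\./;` ahead of the match. `sub untaint()` also declares an empty prototype while taking one argument, which works only because every call uses the `&untaint(...)` form; dropping the `()` removes that trap.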
@@ -489,14 +502,15 @@ _EOH
 sub message_audio()
 {
        my ($forcedownload) = @_;
-       my $folder = param('folder');
-       my $msgid = param('msgid');
-       my $mailbox = param('mailbox');
-       my $context = param('context');
+       my $folder = &untaint(param('folder'));
+       my $msgid = &untaint(param('msgid'));
+       my $mailbox = &untaint(param('mailbox'));
+       my $context = &untaint(param('context'));
        my $format = param('format');
        if (!$format) {
                $format = &getcookie('format');
        }
+       &untaint($format);
        my $path = "/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
 
        $msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
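Review bot: `&untaint($format);` discards the validated copy, unlike the four assignments above it, so `$format` goes into `$path` exactly as the request or cookie supplied it. Because `$` in untaint()'s pattern also matches before a trailing newline, the string that was accepted and the string that is used can differ, and under taint mode the variable stays tainted. Writing `$format = &untaint($format);` makes it consistent with the other parameters. message_audio continues past the end of this hunk.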
@@ -865,6 +879,8 @@ sub message_forward()
        }
        $msgcount = &msgcount($context, $newmbox, "INBOX");
        my $txt;
+       $context = &untaint($context);
+       $newmbox = &untaint($newmbox);
        if ($newmbox ne $mbox) {
 #              print header;
                foreach $msg (@msgs) {
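Review bot: `$context` and `$newmbox` are validated only after `&msgcount($context, $newmbox, "INBOX")` has already run two lines earlier in this hunk, so that call still receives the raw values. If msgcount builds a spool path from them (its body is not visible here), the checks should move above it: `$context = &untaint($context);` and `$newmbox = &untaint($newmbox);` placed before the `$msgcount = ...` line. `$mbox` and the entries of `@msgs` are used just below without a visible check, which may be handled outside the hunk. message_forward starts and ends outside this hunk.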
@@ -900,6 +916,9 @@ sub message_delete_or_move()
                $context = "default";
        }
        my $passwd = param('password');
+       $context = &untaint($context);
+       $mbox = &untaint($mbox);
+       $folder = &untaint($folder);
        my $msgcount = &msgcount($context, $mbox, $folder);
        my $omsgcount = &msgcount($context, $mbox, $newfolder) if $newfolder;
 #      print header;
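Review bot: `$newfolder` is passed to `&msgcount($context, $mbox, $newfolder)` in this hunk without going through untaint(), although `$folder` next to it is checked. Adding `$newfolder = &untaint($newfolder) if $newfolder;` alongside the three new lines would close that gap. Where `$newfolder` is assigned is outside this hunk, so this matters only if it comes from a request parameter. The function body continues past the hunk.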
