Package: webcalendar
Version: 0.9.45-2
Severity: grave
Tags: security patch
Justification: user security hole
Upstream reports a security hole:
http://sourceforge.net/tracker/index.php?func=detail&aid=1121329&group_id=3870&atid=303870

| There is a security hole in WebCalendar 0.9.45 and
| earlier that can allow a malicious user to issue SQL
| commands to affect your database. The user could
| insert data, delete data or drop tables. The malicious
| user does not need to have a valid WebCalendar login.
|
| This security issue does not affect sites using
| http-based authentication for WebCalendar or sites
| running in single-user mode. It only affects installs
| using web-based authentication and running in
| multi-user mode.

Patch from upstream:

*** includes/validate.php.orig Fri Nov 5 21:43:38 2004 --- includes/validate.php Sat Feb 12 08:32:45 2005 *************** *** 38,43 **** --- 38,55 ---- $login_pw = split('\|', decode_string ($encoded_login)); $login = $login_pw[0]; $cryptpw = $login_pw[1]; + // Security fix. Don't allow certain types of characters in + // the login. WebCalendar does not escape the login name in + // SQL requests. So, if the user were able to set the login + // name to be "x';drop table u;", + // they may be able to affect the database. + if ( ! empty ( $login ) ) { + if ( $login != addslashes ( $login ) ) { + echo "Illegal characters in login " . + "<tt>" . htmlentities ( $login ) . "</tt>"; + exit; + } + } // make sure we are connected to the database for password check $c = dbi_connect ( $db_host, $db_login, $db_password, $db_database ); if ( !
$c ) { *** login.php.orig Tue Nov 23 02:55:16 2004 --- login.php Sat Feb 12 08:21:09 2005 *************** *** 62,67 **** --- 62,71 ---- $login = stripslashes ( $login ); } $login = trim ( $login ); + if ( $login != addslashes ( $login ) ) { + echo "Illegal characters in login"; + exit; + } if ( user_valid_login ( $login, $password ) ) { user_load_variables ( $login, "" ); // set login to expire in 365 days

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages webcalendar depends on:
ii  apache [httpd]          1.3.33-3     versatile, high-performance HTTP s
ii  debconf [debconf-2.0]   1.4.30.11    Debian configuration management sy
ii  mysql-server            4.0.23-3     mysql database server binaries
ii  php4                    4:4.3.10-2   server-side, HTML-embedded scripti
ii  php4-cli                4:4.3.10-2   command-line interpreter for the p
ii  php4-mysql              4:4.3.10-2   MySQL module for php4

-- debconf information:
* webcalendar/conf/db_host: localhost
* webcalendar/note/sql_install:
  webcalendar/status/db_installed: false
* webcalendar/note/admin_user:
* webcalendar/conf/db_persistent: true
  webcalendar/conf/single_user_login:
* webcalendar/conf/single_user_mode: false
* webcalendar/conf/db_database: webcalendar
* webcalendar/conf/db_type: mysql
* webcalendar/conf/db_login: webcalendar
* webcalendar/conf/db_password: Zeeph9po
* webcalendar/conf/use_http_auth: false
* webcalendar/status/debconf_managed: true
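Review bot: the includes/validate.php hunk detects a few dangerous characters rather than making the query safe: `if ( $login != addslashes ( $login ) )` only refuses a login containing a quote, a backslash or a NUL, while the hunk's own comment states that "WebCalendar does not escape the login name in SQL requests". As a stopgap for the cookie-derived login this is fine, but the durable fix is to escape the login (or bind it as a query parameter) at each place it is spliced into SQL, so a caller that never passes through validate.php is still covered. The check also rejects every legitimate login containing an apostrophe, which should be stated in the changelog or the error text. Keeping `htmlentities ( $login )` on the echoed value is correct; do not drop it.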
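Review bot: the login.php hunk repeats the validate.php test with a different message and without the `! empty ( $login )` guard; factor the test into a single shared helper (for instance a `login_has_illegal_chars` function, name hypothetical) so the two entry points cannot drift apart, and consider routing a rejected login through the same path as a failed `user_valid_login` instead of a bare `echo`/`exit`, which short-circuits the normal login page. The placement is right: the test runs after the `stripslashes ( $login )` branch and `trim ( $login )`, so it sees the value that would actually reach the database.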
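As an added illustration (not WebCalendar code) of what the patch's `$login != addslashes ( $login )` test accepts and rejects, and of the parameterised lookup that would make the unescaped login harmless regardless of that test: `addslashes` below is a port of the PHP function, the `webcal_user` table and `cal_login` column are assumed stand-ins for the real schema, and the two user rows are constructed sample data.

```python
import sqlite3

def addslashes(s):
    """Port of PHP addslashes(): prefix ' " \\ with a backslash, NUL -> \\0."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def login_is_allowed(login):
    """The patch's rule: refuse a login that addslashes() would change,
    i.e. one containing a quote, a backslash or a NUL byte."""
    return login == addslashes(login)

def make_db():
    """Constructed sample data; webcal_user/cal_login are assumed names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webcal_user (cal_login TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO webcal_user VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user(conn, login):
    """Lookup with the login bound as a parameter instead of spliced into the
    SQL text: quote characters in it stay data and cannot end the statement,
    whatever validation did or did not happen before this call."""
    row = conn.execute(
        "SELECT cal_login FROM webcal_user WHERE cal_login = ?", (login,)
    ).fetchone()
    return row[0] if row else None

def table_exists(conn, name):
    """Used to confirm the schema is untouched after a hostile login value."""
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone() is not None

if __name__ == "__main__":
    hostile = "x';drop table u;"  # the string quoted in the patch comment
    print(login_is_allowed("alice"), login_is_allowed(hostile))  # True False
    conn = make_db()
    print(find_user(conn, hostile), table_exists(conn, "webcal_user"))  # None True
```

Note that the test also refuses ordinary names with an apostrophe (O'Brien), which is the cost of a character denylist; parameter binding has no such false positives.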

