Hello all, There is a security bug in webcalendar (#315671 and http://www.securityfocus.com/bid/14072, for reference). Tim is the maintainer, but does not yet have a debian account, and cannot upload. We have a fixed version for sarge ready (patch attached). I am happy to upload it for Tim, or you could based on the attached patch. Please let us know which way you want to handle this. Tim is copied on this mail, please keep both of us in the follow ups.
There is as yet no CVE, but the bugtraq ID is 14072. Thanks, -- ----------------------------------------------------------------- | ,''`. Stephen Gran | | : :' : [EMAIL PROTECTED] | | `. `' Debian user, admin, and developer | | `- http://www.debian.org | -----------------------------------------------------------------
diff -Nru old/webcalendar-0.9.45/assistant_edit.php
new/webcalendar-0.9.45/assistant_edit.php
--- old/webcalendar-0.9.45/assistant_edit.php 2004-11-29 05:18:17.000000000
-0500
+++ new/webcalendar-0.9.45/assistant_edit.php 2005-07-18 14:37:26.000000000
-0400
@@ -1,16 +1,24 @@
<?php
include_once 'includes/init.php';
+if ( empty ( $login) || $login == "__public__" ) {
+ // do not allow public access
+ do_redirect ( empty ( $STARTVIEW ) ? "month.php" : "$STARTVIEW" );
+ exit;
+}
+
if ($user != $login)
$user = (($is_admin || $is_nonuser_admin) && $user) ? $user : $login;
if ( $groups_enabled == "Y" ) {
$INC = array('js/assistant_edit.php');
+} else {
+ $INC = '';
}
print_header($INC);
?>
-<form action="assistant_edit_handler.php" method="post" name="editentryform">
+<form action="assistant_edit_handler.php" method="post"
name="assistanteditform">
<?php
if ($user) echo "<input type=\"hidden\" name=\"user\" value=\"$user\" />\n";
if ( $is_nonuser_admin ) {
diff -Nru old/webcalendar-0.9.45/debian/changelog
new/webcalendar-0.9.45/debian/changelog
--- old/webcalendar-0.9.45/debian/changelog 2005-07-18 14:36:10.000000000
-0400
+++ new/webcalendar-0.9.45/debian/changelog 2005-07-18 14:37:26.000000000
-0400
@@ -1,3 +1,10 @@
+webcalendar (0.9.45-6) unstable; urgency=high
+
+ * Fixed a bug in assistant_edit.php that allows unauthorized access
+ (closes: #315671)
+
+ -- Tim Peeler <[EMAIL PROTECTED]> Mon, 11 Jul 2005 17:56:02 -0400
+
webcalendar (0.9.45-5) unstable; urgency=low
* Fixed a bug in the postinst that doesn't set permissions of settings.php
diff -Nru old/webcalendar-0.9.45/includes/js/assistant_edit.php
new/webcalendar-0.9.45/includes/js/assistant_edit.php
--- old/webcalendar-0.9.45/includes/js/assistant_edit.php 2004-07-27
15:03:10.000000000 -0400
+++ new/webcalendar-0.9.45/includes/js/assistant_edit.php 2005-07-18
14:37:26.000000000 -0400
@@ -3,18 +3,18 @@
function selectUsers () {
// find id of user selection object
var listid = 0;
- for ( i = 0; i < document.forms[0].elements.length; i++ ) {
- if ( document.forms[0].elements[i].name == "users[]" )
+ for ( i = 0; i < document.assistanteditform.elements.length; i++ ) {
+ if ( document.assistanteditform.elements[i].name == "users[]" )
listid = i;
}
- url = "usersel.php?form=editentryform&listid=" + listid + "&users=";
+ url = "usersel.php?form=assistanteditform&listid=" + listid + "&users=";
// add currently selected users
- for ( i = 0, j = 0; i < document.forms[0].elements[listid].length; i++ ) {
- if ( document.forms[0].elements[listid].options[i].selected ) {
+ for ( i = 0, j = 0; i < document.assistanteditform.elements[listid].length;
i++ ) {
+ if ( document.assistanteditform.elements[listid].options[i].selected ) {
if ( j != 0 )
url += ",";
j++;
- url += document.forms[0].elements[listid].options[i].value;
+ url += document.assistanteditform.elements[listid].options[i].value;
}
}
//alert ( "URL: " + url );
signature.asc
Description: Digital signature
