Hi,

These two updates occur after a discussion with websvn upstream, to validate the corrections.

Security problem is described at:
http://www.gulftech.org/?node=research&article_id=00132-10202008
(I haven't found any related CVE, but a Secunia advisory: http://secunia.com/advisories/32338/ )

The first upload is for stable:

Please allow websvn 1.61-21 into stable, it contains a security fix:
  * Security: fix potential PHP code execution due to unsafe use of
    preg_replace (Closes: #503330)

The fix is to remove the offending code (which was useless) with quilt patch 40_unsafe_preg_replace.diff (attached). Other parts of the advisory (directory traversal and XSS) were not found in this version.

The second upload is for both unstable and testing:

Please allow websvn 2.0-4 to enter testing, it contains fixes for the same security advisory, but for different problems:
  * Security: fix potential Cross Site Scripting and Directory traversal
    issues (Closes: #503330)

Problems are fixed in quilt patches 10_security_dir_transversal.patch and 11_security_css.patch (attached). preg_replace affected code was removed in 2.x branch.

Cheers,
Pierre
Index: websvn-1.61/include/utils.inc =================================================================== --- websvn-1.61.orig/include/utils.inc 2008-11-12 13:04:16.000000000 +0100 +++ websvn-1.61/include/utils.inc 2008-11-12 13:04:23.000000000 +0100 @@ -87,11 +87,6 @@ "<a href=\"mailto:\\1@\\2\">\\1@\\2</a>", $ret); - // Replace any usernames - $ret = preg_replace("#\[:nom:([^\]]*)\]#e", - "username(0, trim(\"\\1\"))", - $ret); - return ($ret); } @@ -185,4 +180,4 @@ // Stick them together return $spaces.$s; } -?> \ No newline at end of file +?>
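Review bot: Removing the whole `[:nom:...]` block is the right fix rather than trying to harden it, because the `e` modifier on `#\[:nom:([^\]]*)\]#e` makes preg_replace eval the replacement after substituting `\1` from the text being formatted (log messages, i.e. repository-controlled input), and the `"..."` around `\\1` in `username(0, trim("\\1"))` is not a safe boundary: PHP only escapes quotes and backslashes in the substituted backreference, so any interpolation-based payload still evaluates. If the username expansion is ever wanted back, `preg_replace_callback` with a callback doing `username(0, trim($m[1]))` gives the same result without evaluating anything. Before the upload it is worth a quick `grep -rn "preg_replace" include/ | grep "e'\|e\""` (or equivalent) across the 1.61 tree to confirm this was the only `e`-modifier use, since the cover letter only says the other advisory items were not found. The `?>` end-of-file newline change in the second hunk is a harmless side effect of the quilt edit.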
Index: websvn-2.0/rss.php =================================================================== --- websvn-2.0.orig/rss.php 2008-11-12 13:10:56.000000000 +0100 +++ websvn-2.0/rss.php 2008-11-12 13:11:20.000000000 +0100 @@ -67,7 +67,7 @@ // Cachename reflecting full path to and rev for rssfeed. Must end with xml to work $cachename = strtr(getFullURL($listurl), ":/\\?", "____"); -$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR."cache".DIRECTORY_SEPARATOR.$cachename.@$_REQUEST["rev"]."_rssfeed.xml"; +$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR.$cachename.$rev.'_rssfeed.xml'; $rss = new UniversalFeedCreator(); $rss->useCached("RSS2.0", $cachename);
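Review bot: The fix only holds if `$rev` is already validated by the time it reaches the `$cachename` assignment, and that definition is outside this hunk. The old line used `@$_REQUEST["rev"]` raw, and while the `getFullURL($listurl)` part of the name is scrubbed with `strtr(..., ":/\\?", "____")`, `$rev` is concatenated straight into a filesystem path with no such treatment. Please confirm that earlier in rss.php `$rev` is cast or pattern-checked (e.g. `(int)` or a digits-only check) rather than just copied from the request; otherwise `../` in the `rev` parameter still lands in the cache filename. A one-line comment above the assignment pointing at where `$rev` is sanitised would make that dependency visible to the next reader.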
Index: websvn-2.0/include/setup.php =================================================================== --- websvn-2.0.orig/include/setup.php 2008-11-12 13:12:10.000000000 +0100 +++ websvn-2.0/include/setup.php 2008-11-12 13:12:26.000000000 +0100 @@ -314,7 +314,7 @@ $vars['lang_code'] = $userLang; -$url = getParameterisedSelfUrl(true); +$url = '?'.buildQuery($_GET + $_POST); $vars["lang_form"] = "<form action=\"$url\" method=\"post\" id=\"langform\">"; $vars["lang_select"] = "<select name=\"langchoice\" onchange=\"javascript:this.form.submit();\">"; Index: websvn-2.0/include/utils.php =================================================================== --- websvn-2.0.orig/include/utils.php 2008-11-12 13:12:14.000000000 +0100 +++ websvn-2.0/include/utils.php 2008-11-12 13:12:26.000000000 +0100 @@ -304,43 +304,6 @@ // }}} -// {{{ getParameterisedSelfUrl -// -// Get the relative URL (PHP_SELF) with GET and POST data - -function getParameterisedSelfUrl($params = true) -{ - global $config; - - $url = null; - - if ($config->multiViews) - { - // Get rid of the file's name - $url = preg_replace('/\.php/', '', $_SERVER['PHP_SELF'], 1); - } - else - { - $url = basename($_SERVER['PHP_SELF']); - - // Sometimes the .php isn't on the end. Damn strange... - if (strchr($url, '.') === false) - $url .= '.php'; - } - - if ($params) - { - $arr = $_GET + $_POST; - # XXX: the point of HTTP POST is that URIs have a set size limit, so POST - # data is typically too large to bother with; why include it? - $url .= '?'.buildQuery($arr); - } - - return $url; -} - -// }}} - // {{{ getUserLanguage function getUserLanguage($languages, $default, $userchoice)
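Review bot: In the setup.php hunk `$url` is still interpolated into `action=\"$url\"` without `htmlspecialchars`, so the safety of the new `'?'.buildQuery($_GET + $_POST)` rests entirely on `buildQuery` URL-encoding both the keys and the values of the merged array; a raw `"` or `>` in a parameter name or value would otherwise reopen the same attribute injection that dropping `$_SERVER['PHP_SELF']` closes. Please verify that `buildQuery` encodes keys as well as values, or make it explicit with `$url = htmlspecialchars('?'.buildQuery($_GET + $_POST));`. The relative `?query` form is a good choice since it resolves against the current document both with and without `$config->multiViews`, which is what the removed function was trying to handle by hand. Deleting `getParameterisedSelfUrl` outright (utils.php hunk) is cleaner than leaving a dead helper, but grep the tree for other callers before the upload so no template or script still references it.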
Attachment:
signature.asc
Description: Digital signature
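Added example, not code from websvn or from the patches above: it reconstructs the shape of the removed 1.61 replacement to show why the `e` modifier is a code-execution bug and what the non-evaluating equivalent looks like. The `username()` function is a hypothetical stand-in for websvn's lookup, and the log line is constructed. The `{${expr}}` token in it is PHP's curly string interpolation, which is why the double quotes around the backreference in the original replacement did not protect anything.

```php
<?php
// Hypothetical stand-in for websvn's username() lookup (assumption, not the real one).
function username($repo, $name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Shape of the removed 1.61 code. With the e modifier, preg_replace substitutes
// \1 from the input into the replacement string and then evals the result as PHP.
// PHP < 7 only; PHP 7+ rejects the modifier and returns NULL (warning suppressed here).
function expand_usernames_unsafe($text)
{
    return @preg_replace('#\[:nom:([^\]]*)\]#e', 'username(0, trim("\\1"))', $text);
}

// Safe equivalent: the captured text is handed to a callback as data and never evaluated.
function expand_usernames_safe($text)
{
    return preg_replace_callback(
        '#\[:nom:([^\]]*)\]#',
        function ($m) {
            return username(0, trim($m[1]));
        },
        $text
    );
}

// Constructed log message. The second token carries no quotes or backslashes, so the
// escaping PHP applies to backreferences under /e does nothing to it; once substituted
// inside "..." and evaluated, "{${phpinfo()}}" calls phpinfo() before trim() even runs.
$log = 'fixed by [:nom:alice] [:nom:{${phpinfo()}}]';

echo expand_usernames_safe($log), "\n";

if (PHP_VERSION_ID < 70000) {
    // Uncomment on a PHP 5 sandbox to observe the code execution; left disabled on purpose.
    // echo expand_usernames_unsafe($log), "\n";
}
```

Running the safe variant simply renders both tokens as text (the second one comes back as the literal characters `{${phpinfo()}}`); the unsafe variant, on an interpreter that still accepts the `e` modifier, would execute the function named inside the token. The general lesson is that any `preg_replace` with `/e` whose subject is attacker-influenced is an eval, and the fix is either removal (as the 1.61 patch does) or `preg_replace_callback`.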