Hi,
These two updates occur after a discussion with websvn upstream, to
validate the corrections. The security problem is described at:
http://www.gulftech.org/?node=research&article_id=00132-10202008
(I haven't found any related CVE, but a Secunia advisory:
http://secunia.com/advisories/32338/
)
The first upload is for stable:
Please allow websvn 1.61-21 into stable, it contains a security fix:
* Security: fix potential PHP code execution due to unsafe use of
preg_replace (Closes: #503330)
The fix is to remove the offending code (which was useless) with quilt
patch 40_unsafe_preg_replace.diff (attached).
Other parts of the advisory (directory transversal and XSS) were not
found in this version.
The second upload is for both unstable and testing:
Please allow websvn 2.0-4 to enter testing, it contains fixes for the
same security advisory, but for different problems:
* Security: fix potential Cross Site Scripting and Directory
traversal issues (Closes: #503330)
Problems are fixed in quilt patches 10_security_dir_transversal.patch
and 11_security_css.patch (attached). The preg_replace-affected code was removed in
the 2.x branch.
Cheers,
Pierre
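As an added illustration (not code from the websvn patches or from the maintainer), the following contrasts the `e`-modifier `preg_replace` idiom that the 1.61 fix removes with the `preg_replace_callback` form that achieves the same text expansion without evaluating captured text as PHP. The `username()` helper here is a hypothetical stand-in for websvn's own function, and the input line is constructed.

```php
<?php
// Hypothetical stand-in for websvn's username() helper: it only labels the name.
function username($rev, $name) {
    return 'user:' . $name;
}

// UNSAFE pattern: with the "e" modifier, PHP substitutes \1 into the replacement
// string and then eval()s it, so the captured text is treated as PHP source.
// (The modifier was deprecated in PHP 5.5 and removed in PHP 7.)
function expandNamesUnsafe($s) {
    return preg_replace('#\[:nom:([^\]]*)\]#e', 'username(0, trim("\\1"))', $s);
}

// SAFE pattern: preg_replace_callback hands the capture to the callback as a
// plain string argument; nothing in the matched text is ever interpreted as code.
function expandNamesSafe($s) {
    return preg_replace_callback('#\[:nom:([^\]]*)\]#', function ($m) {
        return username(0, trim($m[1]));
    }, $s);
}

$input = 'Fixed by [:nom: alice ] and [:nom:bob]';   // constructed sample input
echo expandNamesSafe($input), "\n";
```

The safe form is a drop-in replacement when the expansion feature is actually needed; when it is not, deleting the code, as the 1.61 patch does, is the smaller change.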
Index: websvn-1.61/include/utils.inc
===================================================================
--- websvn-1.61.orig/include/utils.inc 2008-11-12 13:04:16.000000000 +0100
+++ websvn-1.61/include/utils.inc 2008-11-12 13:04:23.000000000 +0100
@@ -87,11 +87,6 @@
"<a href=\"mailto:\\1@\\2\">\\1@\\2</a>",
$ret);
- // Replace any usernames
- $ret = preg_replace("#\[:nom:([^\]]*)\]#e",
- "username(0, trim(\"\\1\"))",
- $ret);
-
return ($ret);
}
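Review bot: Deleting the `preg_replace` block is the right call rather than trying to escape the capture, because with the `e` modifier the substituted `\1` is evaluated as PHP, so any escaping would have to be correct against the PHP lexer; if the `[:nom:...]` expansion is ever wanted again, `preg_replace_callback` with `username(0, trim($m[1]))` gives the same result without eval. Please also confirm nothing else relies on `[:nom:...]` being expanded, and note the unchanged mailto replacement just above it still uses `\\1`/`\\2` backreferences, which is fine without `e`.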
@@ -185,4 +180,4 @@
// Stick them together
return $spaces.$s;
}
-?>
\ No newline at end of file
+?>
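Review bot: The `?>` change only adds a trailing newline and is unrelated to the security fix; it is harmless, but a minimal stable update is easier to review without it, and the usual PHP recommendation is to drop the closing `?>` in include files altogether so stray whitespace after it cannot be emitted.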
Index: websvn-2.0/rss.php
===================================================================
--- websvn-2.0.orig/rss.php 2008-11-12 13:10:56.000000000 +0100
+++ websvn-2.0/rss.php 2008-11-12 13:11:20.000000000 +0100
@@ -67,7 +67,7 @@
// Cachename reflecting full path to and rev for rssfeed. Must end with xml to work
$cachename = strtr(getFullURL($listurl), ":/\\?", "____");
-$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR."cache".DIRECTORY_SEPARATOR.$cachename.@$_REQUEST["rev"]."_rssfeed.xml";
+$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR.$cachename.$rev.'_rssfeed.xml';
$rss = new UniversalFeedCreator();
$rss->useCached("RSS2.0", $cachename);
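Review bot: The replacement line builds a filesystem path from `$rev`, whose definition is not in this hunk; please confirm that `$rev` is validated earlier in rss.php (for example cast to an integer or matched against a numeric pattern) before it reaches `$cachename`, since the removed `@$_REQUEST["rev"]` was interpolated unvalidated and that is the directory traversal the advisory describes. Dropping the `@` suppression is also good, as the undefined-index notice would otherwise have hidden the problem.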
Index: websvn-2.0/include/setup.php
===================================================================
--- websvn-2.0.orig/include/setup.php 2008-11-12 13:12:10.000000000 +0100
+++ websvn-2.0/include/setup.php 2008-11-12 13:12:26.000000000 +0100
@@ -314,7 +314,7 @@
$vars['lang_code'] = $userLang;
-$url = getParameterisedSelfUrl(true);
+$url = '?'.buildQuery($_GET + $_POST);
$vars["lang_form"] = "<form action=\"$url\" method=\"post\" id=\"langform\">";
$vars["lang_select"] = "<select name=\"langchoice\" onchange=\"javascript:this.form.submit();\">";
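Review bot: Replacing `getParameterisedSelfUrl(true)` removes the attacker-influenced `$_SERVER['PHP_SELF']` component, but `$url` is still interpolated raw into the `action="$url"` attribute on the unchanged line below, so the fix depends on `buildQuery()` (not shown in this hunk) URL-encoding every key and value from `$_GET + $_POST`; please verify that, or apply `htmlspecialchars($url, ENT_QUOTES)` at the point of use so the attribute context is protected regardless.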
Index: websvn-2.0/include/utils.php
===================================================================
--- websvn-2.0.orig/include/utils.php 2008-11-12 13:12:14.000000000 +0100
+++ websvn-2.0/include/utils.php 2008-11-12 13:12:26.000000000 +0100
@@ -304,43 +304,6 @@
// }}}
-// {{{ getParameterisedSelfUrl
-//
-// Get the relative URL (PHP_SELF) with GET and POST data
-
-function getParameterisedSelfUrl($params = true)
-{
- global $config;
-
- $url = null;
-
- if ($config->multiViews)
- {
- // Get rid of the file's name
- $url = preg_replace('/\.php/', '', $_SERVER['PHP_SELF'], 1);
- }
- else
- {
- $url = basename($_SERVER['PHP_SELF']);
-
- // Sometimes the .php isn't on the end. Damn strange...
- if (strchr($url, '.') === false)
- $url .= '.php';
- }
-
- if ($params)
- {
- $arr = $_GET + $_POST;
- # XXX: the point of HTTP POST is that URIs have a set size limit, so POST
- # data is typically too large to bother with; why include it?
- $url .= '?'.buildQuery($arr);
- }
-
- return $url;
-}
-
-// }}}
-
// {{{ getUserLanguage
function getUserLanguage($languages, $default, $userchoice)
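Review bot: Removing `getParameterisedSelfUrl()` is consistent with the setup.php change, but the hunk only shows this one caller being replaced; please grep the rest of websvn-2.0 for other call sites before upload, since any remaining caller would now fail with an undefined function. Removing it is also the right direction, as the function exposed unescaped `PHP_SELF` to every caller.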