[pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)
Matt Wood
matt at woodzy.com
Thu Jan 15 10:47:45 EST 2009
Using $_REQUEST is a no-no.
If LifeType absolutely needs it, one way to mitigate against this PHP
headache would be to assign $_REQUEST = array_merge($_GET, $_POST).
[http://us2.php.net/array_merge]
If you're using it to get $_COOKIE values, change that code to specifically
look in that variable for it...
Then you won't suffer from the cookie overwrite situation.
-Matt
FYI. Take that bit of advice with the disclaimer that I usually consider
pages whose POST variables are accepted in POST or GET variables to be a
vulnerability, since Cross Site Request Forgery is possible then.
On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <plogworld at jon.limedaley.com> wrote:
> Yes, this is a critical error, as we use $_REQUEST all over the
> place, so various things can be injected via cookies into the get and post
> streams. Anyone have some time to see how other folks went about solving
> this? Maybe the easiest thing is to remove cookie information from the
> REQUEST parameter? Some of the places we use $_REQUEST can simply be
> changed to $_GET (like for the page parameter - that isn't ever used via
> POST or COOKIE, right?)
> We do a bunch of overwriting the superglobals in the root directory,
> and that code looks kind of hard to modify.
>
> See the below links for more information:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
>
> http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/
>
> On Mon, 24 Nov 2008, Jon Daley wrote:
>
>> Since every (I think?) blog software that is in debian just
>> released a security advisory... I haven't looked into it very carefully yet
>> - do we need to do something to fix LT as well? And perhaps we can borrow
>> some code from these patches?
>>
>> ---------- Forwarded message ----------
>> Date: Mon, 24 Nov 2008 02:04:52 +0100
>> From: secure-testing-team at lists.alioth.debian.org
>> To: debian-testing-security-announce at lists.debian.org
>> Subject: Security update for Debian Testing - 2008-11-24
>> Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)
>> Resent-From: debian-testing-security-announce at lists.debian.org
>>
>> This automatic mail gives an overview over security issues that were recently
>> fixed in Debian Testing. The majority of fixed packages migrate to testing
>> from unstable. If this would take too long, fixed packages are uploaded to the
>> testing-security repository instead. It can also happen that vulnerable
>> packages are removed from Debian testing.
>>
>> Migrated from unstable:
>> =======================
>> enscript 1.6.4-13:
>> CVE-2008-4306:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
>> http://bugs.debian.org/506261
>>
>> libxml2 2.6.32.dfsg-5:
>> CVE-2008-4225:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
>> CVE-2008-4226:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
>>
>> movabletype-opensource 4.2.1-3:
>> CVE-2008-4634:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
>> http://bugs.debian.org/503114
>>
>> no-ip 2.1.7-11:
>> <no CVE yet> : no-ip DUC remote code execution
>> http://bugs.debian.org/506179
>>
>> typo3-src 4.2.3-1:
>> <no CVE yet> : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"
>> http://bugs.debian.org/505324
>> <no CVE yet> : typo3: XSS vulnerability in Typo3 sysext "felogin"
>> http://bugs.debian.org/505325
>> <no CVE yet> : typo3: passwords are not changeable bug in the backend
>> http://bugs.debian.org/505326
>>
>> wordpress 2.5.1-10:
>> CVE-2008-5113:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
>> http://bugs.debian.org/504771
>>
>> How to update:
>> --------------
>> Make sure the line
>>
>> deb http://security.debian.org lenny/updates main contrib non-free
>>
>> is present in your /etc/apt/sources.list. Of course, you also need the line
>> pointing to your normal lenny mirror. You can use
>>
>> aptitude update && aptitude dist-upgrade
>>
>> to install the updates.
>>
>>
>> More information:
>> -----------------
>> More information about which security issues affect Debian can be found in the
>> security tracker:
>>
>> http://security-tracker.debian.net/tracker/
>>
>> A list of all known unfixed security issues is at
>>
>> http://security-tracker.debian.net/tracker/status/release/testing
>>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Quoting: the act of repeating erroneously the words of another.
> -- Ambrose Bierce
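The following is an added example, not LifeType/pLog code and not anything either poster wrote. It models the cookie-overwrite behaviour the thread describes (under PHP's default variables_order "EGPCS", later sources overwrite earlier ones when $_REQUEST is populated, so a cookie with the same name replaces a GET or POST parameter) and shows the two fixes Matt proposes: build the merged request array from $_GET and $_POST only, and read cookies explicitly from $_COOKIE. It also adds a POST-only reader for Matt's CSRF caveat about state-changing pages accepting parameters from GET. The helper names (requestParams, param, postParam, cookie, buildLegacyRequest) and all sample values are assumptions constructed for the demonstration.

```php
<?php
// Added example for the $_REQUEST discussion; not LifeType code.
declare(strict_types=1);

/**
 * Constructed model of how $_REQUEST is populated under variables_order
 * "EGPCS": later sources overwrite earlier ones, so a cookie named like a
 * GET/POST parameter silently wins. (Demonstration only; the real
 * $_REQUEST is built by the engine.)
 */
function buildLegacyRequest(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

/**
 * Hardened replacement for $_REQUEST: only query-string and body
 * parameters are considered, POST taking precedence over GET. Cookies
 * can no longer leak into request parameters.
 */
function requestParams(array $get, array $post): array
{
    return array_merge($get, $post);
}

/** Read one string parameter from GET or POST; anything else yields $default. */
function param(string $name, array $get, array $post, ?string $default = null): ?string
{
    $params = requestParams($get, $post);
    return (isset($params[$name]) && is_string($params[$name])) ? $params[$name] : $default;
}

/**
 * For state-changing handlers, accept the value from the POST body only,
 * so a crafted link (GET) cannot stand in for a form submission.
 */
function postParam(string $name, array $post, ?string $default = null): ?string
{
    return (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : $default;
}

/** Cookie values come only from $_COOKIE, never from the merged request. */
function cookie(string $name, array $cookie, ?string $default = null): ?string
{
    return (isset($cookie[$name]) && is_string($cookie[$name])) ? $cookie[$name] : $default;
}

// Constructed sample request: the visitor asked for page 2 in the query
// string, but the browser also sent a cookie named "page".
$get    = ['page' => '2'];
$post   = ['action' => 'save'];
$cookie = ['page' => '999', 'PHPSESSID' => 'constructed-session-id'];

$legacy = buildLegacyRequest($get, $post, $cookie);
printf("legacy \$_REQUEST['page']  = %s\n", $legacy['page']);                 // 999: the cookie won
printf("param('page')             = %s\n", param('page', $get, $post));     // 2: cookie ignored
printf("postParam('action')       = %s\n", postParam('action', $post));     // save
printf("postParam('page')         = %s\n", postParam('page', $post) ?? 'null'); // null: GET not accepted
printf("cookie('PHPSESSID')       = %s\n", cookie('PHPSESSID', $cookie));   // constructed-session-id
```

In a real handler the sample arrays are replaced by the superglobals, e.g. `param('page', $_GET, $_POST)` and `cookie('PHPSESSID', $_COOKIE)`, so callers never touch $_REQUEST at all. On PHP 5.3 and later the `request_order` ini directive can also exclude cookies from $_REQUEST engine-wide, but the helpers above do not depend on server configuration.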