[pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)

Matt Wood matt at woodzy.com
Thu Jan 15 10:47:45 EST 2009


Using $_REQUEST is a no-no.

If LifeType absolutely needs it, one way to mitigate against this PHP
headache would be to assign $_REQUEST = array_merge($_GET, $_POST).
[http://us2.php.net/array_merge]

If you're using it to get $_COOKIE values, change that code to look
specifically in that variable for it...

Then you won't suffer from the cookie overwrite situation.

-Matt

FYI. Take that bit of advice with the disclaimer that I usually consider
pages whose POST variables are accepted in POST or GET variables to be a
vulnerability, since Cross Site Request Forgery is possible then.

On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <plogworld at jon.limedaley.com> wrote:

>        Yes, this is a critical error, as we use $_REQUEST all over the
> place, so various things can be injected via cookies into the get and post
> streams.  Anyone have some time to see how other folks went about solving
> this?  Maybe the easiest thing is to remove cookie information from the
> REQUEST parameter?  Some of the places we use $_REQUEST can simply be
> changed to $_GET (like for the page parameter - that isn't ever used via
> POST or COOKIE, right?)
>        We do a bunch of overwriting the superglobals in the root directory,
> and that code looks kind of hard to modify.
>
> See the below links for more information:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
>
> http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/
>
>
>
> On Mon, 24 Nov 2008, Jon Daley wrote:
>
>> Since every (I think?) blog software that is in debian just
>> released a security advisory...  I haven't looked into it very carefully yet
>> - do we need to do something to fix LT as well?  And perhaps we can borrow
>> some code from these patches?
>>
>> ---------- Forwarded message ----------
>> Date: Mon, 24 Nov 2008 02:04:52 +0100
>> From: secure-testing-team at lists.alioth.debian.org
>> To: debian-testing-security-announce at lists.debian.org
>> Subject: Security update for Debian Testing - 2008-11-24
>> Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)
>> Resent-From: debian-testing-security-announce at lists.debian.org
>>
>> This automatic mail gives an overview over security issues that were
>> recently fixed in Debian Testing. The majority of fixed packages migrate
>> to testing from unstable. If this would take too long, fixed packages are
>> uploaded to the testing-security repository instead. It can also happen
>> that vulnerable packages are removed from Debian testing.
>>
>> Migrated from unstable:
>> =======================
>> enscript 1.6.4-13:
>> CVE-2008-4306:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
>>              http://bugs.debian.org/506261
>>
>> libxml2 2.6.32.dfsg-5:
>> CVE-2008-4225:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
>> CVE-2008-4226:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
>>
>> movabletype-opensource 4.2.1-3:
>> CVE-2008-4634:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
>>              http://bugs.debian.org/503114
>>
>> no-ip 2.1.7-11:
>> <no CVE yet> : no-ip DUC remote code execution
>>              http://bugs.debian.org/506179
>>
>> typo3-src 4.2.3-1:
>> <no CVE yet> : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"
>>              http://bugs.debian.org/505324
>> <no CVE yet> : typo3: XSS vulnerability in Typo3 sysext "felogin"
>>              http://bugs.debian.org/505325
>> <no CVE yet> : typo3: passwords are not changeable bug in the backend
>>              http://bugs.debian.org/505326
>>
>> wordpress 2.5.1-10:
>> CVE-2008-5113:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
>>              http://bugs.debian.org/504771
>>
>>
>>
>> How to update:
>> --------------
>> Make sure the line
>>
>>        deb http://security.debian.org lenny/updates main contrib non-free
>>
>> is present in your /etc/apt/sources.list. Of course, you also need the
>> line pointing to your normal lenny mirror. You can use
>>
>>        aptitude update && aptitude dist-upgrade
>>
>> to install the updates.
>>
>>
>> More information:
>> -----------------
>> More information about which security issues affect Debian can be found in
>> the security tracker:
>>
>>        http://security-tracker.debian.net/tracker/
>>
>> A list of all known unfixed security issues is at
>>
>>        http://security-tracker.debian.net/tracker/status/release/testing
>>
>>
>>
>>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Quoting: the act of repeating erroneously the words of another.
> -- Ambrose Bierce
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
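The cookie-overwrite problem the thread describes, and the array_merge($_GET, $_POST) mitigation Matt suggests, as an added example (not LifeType's code). The sample $get/$post/$cookie arrays are constructed stand-ins for the real superglobals.

```php
<?php
// Added example, not LifeType code. Shows why $_REQUEST is dangerous when a
// cookie and a query-string parameter share a name, and the two fixes from
// the thread: rebuild the merged array from GET+POST only, and read cookies
// explicitly from $_COOKIE instead of through the merge.
//
// Background: when request_order is unset, PHP populates $_REQUEST in
// variables_order (default "EGPCS"), so COOKIE is merged last and a cookie
// named "page" silently overwrites the "page" sent in the query string.

// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$get    = ['page' => '2'];
$post   = [];
$cookie = ['page' => '9999', 'session' => 'abc'];

// Legacy pattern: mirrors how $_REQUEST is built under EGPCS ordering.
// Later sources overwrite earlier ones, so the cookie value wins.
function buildRequestLegacy(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Mitigation: the merged array is built from GET and POST only, so cookies
// can no longer inject or override request parameters. In the real app this
// is the "$_REQUEST = array_merge($_GET, $_POST);" line from the thread.
function buildRequestSafe(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Cookie values are fetched deliberately from the cookie source, never from
// the merged request array.
function cookieValue(array $cookie, string $name, ?string $default = null): ?string
{
    return array_key_exists($name, $cookie) ? $cookie[$name] : $default;
}

$legacy = buildRequestLegacy($get, $post, $cookie);
$safe   = buildRequestSafe($get, $post);

// The legacy merge reports the cookie's "page"; the safe merge reports the
// query string's "page"; the session cookie is still reachable explicitly.
printf("legacy  page=%s\n", $legacy['page']);
printf("safe    page=%s\n", $safe['page']);
printf("session=%s\n", cookieValue($cookie, 'session', '(none)'));
```

Run with `php example.php`; the same effect can be confirmed in a real deployment by comparing `$_REQUEST['page']` against `$_GET['page']` while a cookie of the same name is set.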