[pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)

Mark Wu markplace at gmail.com
Thu Jan 15 11:36:07 EST 2009


I checked the code; there are only 2 scripts that use $_REQUEST, and it seems easy to
fix.
 
Here comes the fix.
 
One is httpvars.class.php and the other one is resserver.php.
 
httpvars is a class wrapper of $_REQUEST, $_GET, $_POST, $_COOKIE and
$_SESSION in lifetype.
 
As long as we use Httpvars::getRequest() to get our own $request array, we
won't get any problems.
 
Mark

  _____  

From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
Sent: Thursday, January 15, 2009 11:48 PM
To: LifeType Developer List
Subject: Re: [pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)


Using $_REQUEST is a no-no.

If lifetype absolutely needs it, one way to mitigate against this PHP
headache would be to assign $_REQUEST = array_merge($_GET, $_POST).
[http://us2.php.net/array_merge]

If you're using it to get $_COOKIE values, change that code to specifically
look in that variable for it...

Then you won't suffer from the cookie overwrite situation.

-Matt

FYI. Take that bit of advice with the disclaimer that I usually consider
pages whose POST variables are accepted via either POST or GET to be a
vulnerability, since Cross-Site Request Forgery is possible then.


On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <plogworld at jon.limedaley.com>
wrote:


Yes, this is a critical error, as we use $_REQUEST all over the
place, so various things can be injected via cookies into the GET and POST
streams.  Anyone have some time to see how other folks went about solving
this?  Maybe the easiest thing is to remove cookie information from the
REQUEST parameter?  Some of the places we use $_REQUEST can simply be
changed to $_GET (like for the page parameter - that isn't ever used via
POST or COOKIE, right?)
We do a bunch of overwriting of the superglobals in the root directory,
and that code looks kind of hard to modify.

See the below links for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/



On Mon, 24 Nov 2008, Jon Daley wrote:



Since every (I think?) blog software that is in debian just released
a security advisory...  I haven't looked into it very carefully yet - do we
need to do something to fix LT as well?  And perhaps we can borrow some code
from these patches?

---------- Forwarded message ----------
Date: Mon, 24 Nov 2008 02:04:52 +0100
From: secure-testing-team at lists.alioth.debian.org
To: debian-testing-security-announce at lists.debian.org
Subject: Security update for Debian Testing - 2008-11-24
Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)
Resent-From: debian-testing-security-announce at lists.debian.org

This automatic mail gives an overview over security issues that were recently
fixed in Debian Testing. The majority of fixed packages migrate to testing
from unstable. If this would take too long, fixed packages are uploaded to the
testing-security repository instead. It can also happen that vulnerable
packages are removed from Debian testing.

Migrated from unstable:
=======================
enscript 1.6.4-13:
CVE-2008-4306: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
             http://bugs.debian.org/506261

libxml2 2.6.32.dfsg-5:
CVE-2008-4225: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
CVE-2008-4226: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226

movabletype-opensource 4.2.1-3:
CVE-2008-4634: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
             http://bugs.debian.org/503114

no-ip 2.1.7-11:
<no CVE yet> : no-ip DUC remote code execution
             http://bugs.debian.org/506179

typo3-src 4.2.3-1:
<no CVE yet> : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"
             http://bugs.debian.org/505324
<no CVE yet> : typo3: XSS vulnerability in Typo3 sysext "felogin"
             http://bugs.debian.org/505325
<no CVE yet> : typo3: passwords are not changeable bug in the backend
             http://bugs.debian.org/505326

wordpress 2.5.1-10:
CVE-2008-5113: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
             http://bugs.debian.org/504771



How to update:
--------------
Make sure the line

       deb http://security.debian.org lenny/updates main contrib non-free

is present in your /etc/apt/sources.list. Of course, you also need the line
pointing to your normal lenny mirror. You can use

       aptitude update && aptitude dist-upgrade

to install the updates.


More information:
-----------------
More information about which security issues affect Debian can be found in the
security tracker:

       http://security-tracker.debian.net/tracker/

A list of all known unfixed security issues is at

       http://security-tracker.debian.net/tracker/status/release/testing






-- 

Jon Daley
http://jon.limedaley.com
~~
Quoting: the act of repeating erroneously the words of another.
-- Ambrose Bierce 

_______________________________________________
pLog-svn mailing list
pLog-svn at devel.lifetype.net
http://limedaley.com/mailman/listinfo/plog-svn
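The cookie-shadowing problem Jon describes and the array_merge() mitigation Matt proposes above, as an added PHP example that is not LifeType's httpvars.class.php or resserver.php. The $get, $post and $cookie arrays are constructed sample input standing in for the superglobals, and the crafted cookie value is made up for the demonstration.

```php
<?php
// Added example, not code from the LifeType project. The arrays below are
// constructed sample input; real code would pass $_GET, $_POST and $_COOKIE.

// Roughly what PHP's $_REQUEST does under the default variables_order of
// "GPC": each later source overrides the earlier ones on a key clash, so a
// cookie can shadow a GET or POST parameter of the same name.
function phpStyleRequest(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Matt's mitigation: merge GET and POST only. POST still wins over GET on a
// key clash, but cookies are never consulted for request parameters.
function safeRequest(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Cookie values are read explicitly from the cookie array, never through the
// merged request array, so a parameter lookup cannot hit a cookie by accident.
function cookieValue(array $cookie, string $name, ?string $default = null): ?string
{
    return array_key_exists($name, $cookie) ? (string) $cookie[$name] : $default;
}

// Constructed sample input: a cookie named like the "page" parameter plus a
// value that the form never sent and that the code should not see.
$get    = ['page' => '2', 'op' => 'ViewArticle'];
$post   = [];
$cookie = ['page' => 'from-cookie', 'userId' => '1', 'PHPSESSID' => 'sample'];

$naive = phpStyleRequest($get, $post, $cookie);
$safe  = safeRequest($get, $post);

printf("naive page    = %s\n", $naive['page']);                      // from-cookie
printf("safe  page    = %s\n", $safe['page']);                       // 2
printf("safe  userId  = %s\n", isset($safe['userId']) ? 'set' : 'absent'); // absent
printf("cookie userId = %s\n", cookieValue($cookie, 'userId', '(none)'));  // 1
```

On PHP 5.3 and later the request_order ini directive ("GP") drops cookies from $_REQUEST at the interpreter level, but a wrapper like the one above does not depend on the hosting php.ini.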



-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpvars.class.php
Type: application/octet-stream
Size: 7985 bytes
Desc: not available
URL: <http://limedaley.com/pipermail/plog-svn/attachments/20090116/6982bac8/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: resserver.php
Type: application/octet-stream
Size: 963 bytes
Desc: not available
URL: <http://limedaley.com/pipermail/plog-svn/attachments/20090116/6982bac8/attachment-0003.obj>