[pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)
Jon Daley
plogworld at jon.limedaley.com
Thu Jan 15 14:41:58 EST 2009
Maybe you know the code better than I do. I worked on it for a
while, and removed a couple of easy places, but when I was working on getting
rid of the setRequest stuff, it looked like it was too likely to break
something. I was trying to remove the three xxxRequest functions, so then
there are a dozen places or so that use those functions.
On Fri, 16 Jan 2009, Mark Wu wrote:
> I checked the code; there are only 2 scripts that use $_REQUEST, and it seems easy to fix.
>
> Here comes the fix.
>
> One is httpvars.class.php and the other one is resserver.php.
>
> httpvars is a class wrapper of $_REQUEST, $_GET, $_POST, $_COOKIE and $_SESSION in lifetype.
>
> As long as we use Httpvars::getRequest() to get our own $request array, we won't get any problems.
>
> Mark
>
> _____________________________________________________________________________________________________________
> From: plog-svn-bounces at devel.lifetype.net [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> Matt Wood
> Sent: Thursday, January 15, 2009 11:48 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)
>
> Using $_REQUEST is a no-no.
>
> If lifetype absolutely needs it, one way to mitigate against this PHP headache would be to assign
> $_REQUEST = array_merge($_GET, $_POST). [http://us2.php.net/array_merge]
>
> If you're using it to get $_COOKIE values, change that code to specifically look in that variable for
> it...
>
> Then you won't suffer from the cookie overwrite situation.
>
> -Matt
>
> FYI. Take that bit of advice with the disclaimer that I usually consider pages whose POST variables
> are accepted in POST or GET variables to be a vulnerability, since Cross Site Request Forgery is
> possible then.
>
> On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <plogworld at jon.limedaley.com> wrote:
> Yes, this is a critical error, as we use $_REQUEST all over the place, so various
> things can be injected via cookies into the get and post streams. Anyone have some time
> to see how other folks went about solving this? Maybe the easiest thing is to remove
> cookie information from the REQUEST parameter? Some of the places we use $_REQUEST can
> simply be changed to $_GET (like for the page parameter - that isn't ever used via POST or
> COOKIE, right?)
> We do a bunch of overwriting the superglobals in the root directory, and that code
> looks kind of hard to modify.
>
> See the below links for more information:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
> http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/
>
>
>
> On Mon, 24 Nov 2008, Jon Daley wrote:
>
> Since every (I think?) blog software that is in debian just released a
> security advisory... I haven't looked into it very carefully yet - do we need to do
> something to fix LT as well? And perhaps we can borrow some code from these
> patches?
>
> ---------- Forwarded message ----------
> Date: Mon, 24 Nov 2008 02:04:52 +0100
> From: secure-testing-team at lists.alioth.debian.org
> To: debian-testing-security-announce at lists.debian.org
> Subject: Security update for Debian Testing - 2008-11-24
> Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)
> Resent-From: debian-testing-security-announce at lists.debian.org
>
> This automatic mail gives an overview over security issues that were recently
> fixed in Debian Testing. The majority of fixed packages migrate to testing
> from unstable. If this would take too long, fixed packages are uploaded to the
> testing-security repository instead. It can also happen that vulnerable
> packages are removed from Debian testing.
>
> Migrated from unstable:
> =======================
> enscript 1.6.4-13:
> CVE-2008-4306: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
> http://bugs.debian.org/506261
>
> libxml2 2.6.32.dfsg-5:
> CVE-2008-4225: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
> CVE-2008-4226: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
>
> movabletype-opensource 4.2.1-3:
> CVE-2008-4634: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
> http://bugs.debian.org/503114
>
> no-ip 2.1.7-11:
> <no CVE yet> : no-ip DUC remote code execution
> http://bugs.debian.org/506179
>
> typo3-src 4.2.3-1:
> <no CVE yet> : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"
> http://bugs.debian.org/505324
> <no CVE yet> : typo3: XSS vulnerability in Typo3 sysext "felogin"
> http://bugs.debian.org/505325
> <no CVE yet> : typo3: passwords are not changeable bug in the backend
> http://bugs.debian.org/505326
>
> wordpress 2.5.1-10:
> CVE-2008-5113: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
> http://bugs.debian.org/504771
>
>
>
> How to update:
> --------------
> Make sure the line
>
> deb http://security.debian.org lenny/updates main contrib non-free
>
> is present in your /etc/apt/sources.list. Of course, you also need the line
> pointing to your normal lenny mirror. You can use
>
> aptitude update && aptitude dist-upgrade
>
> to install the updates.
>
>
> More information:
> -----------------
> More information about which security issues affect Debian can be found in the
> security tracker:
>
> http://security-tracker.debian.net/tracker/
>
> A list of all known unfixed security issues is at
>
> http://security-tracker.debian.net/tracker/status/release/testing
>
>
>
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Quoting: the act of repeating erroneously the words of another.
> -- Ambrose Bierce
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
>
>
>
--
Jon Daley
http://jon.limedaley.com
~~
If I don't see you in the future, I'll see you in the pasture.
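The cookie-overwrite problem the thread is about, and the array_merge($_GET, $_POST) mitigation Matt suggests, as an added example. This is not LifeType code and not taken from any of the messages above; the superglobals are replaced by constructed arrays so it runs from the PHP CLI without a web server, and the helper names (build_request, a fake "page" cookie) are made up for the demonstration. It generalizes slightly beyond the thread by taking PHP's order string as a parameter, so the same function shows both the unsafe and the safe configuration.

```php
<?php
// Added example, not LifeType's Httpvars class. Shows how $_REQUEST is
// assembled from GET, POST and COOKIE according to PHP's order string
// (variables_order, or request_order when it is set), why a cookie can
// silently replace a query-string or form value, and the fix of building
// the request array from GET and POST only.

// Constructed sample input standing in for one HTTP request: the query
// string carries ?page=2&blogId=1, the body is empty, and the browser also
// sends a cookie named "page" (stale, or planted by an attacker) plus a
// session cookie. Values are invented for the demonstration.
$get    = array('page' => '2', 'blogId' => '1');
$post   = array();
$cookie = array('page' => '99', 'PHPSESSID' => 'abc123');

// Build a request array the way PHP does: walk the order string and merge
// each source in turn, so a later source overwrites an earlier one for the
// same key. Only the letters G, P and C matter for $_REQUEST; E and S
// (environment, server) never feed it, so they are ignored here.
function build_request($order, array $get, array $post, array $cookie) {
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $request = array();
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// The historically common default, variables_order = "EGPCS" with no
// request_order: cookies are merged last and therefore win.
$unsafe = build_request('EGPCS', $get, $post, $cookie);

// The mitigation from the thread, equivalent to array_merge($_GET, $_POST):
// cookies are never merged into the request array at all.
$safe = build_request('GP', $get, $post, $cookie);

printf("EGPCS: page=%s  (cookie overrode the query string)\n", $unsafe['page']);
printf("GP:    page=%s  (cookie ignored)\n", $safe['page']);

// Where a cookie value is genuinely wanted, read it from the cookie array
// by name instead of letting it leak in through the request array.
$session = isset($cookie['PHPSESSID']) ? $cookie['PHPSESSID'] : null;
printf("session id from cookie: %s\n", $session);
```

The same check applies to a wrapper like the Httpvars class mentioned in the thread: as long as the wrapper's request array is assembled from $_GET and $_POST only, and $_COOKIE is consulted explicitly, it does not matter what the server's variables_order or request_order setting is.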