<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16788" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2>I checked the code; there are only 2 scripts that use
$_REQUEST, and it seems easy to fix. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><FONT face=新細明體><FONT size=2><FONT color=#0000ff><SPAN
class=625353116-15012009></SPAN><SPAN class=625353116-15012009>Here comes the
fix.</SPAN></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><FONT face=新細明體><FONT size=2><FONT color=#0000ff><SPAN
class=625353116-15012009></SPAN></FONT></FONT></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2>One is httpvars.class.php and the other one is
resserver.php.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2>httpvars is a class wrapper around $_REQUEST, $_GET, $_POST,
$_COOKIE and $_SESSION in lifetype.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2>As long as we use Httpvars::getRequest() to get our own
$request array, we won't get any problems.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=625353116-15012009><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
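<DIV dir=ltr align=left><FONT size=2>Worked example, added to this page and not LifeType's own code (the function names below are made up and are not the real Httpvars class): it reproduces the cookie-overwrite behaviour the thread is about on a constructed request, then shows the cookie-free request array Matt proposes via array_merge($_GET, $_POST), plus a method-specific lookup for the CSRF point he raises. The sample GET, POST and cookie arrays are constructed for the demonstration.</FONT></DIV>

```php
<?php
// Added illustration, not LifeType's own code: why $_REQUEST is dangerous and
// what a cookie-free request array (Matt's array_merge($_GET, $_POST) idea) buys.
// All input below is constructed; no real request is read.

// One constructed HTTP request: a GET with ?page=2&op=ViewArticle, a POST body
// carrying op=AddComment, and a planted cookie that reuses the same names.
$get    = ['page' => '2',    'op' => 'ViewArticle'];
$post   = [                  'op' => 'AddComment'];
$cookie = ['page' => '9999', 'op' => 'Admin'];

/**
 * Mirrors how PHP fills $_REQUEST when request_order is unset: the sources
 * listed in variables_order (EGPCS by default) are merged in order, so a
 * later source silently overwrites an earlier one. Cookies come last and win.
 */
function requestLikePhpDefault(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

/**
 * The mitigation from the thread: build the request array from GET and POST
 * only. POST still overrides GET, but nothing a cookie carries can reach it.
 * Cookie values have to be fetched from $_COOKIE on purpose, by name.
 */
function requestWithoutCookies(array $get, array $post): array
{
    return array_merge($get, $post);
}

/**
 * Stricter variant for the CSRF concern Matt raises: a parameter is accepted
 * only from the method the page expects, so a state-changing 'op' cannot be
 * supplied through a GET link. $source is one of the superglobal-style arrays.
 */
function paramFrom(array $source, string $name, ?string $default = null): ?string
{
    return isset($source[$name]) && is_string($source[$name]) ? $source[$name] : $default;
}

$leaky = requestLikePhpDefault($get, $post, $cookie);
$safe  = requestWithoutCookies($get, $post);

// With the default merge the cookie rewrote both the page number and the
// operation, even though the browser never sent them as GET or POST values.
assert($leaky['page'] === '9999' && $leaky['op'] === 'Admin');

// Cookie-free: page comes from the query string, op from the POST body.
assert($safe['page'] === '2' && $safe['op'] === 'AddComment');

// Method-specific lookup: 'op' is taken from POST only; a GET-only 'op' is ignored.
assert(paramFrom($post, 'op') === 'AddComment');
assert(paramFrom($post, 'page') === null);

printf("default \$_REQUEST-style merge: page=%s op=%s\n", $leaky['page'], $leaky['op']);
printf("GET+POST only:                 page=%s op=%s\n", $safe['page'], $safe['op']);
```

<DIV dir=ltr align=left><FONT size=2>Two practical notes. First, on PHP 5.3 and later the same effect can be had at the interpreter level by setting request_order = "GP" in php.ini, which tells PHP to populate $_REQUEST from GET and POST only; older PHP has no such knob, so a wrapper like the one above is the only option there. Second, the cookie-free merge alone does not settle Matt's CSRF concern, because a parameter that can arrive either as GET or as POST can still be triggered by a crafted link; that is why the last function reads a parameter from one named source only.</FONT></DIV>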
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Matt
Wood<BR><B>Sent:</B> Thursday, January 15, 2009 11:48 PM<BR><B>To:</B> LifeType
Developer List<BR><B>Subject:</B> Re: [pLog-svn] Security update for Debian
Testing - 2008-11-24 (fwd)<BR></FONT><BR></DIV>
<DIV></DIV>Using $_REQUEST is a no-no.<BR><BR>If lifetype absolutely needs it,
one way to mitigate against this PHP headache would be to assign $_REQUEST =
array_merge($_GET,$_POST). [<A
href="http://us2.php.net/array_merge">http://us2.php.net/array_merge</A>]<BR><BR>If
you're using it to get $_COOKIE values, change that code to specifically look in
that variable for it...<BR><BR>Then you won't suffer from the cookie overwrite
situation.<BR><BR>-Matt<BR><BR>FYI. Take that bit of advice with the disclaimer
that I usually consider pages whose POST variables are accepted in POST or GET
variables to be a vulnerability, since Cross Site Request Forgery is possible
then.<BR><BR>
<DIV class=gmail_quote>On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <SPAN
dir=ltr>&lt;<A
href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</A>&gt;</SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
Yes, this is a critical error, as we use $_REQUEST all
over the place, so various things can be injected via cookies into the get and
post streams. Anyone have some time to see how other folks went about
solving this? Maybe the easiest thing is to remove cookie information
from the REQUEST parameter? Some of the places we use $_REQUEST can
simply be changed to $_GET (like for the page parameter - that isn't ever used
via POST or COOKIE, right?)<BR> We do a bunch of
overwriting the superglobals in the root directory, and that code looks kind
of hard to modify.<BR><BR>See the below links for more information:<BR><BR><A
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771"
target=_blank>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771</A><BR><A
href="http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/"
target=_blank>http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/</A>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR><BR><BR>On Mon, 24 Nov 2008, Jon Daley wrote:<BR><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
Since every (I think?) blog software that is in debian
just released a security advisory... I haven't looked into it very
carefully yet - do we need to do something to fix LT as well? And
perhaps we can borrow some code from these patches?<BR><BR>----------
Forwarded message ----------<BR>Date: Mon, 24 Nov 2008 02:04:52
+0100<BR>From: <A href="mailto:secure-testing-team@lists.alioth.debian.org"
target=_blank>secure-testing-team@lists.alioth.debian.org</A><BR>To: <A
href="mailto:debian-testing-security-announce@lists.debian.org"
target=_blank>debian-testing-security-announce@lists.debian.org</A><BR>Subject:
Security update for Debian Testing - 2008-11-24<BR>Resent-Date: Mon, 24 Nov
2008 01:05:05 +0000 (UTC)<BR>Resent-From: <A
href="mailto:debian-testing-security-announce@lists.debian.org"
target=_blank>debian-testing-security-announce@lists.debian.org</A><BR><BR>This
automatic mail gives an overview of security issues that were
recently<BR>fixed in Debian Testing. The majority of fixed packages migrate
to testing<BR>from unstable. If this would take too long, fixed packages are
uploaded to the<BR>testing-security repository instead. It can also happen
that vulnerable<BR>packages are removed from Debian testing.<BR><BR>Migrated
from unstable:<BR>=======================<BR>enscript
1.6.4-13:<BR>CVE-2008-4306: <A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306"
target=_blank>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306</A><BR>
<A
href="http://bugs.debian.org/506261"
target=_blank>http://bugs.debian.org/506261</A><BR><BR>libxml2
2.6.32.dfsg-5:<BR>CVE-2008-4225: <A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225"
target=_blank>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225</A><BR>CVE-2008-4226:
<A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226"
target=_blank>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226</A><BR><BR>movabletype-opensource
4.2.1-3:<BR>CVE-2008-4634: <A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634"
target=_blank>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634</A><BR>
<A
href="http://bugs.debian.org/503114"
target=_blank>http://bugs.debian.org/503114</A><BR><BR>no-ip
2.1.7-11:<BR>&lt;no CVE yet&gt; : no-ip DUC remote code execution<BR>
<A
href="http://bugs.debian.org/506179"
target=_blank>http://bugs.debian.org/506179</A><BR><BR>typo3-src
4.2.3-1:<BR>&lt;no CVE yet&gt; : typo3: XSS vulnerability in Typo3
backendmodul "fileadmin"<BR>
<A href="http://bugs.debian.org/505324"
target=_blank>http://bugs.debian.org/505324</A><BR>&lt;no CVE yet&gt; :
typo3: XSS vulnerability in Typo3 sysext "felogin"<BR>
<A href="http://bugs.debian.org/505325"
target=_blank>http://bugs.debian.org/505325</A><BR>&lt;no CVE yet&gt; :
typo3: passwords are not changeable bug in the backend<BR>
<A href="http://bugs.debian.org/505326"
target=_blank>http://bugs.debian.org/505326</A><BR><BR>wordpress
2.5.1-10:<BR>CVE-2008-5113: <A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113"
target=_blank>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113</A><BR>
<A
href="http://bugs.debian.org/504771"
target=_blank>http://bugs.debian.org/504771</A><BR><BR><BR><BR>How to
update:<BR>--------------<BR>Make sure the line<BR><BR>
deb <A href="http://security.debian.org"
target=_blank>http://security.debian.org</A> lenny/updates main contrib
non-free<BR><BR>is present in your /etc/apt/sources.list. Of course, you
also need the line<BR>pointing to your normal lenny mirror. You can
use<BR><BR> aptitude update &amp;&amp; aptitude
dist-upgrade<BR><BR>to install the updates.<BR><BR><BR>More
information:<BR>-----------------<BR>More information about which security
issues affect Debian can be found in the<BR>security tracker:<BR><BR>
<A href="http://security-tracker.debian.net/tracker/"
target=_blank>http://security-tracker.debian.net/tracker/</A><BR><BR>A list
of all known unfixed security issues is at<BR><BR>
<A
href="http://security-tracker.debian.net/tracker/status/release/testing"
target=_blank>http://security-tracker.debian.net/tracker/status/release/testing</A><BR><BR><BR><BR></BLOCKQUOTE><BR>--
<BR></DIV></DIV><FONT color=#888888>Jon Daley<BR><A
href="http://jon.limedaley.com"
target=_blank>http://jon.limedaley.com</A><BR>~~<BR>Quoting: the act of
repeating erroneously the words of another.<BR>-- Ambrose Bierce</FONT>
<DIV>
<DIV></DIV>
<DIV
class=Wj3C7c><BR>_______________________________________________<BR>pLog-svn
mailing list<BR><A href="mailto:pLog-svn@devel.lifetype.net"
target=_blank>pLog-svn@devel.lifetype.net</A><BR><A
href="http://limedaley.com/mailman/listinfo/plog-svn"
target=_blank>http://limedaley.com/mailman/listinfo/plog-svn</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></BODY></HTML>