phpgroupware-developers

[phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpg


From: Olivier Berger
Subject: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Wed, 26 Mar 2008 12:21:08 +0100

Hi.

I'm trying to understand if/how the code in 0.9.16.011 was indeed
vulnerable concerning the phpsysinfo XSS vulnerability...

Can you please enlighten me (privately, if details are sensitive) ?

My impression is that the Debian package was after all not vulnerable...
as the phpsysinfo footer shouldn't have been called directly, the
phpsysinfo being wrapped by phpgroupware... Or I have it all wrong on
how the XSS works... or the proposed patch for a fix for Debian was
useless... or... I'm a bit lost ;)

See a copy of a message I just sent to the Debian BTS (full thread :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472685 )

Btw, if there's a security related list, it may be worth being on board
as soon as possible to be able to prepare patches and so on for the
Debian package...

Many thanks in advance.

-------- Forwarded message --------
From: Olivier Berger <address@hidden>
To: address@hidden
Subject: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS
vulnerability, still no fix provided for stable/etch ?
Date: Wed, 26 Mar 2008 11:40:15 +0100

On Tuesday 25 March 2008 at 19:14 +0100, Olivier Berger wrote:
> 
> It looks to me as if bug #435936 wasn't completely fixed for
> etch/stable (considering
> http://security-tracker.debian.net/tracker/CVE-2007-4048, thanks to
> Thomas Viehmann for pointing this out).

SNIP

> Anyway, I think that the fix proposed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
>  should apply to 0.9.16.011-2.2 too.
> 

SNIP

> Will try and propose a fix as soon as possible... but considering the
> long period during which eventual stable installations of
> phpgroupware-phpsysinfo have been vulnerable (if it indeed applies to
> the stable version), I suppose harm is already done, so I'm not sure
> there's a case of emergency here:(

Having had a closer look at the phpsysinfo integration in phpgroupware
in etch, I'm not so sure it was even a problem, since I cannot exactly
understand how the vulnerable code could have been executed. It is
located in the phpsysinfo footer and I only see ways to have the
standard phpgroupware footer displayed... but I'm not so much aware of
the XSS mechanism involved here. 

Anyway, assuming that the fix for #435936 was indeed necessary, here's
an attached patch that should fix it for the stable version too.

Maybe I'll get in touch with upstream to try and get a clearer view.

I'll also read the reference on security and NMUs to check what could be
the next steps.

Regards,

--- system_footer.php.orig      2008-03-26 11:14:09.000000000 +0100
+++ system_footer.php   2008-03-26 11:32:26.000000000 +0100
@@ -25,7 +25,7 @@
 
 echo "<center>";
 
-$update_form = "<form method=\"POST\" action=\"$PHP_SELF\">\n"
+$update_form = "<form method=\"POST\" action=\"" . 
htmlentities($_SERVER['PHP_SELF']) . "\">\n" 
              . "\t" . $text['template'] . ":&nbsp;\n"
              . "\t<select name=\"template\">\n";
 
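
Review bot: In the added `action=` line, `htmlentities($_SERVER['PHP_SELF'])` is called with its default flags and charset; pass `ENT_QUOTES` and the page's charset explicitly so the escaping does not depend on the attribute staying double-quoted or on the server's default encoding. Because this form only posts back to the script itself, consider not reflecting `PHP_SELF` at all and using an escaped `$_SERVER['SCRIPT_NAME']` (which leaves out the request's extra path information) or an empty `action`. Separately, the `+` line has been wrapped by the mailer, so its continuation `htmlentities($_SERVER['PHP_SELF']) . "\">\n"` has no leading `+` and the hunk will not apply as quoted; resend the patch as an attachment.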


-- 
Olivier BERGER <address@hidden> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), 
Evry





