
Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685:


From: Dave Hall
Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Thu, 27 Mar 2008 10:45:26 +0000

Hi Olivier,

I thought I would reply publicly here in addition to my email last night
my time.

On Wed, 2008-03-26 at 12:21 +0100, Olivier Berger wrote:
> Hi.
> 
> I'm trying to understand if/how the code in 0.9.16.011 was indeed
> vulnerable concerning the phpsysinfo XSS vulnerability...
> 
> Can you please enlighten me (privately, if details are sensitive) ?
> 
> My impression is that the Debian package was after all not vulnerable...
> as the phpsysinfo footer shouldn't have been called directly, the
> phpsysinfo being wrapped by phpgroupware... Or I have it all wrong on
> how the XSS works... or the proposed patch for a fix for Debian was
> useless... or... I'm a bit lost ;)

After looking into this, we weren't vulnerable in the first place - oh
the joys of jumping at shadows when you are under-resourced.

I looked at the old code - scary stuff.  The fix proposed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
should be used for Debian (old)stable just to be sure.  The 0.9.16.012 release
updated phpsysinfo to 2.5.4 from upstream (with some mods), to keep our code in
sync.

Thanks for picking this up.  

Just so people are clear, CVE-2007-4048 was not exploitable when running
phpsysinfo from within phpGroupWare.  In 0.9.16.012 you got an updated
(and more secure) version of phpsysinfo.

> Btw, if there's a security related list, it may be worth being on board
> as soon as possible to be able to prepare patches and so on for the
> Debian package...

There isn't such a list.  What I usually do is try to grab our packagers to
let them know what is happening in advance - by a couple of hours.  I am
happy to try to provide security-only patches on request, or give you a
list of svn revision/s to grab.

Cheers

Dave
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e address@hidden
w phpgroupware.org
j address@hidden
sip address@hidden
       _            ____                    __        __             
 _ __ | |__  _ __  / ___|_ __ ___  _   _ _ _\ \      / /_ _ _ __ ___ 
| '_ \| '_ \| '_ \| |  _| '__/ _ \| | | | '_ \ \ /\ / / _` | '__/ _ \
| |_) | | | | |_) | |_| | | | (_) | |_| | |_) \ V  V / (_| | | |  __/
| .__/|_| |_| .__/ \____|_|  \___/ \__,_| .__/ \_/\_/ \__,_|_|  \___|
|_|         |_|                         |_|Web based collaboration platform
