Debian Bug report logs - #301118
phpsysinfo: Various full path disclosure and cross-site-scripting issues

version graph

Package: phpsysinfo; Maintainer for phpsysinfo is Bjoern Boschman <bjoern@boschman.de>; Source for phpsysinfo is src:phpsysinfo.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 23 Mar 2005 21:33:02 UTC

Severity: grave

Tags: security

Fixed in version phpsysinfo/2.3-3

Done: Frederik Schüler <fschueler@gmx.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Frederik Schüler <fschueler@gmx.net>:
Bug#301118; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Frederik Schüler <fschueler@gmx.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpsysinfo: Various full path disclosure and cross-site-scripting issues
Date: Wed, 23 Mar 2005 22:18:56 +0100
Package: phpsysinfo
Severity: important
Tags: security

Maksymilian Arciemowicz from securityreason.com reported several full path
disclosure and XSS issues in phpsysinfo. I'm copying the verbose advisory
below as it doesn't appear on the website yet. It contains a link to a 
website with fixed sources.

Cheers,
        Moritz

- --- 0.Description ---
PHPSysInfo 2.3 is a customizable PHP Script that parses /proc, and formats information nicely. It will display information about+system facts like Uptime, CPU, Memory, PCI devices, SCSI devices, IDE devices, Network adapters, Disk usage, and more.


- --- 1. Full Path Disclosure ---
1.0
http://[host]/[DIR]/includes/os/class.OpenBSD.inc.php
Error message :
- ---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in
+/www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22

Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in
+/www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22
- ---------------

1.1
http://[host]/[DIR]/includes/os/class.NetBSD.inc.php

Error message :
- ---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in
+/www/phpsysinfo-dev/includes/os/class.NetBSD.inc.php on line 22

Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in
+/www/phpsysinfo-dev/includes/os/class.NetBSD.inc.php on line 22
- ---------------

1.2
http://[host]/[DIR]/includes/os/class.FreeBSD.inc.php

Error message :
- ---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in
+/www/phpsysinfo-dev/includes/os/class.FreeBSD.inc.php on line 22

Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in
+/www/phpsysinfo-dev/includes/os/class.FreeBSD.inc.php on line 22
- ---------------

1.3
http://[host]/[DIR]/includes/os/class.Darwin.inc.php

Error message :
- ---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in
+/www/phpsysinfo-dev/includes/os/class.Darwin.inc.php on line 22

Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in
+/www/phpsysinfo-dev/includes/os/class.Darwin.inc.php on line 22
- ---------------

1.4
http://[host]/[DIR]/includes/XPath.class.php

Error message :
- ---------------
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 5056

Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 5056

Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 5056

...

Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 4974

Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 4974

Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on
+line 4974
- ---------------


1.5
http://[host]/[DIR]/includes/system_header.php

Error message :
- ---------------
Fatal error: Call to undefined function created_by() in /www/phpsysinfo-dev/includes/system_header.php on line 39
- ---------------

1.6
http://[host]/[DIR]/includes/system_footer.php

Error message :
- ---------------
Warning: opendir(templates/) [function.opendir]: failed to open dir: No such file or directory in
+/www/phpsysinfo-dev/includes/system_footer.php on line 21

Warning: readdir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on
+line 22

Warning: closedir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on
+line 27

Warning: asort() expects parameter 1 to be array, null given in /www/phpsysinfo-dev/includes/system_footer.php on line 29

Warning: Variable passed to each() is not an array or object in /www/phpsysinfo-dev/includes/system_footer.php on line 31

Warning: opendir(includes/lang/) [function.opendir]: failed to open dir: No such file or directory in
+/www/phpsysinfo-dev/includes/system_footer.php on line 53

Warning: readdir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on
+line 54

Warning: closedir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on
+line 59

Warning: asort() expects parameter 1 to be array, null given in /www/phpsysinfo-dev/includes/system_footer.php on line 61

Warning: Variable passed to each() is not an array or object in /www/phpsysinfo-dev/includes/system_footer.php on line 63
- ---------------


- --- 2. XSS aka Cross Site Scripting ---
if register_globals=On :

2.0
http://[host]/[DIR]/index.php?sensor_program=[XSS]

2.1

http://[host]/[DIR]/includes/system_footer.php?text[language]=">[XSS]

http://[host]/[DIR]/includes/system_footer.php?text[template]=">[XSS]

http://[host]/[DIR]/includes/system_footer.php?hide_picklist=cXIb8O3&VERSION=<iframe src=http://securityreason.com>

etc.


- --- 3. How to fix ---

Download my patch.
http://securityreason.com/patch/phpSysInfo-2.3.patch.by.cXIb8O3.tar.gz

- --- 4. Greets ---

sp3x.

good adv.. => coming soon....

- --- 5.Contact ---
Author: Maksymilian Arciemowicz ( cXIb8O3 )
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://www.securityreason.com

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>:
Bug#301118; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>. Full text and rfc822 format available.

Message #10 received at 301118@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 301118@bugs.debian.org
Subject: Re: Bug#301118: phpsysinfo: Various full path disclosure and cross-site-scripting issues
Date: Wed, 23 Mar 2005 21:55:58 +0000
On Wed, Mar 23, 2005 at 10:18:56PM +0100, Moritz Muehlenhoff wrote:
> Package: phpsysinfo
> Severity: important
> Tags: security
> 
> Maksymilian Arciemowicz from securityreason.com reported several full path
> disclosure and XSS issues in phpsysinfo. I'm copying the verbose advisory
> below as it doesn't appear on the website yet. 

> It contains a link to a website with fixed sources.

  The fixed link is a full source distribution, rather than a context
 diff.

  But I can confirm that woody is vulnerable to these issues.

Steve
--



Severity set to `grave'. Request was from Frederik Schueler <fs@lowpingbastards.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>:
Bug#301118; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Peter Thomassen <info@peter-thomassen.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>. Full text and rfc822 format available.

Message #17 received at 301118@bugs.debian.org (full text, mbox):

From: Peter Thomassen <info@peter-thomassen.de>
To: 301118@bugs.debian.org
Subject: Why is this a problem?
Date: Tue, 29 Mar 2005 22:10:38 +0200
[Message part 1 (text/plain, inline)]
Why is this a (grave) problem? Everybody can find out where dpkg installs 
phpsysinfo anyway.
-- 
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • info@peter-thomassen.de
               fon +49-931-2705351 • mobile +49-160-6789161
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>:
Bug#301118; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>. Full text and rfc822 format available.

Message #22 received at 301118@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 301118@bugs.debian.org
Subject: why this bug is grave
Date: Wed, 30 Mar 2005 20:43:11 -1000
[Message part 1 (text/plain, inline)]
This bug is grave because of the XSS issues, at least.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>:
Bug#301118; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Frederik Schueler <fs@lowpingbastards.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>. Full text and rfc822 format available.

Message #27 received at 301118@bugs.debian.org (full text, mbox):

From: Frederik Schueler <fs@lowpingbastards.de>
To: control@bugs.debian.org, 301118@bugs.debian.org
Subject: pending upload
Date: Thu, 31 Mar 2005 09:16:08 +0200
[Message part 1 (text/plain, inline)]
tags 301118 pending
thanks

Hello,

I asked my sponsor to upload a new version to sid, and provided a patch
for the woody version to the security team. 

Updated sid/sarge packages can be found here:

deb[-src] http://213.178.77.236/phpsysinfo/ ./

the debdiff for phpsysinfo 2.0 (woody version) is attached.

Kind regards
Frederik Schueler

-- 
ENOSIG
[woody.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Frederik Schueler <fs@lowpingbastards.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Frederik Schüler <fschueler@gmx.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #34 received at 301118-close@bugs.debian.org (full text, mbox):

From: Frederik Schüler <fschueler@gmx.net>
To: 301118-close@bugs.debian.org
Subject: Bug#301118: fixed in phpsysinfo 2.3-3
Date: Tue, 05 Apr 2005 18:48:18 -0400
Source: phpsysinfo
Source-Version: 2.3-3

We believe that the bug you reported is fixed in the latest version of
phpsysinfo, which is due to be installed in the Debian FTP archive:

phpsysinfo_2.3-3.diff.gz
  to pool/main/p/phpsysinfo/phpsysinfo_2.3-3.diff.gz
phpsysinfo_2.3-3.dsc
  to pool/main/p/phpsysinfo/phpsysinfo_2.3-3.dsc
phpsysinfo_2.3-3_all.deb
  to pool/main/p/phpsysinfo/phpsysinfo_2.3-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 301118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederik Schüler <fschueler@gmx.net> (supplier of updated phpsysinfo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Mar 2005 11:11:03 +0200
Source: phpsysinfo
Binary: phpsysinfo
Architecture: source all
Version: 2.3-3
Distribution: unstable
Urgency: high
Maintainer: Frederik Schüler <fschueler@gmx.net>
Changed-By: Frederik Schüler <fschueler@gmx.net>
Description: 
 phpsysinfo - PHP based host information
Closes: 297674 301118
Changes: 
 phpsysinfo (2.3-3) unstable; urgency=high
 .
   * Urgency: high because this release fixes a security issue.
   * Added xss.diff top fix cross-site-scripting security bug, closes: #301118
   * Adapted dependencies list, closes: #297674
   * Added setini.diff to ensure register_globals and magic_quotes_runtime are
     disabled.
Files: 
 abc1e082d2b4b4e6a266f517a9a76714 584 web optional phpsysinfo_2.3-3.dsc
 05c70f020423b9b2c605d9df1591a45b 7929 web optional phpsysinfo_2.3-3.diff.gz
 46584cb50c1bfd89f1535b720039e731 164390 web optional phpsysinfo_2.3-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCUxU12tp5zXiKP0wRAuFNAJ4l8rDwLm9XmTjJBokt8OU22L33KwCfbrRG
v47sfmWOY47KQLwZvY2Piao=
=jUui
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 07:33:46 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.