Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Frederik Schüler <fschueler@gmx.net>: Bug#301118; Package phpsysinfo.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Frederik Schüler <fschueler@gmx.net>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpsysinfo: Various full path disclosure and cross-site-scripting issues
Date: Wed, 23 Mar 2005 22:18:56 +0100
Package: phpsysinfo
Severity: important
Tags: security
Maksymilian Arciemowicz from securityreason.com reported several full path
disclosure and XSS issues in phpsysinfo. I'm copying the verbose advisory
below as it doesn't appear on the website yet. It contains a link to a
website with fixed sources.
Cheers,
Moritz
--- 0. Description ---
PHPSysInfo 2.3 is a customizable PHP Script that parses /proc, and formats information nicely. It will display information about system facts like Uptime, CPU, Memory, PCI devices, SCSI devices, IDE devices, Network adapters, Disk usage, and more.
--- 1. Full Path Disclosure ---
1.0
http://[host]/[DIR]/includes/os/class.OpenBSD.inc.php
Error message :
---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in /www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22
Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in /www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22
---------------
1.1
http://[host]/[DIR]/includes/os/class.NetBSD.inc.php
Error message :
---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in /www/phpsysinfo-dev/includes/os/class.NetBSD.inc.php on line 22
Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in /www/phpsysinfo-dev/includes/os/class.NetBSD.inc.php on line 22
---------------
1.2
http://[host]/[DIR]/includes/os/class.FreeBSD.inc.php
Error message :
---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in /www/phpsysinfo-dev/includes/os/class.FreeBSD.inc.php on line 22
Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in /www/phpsysinfo-dev/includes/os/class.FreeBSD.inc.php on line 22
---------------
1.3
http://[host]/[DIR]/includes/os/class.Darwin.inc.php
Error message :
---------------
Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: failed to open stream: No such file or directory in /www/phpsysinfo-dev/includes/os/class.Darwin.inc.php on line 22
Fatal error: main() [function.require]: Failed opening required './includes/os/class.BSD.common.inc.php' (include_path='.:') in /www/phpsysinfo-dev/includes/os/class.Darwin.inc.php on line 22
---------------
1.4
http://[host]/[DIR]/includes/XPath.class.php
Error message :
---------------
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 5056
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 5056
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 5056
...
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 4974
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 4974
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /www/phpsysinfo-dev/includes/XPath.class.php on line 4974
---------------
1.5
http://[host]/[DIR]/includes/system_header.php
Error message :
---------------
Fatal error: Call to undefined function created_by() in /www/phpsysinfo-dev/includes/system_header.php on line 39
---------------
1.6
http://[host]/[DIR]/includes/system_footer.php
Error message :
---------------
Warning: opendir(templates/) [function.opendir]: failed to open dir: No such file or directory in /www/phpsysinfo-dev/includes/system_footer.php on line 21
Warning: readdir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on line 22
Warning: closedir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on line 27
Warning: asort() expects parameter 1 to be array, null given in /www/phpsysinfo-dev/includes/system_footer.php on line 29
Warning: Variable passed to each() is not an array or object in /www/phpsysinfo-dev/includes/system_footer.php on line 31
Warning: opendir(includes/lang/) [function.opendir]: failed to open dir: No such file or directory in /www/phpsysinfo-dev/includes/system_footer.php on line 53
Warning: readdir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on line 54
Warning: closedir(): supplied argument is not a valid Directory resource in /www/phpsysinfo-dev/includes/system_footer.php on line 59
Warning: asort() expects parameter 1 to be array, null given in /www/phpsysinfo-dev/includes/system_footer.php on line 61
Warning: Variable passed to each() is not an array or object in /www/phpsysinfo-dev/includes/system_footer.php on line 63
---------------
--- 2. XSS aka Cross Site Scripting ---
if register_globals=On :
2.0
http://[host]/[DIR]/index.php?sensor_program=[XSS]
2.1
http://[host]/[DIR]/includes/system_footer.php?text[language]=">[XSS]
http://[host]/[DIR]/includes/system_footer.php?text[template]=">[XSS]
http://[host]/[DIR]/includes/system_footer.php?hide_picklist=cXIb8O3&VERSION=<iframe src=http://securityreason.com>
etc.
--- 3. How to fix ---
Download my patch.
http://securityreason.com/patch/phpSysInfo-2.3.patch.by.cXIb8O3.tar.gz
--- 4. Greets ---
sp3x.
good adv.. => coming soon....
--- 5. Contact ---
Author: Maksymilian Arciemowicz ( cXIb8O3 )
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://www.securityreason.com
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
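The two issue classes in the advisory above can be confirmed from saved HTTP responses without touching the target again. The following Python is an added example for this bug page, not phpsysinfo code and not the reporter's tooling. It extracts the absolute paths leaked by PHP warnings and fatal errors (with or without the `<b>` markup PHP adds when html_errors is on), works out which filesystem directory the requested URL prefix maps to, which is the part of a path disclosure that matters for later traversal or inclusion attempts elsewhere on a host, and classifies whether a canary sent in a register_globals-exposed parameter came back unescaped. The sample bodies are constructed from the error text in the advisory; the canary string and all function names are mine.

```python
"""Check saved HTTP responses for PHP path disclosure and reflected
input.  Added example for Debian bug #301118; not phpsysinfo code.
Sample bodies below are constructed from the advisory's error text."""
from __future__ import annotations

import re
from html import escape

# A PHP warning/fatal error, with or without html_errors <b> markup:
# "... in /abs/path/file.php on line 22"
PHP_ERROR_PATH = re.compile(
    r"\b(?:Warning|Fatal error|Notice|Parse error)\b[^\n]*?"
    r"\bin (?:<b>)?(/[^\s<]+)(?:</b>)? on line (?:<b>)?(\d+)"
)


def disclosed_paths(body: str) -> list[tuple[str, int]]:
    """Unique (absolute path, line) pairs leaked by PHP errors, in order."""
    found: list[tuple[str, int]] = []
    for path, line in PHP_ERROR_PATH.findall(body):
        item = (path, int(line))
        if item not in found:
            found.append(item)
    return found


def infer_install_root(url_path: str, fs_path: str) -> tuple[str, str] | None:
    """Map the requested URL prefix to the real install directory.

    The leaked path ends with the same components as the URL
    (includes/os/class.OpenBSD.inc.php); stripping that common suffix
    leaves the web prefix and the filesystem directory it serves.
    Returns None when the two share no trailing component.
    """
    u = [p for p in url_path.split("/") if p]
    f = [p for p in fs_path.split("/") if p]
    n = 0
    while n < min(len(u), len(f)) and u[-1 - n] == f[-1 - n]:
        n += 1
    if n == 0:
        return None
    return ("/" + "/".join(u[: len(u) - n]), "/" + "/".join(f[: len(f) - n]))


def classify_reflection(body: str, canary: str) -> str:
    """'unescaped' if the canary came back verbatim, 'escaped' if only its
    HTML-escaped form is present, 'absent' otherwise."""
    if not set(canary) & set('<>"\'&'):
        raise ValueError("canary needs a character that HTML escaping alters")
    if canary in body:
        return "unescaped"
    if escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


# --- constructed samples: plain-text errors plus one html_errors variant ---
SAMPLE_FPD_RESPONSE = (
    "Warning: main(./includes/os/class.BSD.common.inc.php) [function.main]: "
    "failed to open stream: No such file or directory in "
    "/www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22\n"
    "Fatal error: main() [function.require]: Failed opening required "
    "'./includes/os/class.BSD.common.inc.php' (include_path='.:') in "
    "/www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php on line 22\n"
    "<b>Warning</b>:  array_merge() [function.array-merge]: Argument #2 is not "
    "an array in <b>/www/phpsysinfo-dev/includes/XPath.class.php</b> on line "
    "<b>5056</b><br />\n"
)

CANARY = '"><qz9x>'  # arbitrary marker (my own), not a working payload
SAMPLE_XSS_RESPONSE = f'<input type="hidden" name="text[language]" value="{CANARY}">'
SAMPLE_FIXED_RESPONSE = (
    f'<input type="hidden" name="text[language]" value="{escape(CANARY, quote=True)}">'
)

if __name__ == "__main__":
    for path, line in disclosed_paths(SAMPLE_FPD_RESPONSE):
        print(f"leaked: {path}:{line}")
    print(infer_install_root("/phpsysinfo/includes/os/class.OpenBSD.inc.php",
                             "/www/phpsysinfo-dev/includes/os/class.OpenBSD.inc.php"))
    print(classify_reflection(SAMPLE_XSS_RESPONSE, CANARY),
          classify_reflection(SAMPLE_FIXED_RESPONSE, CANARY))
```

The canary deliberately contains `"` and `>`, so a body that escaped it shows up as `&quot;&gt;...` and is classified as such rather than as a miss; a canary of plain letters would always "reflect" and prove nothing.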
Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>: Bug#301118; Package phpsysinfo.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>.
To: Moritz Muehlenhoff <jmm@inutil.org>, 301118@bugs.debian.org
Subject: Re: Bug#301118: phpsysinfo: Various full path disclosure and cross-site-scripting issues
Date: Wed, 23 Mar 2005 21:55:58 +0000
On Wed, Mar 23, 2005 at 10:18:56PM +0100, Moritz Muehlenhoff wrote:
> Package: phpsysinfo
> Severity: important
> Tags: security
>
> Maksymilian Arciemowicz from securityreason.com reported several full path
> disclosure and XSS issues in phpsysinfo. I'm copying the verbose advisory
> below as it doesn't appear on the website yet.
> It contains a link to a website with fixed sources.
The fixed link is a full source distribution, rather than a context
diff.
But I can confirm that woody is vulnerable to these issues.
Steve
--
Severity set to `grave'.
Request was from Frederik Schueler <fs@lowpingbastards.de>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>: Bug#301118; Package phpsysinfo.
Acknowledgement sent to Peter Thomassen <info@peter-thomassen.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>.
Why is this a (grave) problem? Everybody can find out where dpkg installs
phpsysinfo anyway.
--
Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
http://www.peter-thomassen.de/ • info@peter-thomassen.de
fon +49-931-2705351 • mobile +49-160-6789161
Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>: Bug#301118; Package phpsysinfo.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>.
Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fschueler@gmx.net>: Bug#301118; Package phpsysinfo.
Acknowledgement sent to Frederik Schueler <fs@lowpingbastards.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fschueler@gmx.net>.
tags 301118 pending
thanks
Hello,
I asked my sponsor to upload a new version to sid, and provided a patch
for the woody version to the security team.
Updated sid/sarge packages can be found here:
deb[-src] http://213.178.77.236/phpsysinfo/ ./
the debdiff for phpsysinfo 2.0 (woody version) is attached.
Kind regards
Frederik Schueler
--
ENOSIG
Source: phpsysinfo
Source-Version: 2.3-3
We believe that the bug you reported is fixed in the latest version of
phpsysinfo, which is due to be installed in the Debian FTP archive:
phpsysinfo_2.3-3.diff.gz
to pool/main/p/phpsysinfo/phpsysinfo_2.3-3.diff.gz
phpsysinfo_2.3-3.dsc
to pool/main/p/phpsysinfo/phpsysinfo_2.3-3.dsc
phpsysinfo_2.3-3_all.deb
to pool/main/p/phpsysinfo/phpsysinfo_2.3-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 301118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frederik Schüler <fschueler@gmx.net> (supplier of updated phpsysinfo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 29 Mar 2005 11:11:03 +0200
Source: phpsysinfo
Binary: phpsysinfo
Architecture: source all
Version: 2.3-3
Distribution: unstable
Urgency: high
Maintainer: Frederik Schüler <fschueler@gmx.net>
Changed-By: Frederik Schüler <fschueler@gmx.net>
Description:
phpsysinfo - PHP based host information
Closes: 297674 301118
Changes:
phpsysinfo (2.3-3) unstable; urgency=high
.
* Urgency: high because this release fixes a security issue.
* Added xss.diff to fix cross-site-scripting security bug, closes: #301118
* Adapted dependencies list, closes: #297674
* Added setini.diff to ensure register_globals and magic_quotes_runtime are
disabled.
Files:
abc1e082d2b4b4e6a266f517a9a76714 584 web optional phpsysinfo_2.3-3.dsc
05c70f020423b9b2c605d9df1591a45b 7929 web optional phpsysinfo_2.3-3.diff.gz
46584cb50c1bfd89f1535b720039e731 164390 web optional phpsysinfo_2.3-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCUxU12tp5zXiKP0wRAuFNAJ4l8rDwLm9XmTjJBokt8OU22L33KwCfbrRG
v47sfmWOY47KQLwZvY2Piao=
=jUui
-----END PGP SIGNATURE-----
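The changelog above says the fixed package forces register_globals and magic_quotes_runtime off; the advisory's XSS entries only apply when register_globals is on, and the path disclosures depend on display_errors being on. What setini.diff itself does is not on this page, so the following Python is an added example that audits the resulting configuration rather than reproducing the patch: it parses php.ini lines and per-directory Apache `php_flag`/`php_value` directives, applies PHP's own truthiness rules for ini booleans (true/yes/on or a non-zero leading integer are on; off/no/none/empty are off), and reports any of the three directives that is on or left implicit. It is not Debian's or phpsysinfo's code; the sample configuration fragments are constructed.

```python
"""Audit PHP configuration for register_globals, magic_quotes_runtime and
display_errors.  Added example for Debian bug #301118, not part of the
phpsysinfo package or of setini.diff.  Sample inputs are constructed."""
from __future__ import annotations

import re

MUST_BE_OFF = ("register_globals", "magic_quotes_runtime", "display_errors")

# php.ini:  key = value   ; optional trailing comment
INI_LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*(?:;.*)?$")
# .htaccess / httpd.conf:  php_flag key value   (php_admin_* is httpd.conf only)
APACHE_LINE = re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+(\S+)\s+(\S+)", re.I)


def php_ini_bool(value: str) -> bool:
    """Truthiness PHP applies to an ini value (zend_ini_parse_bool):
    true/yes/on are on; otherwise atoi() of the value, non-zero is on."""
    v = value.strip().strip("\"'").lower()
    if v in ("true", "yes", "on"):
        return True
    m = re.match(r"-?\d+", v)
    return bool(m) and int(m.group(0)) != 0


def effective_settings(php_ini: str, apache_conf: str = "") -> dict[str, bool]:
    """Per-directory Apache directives override php.ini, so apply them last."""
    settings: dict[str, bool] = {}
    for line in php_ini.splitlines():
        if line.lstrip().startswith((";", "[")):   # comment or section header
            continue
        m = INI_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = php_ini_bool(m.group(2))
    for line in apache_conf.splitlines():
        m = APACHE_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = php_ini_bool(m.group(2))
    return settings


def audit(php_ini: str, apache_conf: str = "") -> list[str]:
    """One finding per MUST_BE_OFF directive that is on or not set at all."""
    eff = effective_settings(php_ini, apache_conf)
    findings: list[str] = []
    for key in MUST_BE_OFF:
        if key not in eff:
            findings.append(f"{key}: not set explicitly, engine default applies")
        elif eff[key]:
            findings.append(f"{key}: On")
    return findings


# constructed inputs: a php.ini in the state the advisory needs, and a
# per-directory override an administrator could drop next to the scripts
SAMPLE_PHP_INI = """\
; constructed php.ini fragment
[PHP]
register_globals = On      ; kept for old scripts
magic_quotes_runtime = Off
display_errors = On
"""
SAMPLE_HTACCESS = """\
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag display_errors off
"""

if __name__ == "__main__":
    print("php.ini only:", audit(SAMPLE_PHP_INI))
    print("with .htaccess:", audit(SAMPLE_PHP_INI, SAMPLE_HTACCESS))
```

A directive that is absent from both sources is reported too, because the engine default then decides the behaviour and an audit should not assume which PHP build and which shipped php.ini are in use.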
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.