Debian Bug report logs - #530271
CVE-2009-1732, CVE-2009-1733
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Sat, 23 May 2009 15:39:02 UTC
Severity: serious
Tags: security
Fixed in versions ipplan/4.91a-1.1, ipplan/4.86a-7+lenny1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Sat, 23 May 2009 15:39:04 GMT)
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Jan Wagner <waja@cyconet.org>.
(Sat, 23 May 2009 15:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ipplan
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ipplan.
CVE-2009-1732[0]:
| Cross-site scripting (XSS) vulnerability in admin/usermanager in IPlan
| 4.91a allows remote attackers to inject arbitrary web script or HTML
| via the grp parameter.
CVE-2009-1733[1]:
| Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows
| remote attackers to hijack the authentication of administrators for
| requests that (1) change the password, (2) add users, or (3) delete
| users via unknown vectors.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1732
http://security-tracker.debian.net/tracker/CVE-2009-1732
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1733
http://security-tracker.debian.net/tracker/CVE-2009-1733
http://holisticinfosec.org/content/view/113/45/
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#530271; Package ipplan.
(Sat, 23 May 2009 18:33:04 GMT)
Acknowledgement sent
to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list.
(Sat, 23 May 2009 18:33:04 GMT)
Message #10 received at 530271@bugs.debian.org:
Hi Giuseppe,
On Saturday 23 May 2009, Giuseppe Iuculano wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for ipplan.
>
> CVE-2009-1732[0]:
> | Cross-site scripting (XSS) vulnerability in admin/usermanager in IPlan
> | 4.91a allows remote attackers to inject arbitrary web script or HTML
> | via the grp parameter.
>
> CVE-2009-1733[1]:
> | Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows
> | remote attackers to hijack the authentication of administrators for
> | requests that (1) change the password, (2) add users, or (3) delete
> | users via unknown vectors.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
thanks for the notification. I already contacted upstream about the issue.
The problem is, I'm on vacation from 30th May till 12th Jun. So if I'm unable
to provide a solution in time, feel free to do an NMU.
With kind regards, Jan.
Information forwarded
to debian-bugs-dist@lists.debian.org, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Sat, 30 May 2009 11:54:05 GMT)
Acknowledgement sent
to Richard Ellerbrock <ipplan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jan Wagner <waja@cyconet.org>.
(Sat, 30 May 2009 11:54:05 GMT)
Message #15 received at 530271@bugs.debian.org:
Here is a patch that should also apply to 4.86a. Hope it addresses all
the issues - not quite sure.
2009/5/27 Jan Wagner <waja@cyconet.org>:
> Hi Richard,
>
> On Wednesday 27 May 2009, you wrote:
>> I have been away for a couple of weeks. Secunia gives a silly two
>> weeks to respond to a security advisory which I think is ridiculous.
>>
>> Anyway, these issues are not serious as both involve the usermanager
>> script. To execute this script (or the "exploit") you require the
>> admin password. If you know the admin password you don't need an
>> exploit to delete a user!
>>
>> I will work on a fix and release a new version asap.
>
> thanks for your answer. Could you maybe provide also a (backported) fix for
> 4.86a? A patch against 4.86a would be nice, cause this is the version we have
> in the stable Debian release[1] and it's not possible to upload new versions
> into stable.
>
> I'm on vacation the next 2 weeks beginning next weekend, so could you please
> send fixes/notifications also to 530271@bugs.debian.org, so anybody else can
> probably jump in and fix the bug in Debian.
>
> Thanks in advance. With kind regards, Jan.
> [1] http://security-tracker.debian.net/tracker/binary-package/ipplan
> --
> Never write mail to <waja@spamfalle.info>, you have been warned!
>
--
Richard Ellerbrock
[usermanager.patch (text/x-patch, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Tue, 23 Jun 2009 06:27:05 GMT)
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Jan Wagner <waja@cyconet.org>.
(Tue, 23 Jun 2009 06:27:05 GMT)
Message #20 received at 530271@bugs.debian.org:
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential xss issue. Why not use
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is prone to xss issues.
Also, as far as I understand it, the CSRF issue is very constructed and
doesn't offer an attack vector without having admin rights already, correct? I
have to admit that I don't understand that part of your patch there.
Cheers
Steffen
[xss.patch (text/x-patch, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Tue, 23 Jun 2009 22:15:10 GMT)
Acknowledgement sent
to Richard Ellerbrock <ipplan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jan Wagner <waja@cyconet.org>.
(Tue, 23 Jun 2009 22:15:10 GMT)
Message #25 received at 530271@bugs.debian.org:
The existing patch is correct - using htmlspecialchars will have the
effect of placing escaped strings in the database. It will also have
the effect of double escaping each time you edit a field.
My patch replaces the display template method block() which does not
escape with the text() method which uses htmlspecialchars internally.
See /ipplan/layout/class.layout
As for the length check. This was a potential, unrelated database
overflow I discovered during investigation of the xss issue - totally
unrelated.
As for the CSRF issue. It's so specific, too hard to fix (I might be
wrong here), requires admin rights with which you could delete a user
anyway and will potentially never get used in an application that has
such a focus and small user base. So this issue is not fixed.
I have checked the rest of IPplan and am fairly convinced that there
are no other block method issues. I will check again. Note that the
usermanager component was written by another developer (not me), thus
the potential for these types of issues.
2009/6/23 Steffen Joeris <steffen.joeris@skolelinux.de>:
> Hi Richard
>
> I am not sure about your patch.
> Setting a maximum length does not fix a potential xss issue. Why not use
> htmlspecialchars() to take care of escaping? I have attached a potential patch
> for that. Of course, it would be good to check the rest of the code as well
> and see whether it is prone to xss issues.
> Also, as far as I understand it, the CSRF issue is very constructed and
> doesn't offer an attack vector without having admin rights already, correct? I
> have to admit that I don't understand that part of your patch there.
>
> Cheers
> Steffen
>
--
Richard Ellerbrock
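The trade-off described in message #25, as an added example that is not part of the original thread or of IPplan's code: escaping on input stores entities and compounds on every edit, while storing the raw value and escaping on output stays stable. `render_block()`, `render_text()`, `browser_submit()` and the sample value are hypothetical stand-ins, and the edit form is assumed to escape values when it renders them.

```php
<?php
// Added illustration, not IPplan code. render_block() and render_text() are
// hypothetical stand-ins for the block() and text() template methods named in
// the message above; the sample value is constructed.

// Emits the string unchanged, so markup in stored data reaches the browser.
function render_block(string $s): string
{
    return $s;
}

// Escapes at output time, as the message says text() does internally.
function render_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Models the browser handing a form field back: entities are decoded once.
function browser_submit(string $fieldHtml): string
{
    return htmlspecialchars_decode($fieldHtml, ENT_QUOTES);
}

// Escape on input: the database holds entities, and every edit through a
// form that also escapes on output adds another layer.
function store_escaped(string $value, int $edits): string
{
    $stored = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    for ($i = 0; $i < $edits; $i++) {
        $resubmitted = browser_submit(render_text($stored));
        $stored = htmlspecialchars($resubmitted, ENT_QUOTES, 'UTF-8');
    }
    return $stored;
}

// Escape on output only: the database holds the raw value and edits are stable.
function store_raw(string $value, int $edits): string
{
    $stored = $value;
    for ($i = 0; $i < $edits; $i++) {
        $stored = browser_submit(render_text($stored));
    }
    return $stored;
}

$grpdescrip = 'Ops & "NOC" <b>team</b>'; // constructed sample input

foreach ([0, 1, 2] as $edits) {
    echo "edits=$edits escaped-on-input: ", store_escaped($grpdescrip, $edits), PHP_EOL;
    echo "edits=$edits raw in database:  ", store_raw($grpdescrip, $edits), PHP_EOL;
}

// With raw storage, the choice of template method decides what the page emits.
echo 'block(): ', render_block($grpdescrip), PHP_EOL;
echo 'text():  ', render_text($grpdescrip), PHP_EOL;
```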
Information forwarded
to debian-bugs-dist@lists.debian.org, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Sun, 05 Jul 2009 07:51:02 GMT)
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Jan Wagner <waja@cyconet.org>.
(Sun, 05 Jul 2009 07:51:02 GMT)
Message #30 received at 530271@bugs.debian.org:
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
> The existing patch is correct - using htmlspecialchars will have the
> effect of placing escaped strings in the database. It will also have
> the effect of double escaping each time you edit a field.
>
> My patch replaces the display template method block() which does not
> escape with the text() method which uses htmlspecialchars internally.
> See /ipplan/layout/class.layout
You are right, thanks for pointing this out.
> As for the length check. This was a potential, unrelated database
> overflow I discovered during investigation of the xss issue - totally
> unrelated.
Could you elaborate on this? Could this cause any issues security wise?
Cheers
Steffen
Information forwarded
to debian-bugs-dist@lists.debian.org, Jan Wagner <waja@cyconet.org>:
Bug#530271; Package ipplan.
(Mon, 06 Jul 2009 10:03:03 GMT)
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Jan Wagner <waja@cyconet.org>.
(Mon, 06 Jul 2009 10:03:03 GMT)
Message #35 received at 530271@bugs.debian.org:
Hi
Please find the NMU patch attached.
Cheers
Steffen
[xss.nmu (text/x-patch, attachment)]
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Mon, 06 Jul 2009 10:24:06 GMT)
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Mon, 06 Jul 2009 10:24:06 GMT)
Message #40 received at 530271-close@bugs.debian.org:
Source: ipplan
Source-Version: 4.91a-1.1
We believe that the bug you reported is fixed in the latest version of
ipplan, which is due to be installed in the Debian FTP archive:
ipplan_4.91a-1.1.diff.gz
to pool/main/i/ipplan/ipplan_4.91a-1.1.diff.gz
ipplan_4.91a-1.1.dsc
to pool/main/i/ipplan/ipplan_4.91a-1.1.dsc
ipplan_4.91a-1.1_all.deb
to pool/main/i/ipplan/ipplan_4.91a-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated ipplan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 06 Jul 2009 08:09:24 +0000
Source: ipplan
Binary: ipplan
Architecture: source all
Version: 4.91a-1.1
Distribution: unstable
Urgency: high
Maintainer: Jan Wagner <waja@cyconet.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
ipplan - web-based IP address manager and tracker
Closes: 530271
Changes:
ipplan (4.91a-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Fix cross-site scripting vulnerability, which can be exploited via
the userid, userdescrip, useremail, grp and grpdescrip parameters
(Closes: #530271)
Fixes: CVE-2009-1732
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Tue, 07 Jul 2009 02:24:02 GMT)
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Tue, 07 Jul 2009 02:24:03 GMT)
Message #45 received at 530271-close@bugs.debian.org:
Source: ipplan
Source-Version: 4.86a-7+lenny1
We believe that the bug you reported is fixed in the latest version of
ipplan, which is due to be installed in the Debian FTP archive:
ipplan_4.86a-7+lenny1.diff.gz
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.diff.gz
ipplan_4.86a-7+lenny1.dsc
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.dsc
ipplan_4.86a-7+lenny1_all.deb
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated ipplan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 06 Jul 2009 09:40:57 +0000
Source: ipplan
Binary: ipplan
Architecture: source all
Version: 4.86a-7+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jan Wagner <waja@cyconet.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
ipplan - web-based IP address manager and tracker
Closes: 530271
Changes:
ipplan (4.86a-7+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix cross-site scripting vulnerability, which can be exploited via
the userid, userdescrip, grp and grpdescrip parameters
(Closes: #530271)
Fixes: CVE-2009-1732
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Fri, 04 Sep 2009 19:09:10 GMT)
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Fri, 04 Sep 2009 19:09:11 GMT)
Message #50 received at 530271-close@bugs.debian.org:
Source: ipplan
Source-Version: 4.86a-7+lenny1
We believe that the bug you reported is fixed in the latest version of
ipplan, which is due to be installed in the Debian FTP archive:
ipplan_4.86a-7+lenny1.diff.gz
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.diff.gz
ipplan_4.86a-7+lenny1.dsc
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.dsc
ipplan_4.86a-7+lenny1_all.deb
to pool/main/i/ipplan/ipplan_4.86a-7+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated ipplan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 06 Jul 2009 09:40:57 +0000
Source: ipplan
Binary: ipplan
Architecture: source all
Version: 4.86a-7+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jan Wagner <waja@cyconet.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
ipplan - web-based IP address manager and tracker
Closes: 530271
Changes:
ipplan (4.86a-7+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix cross-site scripting vulnerability, which can be exploited via
the userid, userdescrip, grp and grpdescrip parameters
(Closes: #530271)
Fixes: CVE-2009-1732
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 03 Oct 2009 07:43:58 GMT)
Last modified: Mon Oct 9 07:34:17 2023