Debian Bug report logs - #595248
Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5


Package: nusoap; Maintainer for nusoap is PKG-PHP-PEAR team <pkg-php-pear@lists.alioth.debian.org>;

Reported by: David Hicks <hickseydr@optusnet.com.au>

Date: Thu, 2 Sep 2010 13:03:01 UTC

Owned by: olivier.berger@it-sudparis.eu

Severity: serious

Tags: patch, security

Found in versions 0.9.5-1, 0.7.3-3

Fixed in version 0.7.3-4

Done: Thomas Goirand <thomas@goirand.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Olivier Berger <olivier.berger@it-sudparis.eu>, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Thu, 02 Sep 2010 13:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Hicks <hickseydr@optusnet.com.au>:
New Bug report received and forwarded. Copy sent to Olivier Berger <olivier.berger@it-sudparis.eu>, olivier.berger@it-sudparis.eu. (Thu, 02 Sep 2010 13:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: David Hicks <hickseydr@optusnet.com.au>
To: submit@bugs.debian.org
Subject: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
Date: Thu, 02 Sep 2010 23:00:40 +1000
Package: nusoap
Version: 0.9.5-1
Owner: olivier.berger@it-sudparis.eu
Tags: security

Bogdan Calin of Acunetix discovered some cross site scripting
vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of
PHP_SELF. This is an issue because of potentially malicious URLs being
constructed along the lines of:

http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E

In such an event, NuSOAP will print a WSDL output page (service
description) containing the maliciously crafted URL.

An upstream bug report exists at
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
and a preliminary patch has been provided by the MantisBT project (which
bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
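
The failure mode reported above, next to the output-encoding fix, as an added example that is not NuSOAP's code nor any of the patches attached to this bug. The function names and the HTML fragment are hypothetical, and `php_self_for()` only approximates how PHP derives `PHP_SELF` (script name plus trailing path info, percent-decoded).

```php
<?php
// Added illustration; none of these functions exist in NuSOAP.

/** Approximate $_SERVER['PHP_SELF'] for a request path (assumption: decoded path). */
function php_self_for(string $requestPath): string
{
    return rawurldecode($requestPath);
}

/** 'Before' form: the endpoint path is copied into the HTML page as-is. */
function service_link_unescaped(string $phpSelf): string
{
    return '<a href="' . $phpSelf . '?wsdl">WSDL</a>';
}

/** Hardened form: encode for the HTML context at the point of output. */
function service_link_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '?wsdl">WSDL</a>';
}

/** Regression check: true if HTML metacharacters from the request reach the page raw. */
function reflects_raw(string $html, string $phpSelf): bool
{
    $hasMeta = strpbrk($phpSelf, '<>"\'') !== false;
    return $hasMeta && strpos($html, $phpSelf) !== false;
}

// Request paths: the first is the one quoted in this report, the second is a
// constructed benign request for comparison.
$paths = [
    '/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E',
    '/soapserver.php',
];

foreach ($paths as $path) {
    $self = php_self_for($path);
    printf(
        "%s\n  unescaped reflects raw markup: %s\n  escaped reflects raw markup:   %s\n",
        $path,
        var_export(reflects_raw(service_link_unescaped($self), $self), true),
        var_export(reflects_raw(service_link_escaped($self), $self), true)
    );
}
```

Only the unescaped renderer reports `true` for the first path; the benign path is untouched by either renderer, so the escaping costs nothing for legitimate requests.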





Information forwarded to debian-bugs-dist@lists.debian.org, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Fri, 03 Sep 2010 13:39:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to olivier.berger@it-sudparis.eu. (Fri, 03 Sep 2010 13:39:19 GMT) Full text and rfc822 format available.

Message #10 received at 595248@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: David Hicks <hickseydr@optusnet.com.au>, 595248@bugs.debian.org
Cc: 595248@bugs.debian.org
Subject: Re: Bug#595248: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
Date: Fri, 03 Sep 2010 15:37:59 +0200
Hi.

Thanks for reporting this.

After a quick analysis, I tend to believe that users of the standard PHP
5.3 apache module packages with "suhosin.server.strip On" are safe : the
%3C and likes are converted to question marks ('?').

Still, this deserves some fixing.

Any comments or help welcome.

Best regards,

On Thursday 2 September 2010 at 23:00 +1000, David Hicks wrote:

> Bogdan Calin of Acunetix discovered some cross site scripting
> vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of
> PHP_SELF. This is an issue because of potentially malicious URLs being
> constructed along the lines of:
> 
> http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E
> 
> In such an event, NuSOAP will print a WSDL output page (service
> description) containing the maliciously crafted URL.
> 
> An upstream bug report exists at
> http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
> and a preliminary patch has been provided by the MantisBT project (which
> bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
> 
> 
> 

-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





Information forwarded to debian-bugs-dist@lists.debian.org, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Fri, 03 Sep 2010 14:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to olivier.berger@it-sudparis.eu. (Fri, 03 Sep 2010 14:57:03 GMT) Full text and rfc822 format available.

Message #15 received at 595248@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: 595248@bugs.debian.org, "control@bugs.debian.org" <control@bugs.debian.org>
Subject: Re: Bug#595248: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
Date: Fri, 03 Sep 2010 16:53:15 +0200
[Message part 1 (text/plain, inline)]
tags 595248 + patch
thanks

Hi.

On Friday 3 September 2010 at 15:37 +0200, Olivier Berger wrote:

> After a quick analysis, I tend to believe that users of the standard PHP
> 5.3 apache module packages with "suhosin.server.strip On" are safe : the
> %3C and likes are converted to question marks ('?').
> 
> Still, this deserves some fixing.
> 
> > An upstream bug report exists at
> > http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
> > and a preliminary patch has been provided by the MantisBT project (which
> > bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
> > 
> > 
> > 
> 

I'm not so sure the whole of the patch proposed by the Mantis team is
completely justified, and here's another alternative (shorter but
sufficient I think). Still waiting for some opinion of upstream on this.

Any comments ?

Best regards,
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
[595248.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Fri, 03 Sep 2010 14:57:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Sat, 04 Sep 2010 15:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to olivier.berger@it-sudparis.eu. (Sat, 04 Sep 2010 15:00:03 GMT) Full text and rfc822 format available.

Message #22 received at 595248@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: 595248@bugs.debian.org, "control@bugs.debian.org" <control@bugs.debian.org>
Subject: Re: Bug#595248: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
Date: Sat, 04 Sep 2010 16:56:21 +0200
[Message part 1 (text/plain, inline)]
found 595248 0.7.3-3
tags 595248 + pending
thanks

On Friday 3 September 2010 at 16:53 +0200, Olivier Berger wrote:

> I'm not so sure the whole of the patch proposed by the Mantis team is
> completely justified, and here's another alternative (shorter but
> sufficient I think). Still waiting for some opinion of upstream on this.
> 
> Any comments ?
> 

There's even a shorter version of the patch, provided by Raphael
Geissert (attached).

I've asked the security team to upload an updated 0.7.3 package for
squeeze/testing-security, and I'll prepare a version for 0.9.5 for
unstable.

Best regards,
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
[595248.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug Marked as found in versions 0.7.3-3. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Sat, 04 Sep 2010 15:00:08 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Sat, 04 Sep 2010 15:00:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Sat, 04 Sep 2010 17:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to olivier.berger@it-sudparis.eu. (Sat, 04 Sep 2010 17:15:04 GMT) Full text and rfc822 format available.

Message #31 received at 595248@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: 595248@bugs.debian.org
Subject: Re: Bug#595248: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
Date: Sat, 04 Sep 2010 19:13:32 +0200
On Saturday 4 September 2010 at 16:56 +0200, Olivier Berger wrote:

> I've asked the security team to upload an updated 0.7.3 package for
> squeeze/testing-security, and I'll prepare a version for 0.9.5 for
> unstable.
> 

FYI, the 0.9.5-2 package including the same fix is ready in :
        - URL: http://mentors.debian.net/debian/pool/main/n/nusoap
        - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
        - dget http://mentors.debian.net/debian/pool/main/n/nusoap/nusoap_0.9.5-2.dsc
                
waiting for someone to sponsor it.

Best regards,
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





Information forwarded to debian-bugs-dist@lists.debian.org, Olivier Berger <olivier.berger@it-sudparis.eu>, olivier.berger@it-sudparis.eu:
Bug#595248; Package nusoap. (Sun, 05 Sep 2010 18:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Olivier Berger <olivier.berger@it-sudparis.eu>, olivier.berger@it-sudparis.eu. (Sun, 05 Sep 2010 18:45:03 GMT) Full text and rfc822 format available.

Message #36 received at 595248@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 595248@bugs.debian.org
Cc: control@bugs.debian.org
Subject: re: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP
Date: Sun, 5 Sep 2010 14:41:51 -0400
severity 595248 serious
thanks

raising severity.  this should be fixed before squeeze releases.
thanks.

mike




Severity set to 'serious' from 'normal' Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 05 Sep 2010 18:45:06 GMT) Full text and rfc822 format available.

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 06 Sep 2010 12:48:12 GMT) Full text and rfc822 format available.

Notification sent to David Hicks <hickseydr@optusnet.com.au>:
Bug acknowledged by developer. (Mon, 06 Sep 2010 12:48:12 GMT) Full text and rfc822 format available.

Message #43 received at 595248-close@bugs.debian.org (full text, mbox):

From: Thomas Goirand <zigo@debian.org>
To: 595248-close@bugs.debian.org
Subject: Bug#595248: fixed in nusoap 0.7.3-4
Date: Mon, 06 Sep 2010 12:47:15 +0000
Source: nusoap
Source-Version: 0.7.3-4

We believe that the bug you reported is fixed in the latest version of
nusoap, which is due to be installed in the Debian FTP archive:

libnusoap-php_0.7.3-4_all.deb
  to main/n/nusoap/libnusoap-php_0.7.3-4_all.deb
nusoap_0.7.3-4.debian.tar.gz
  to main/n/nusoap/nusoap_0.7.3-4.debian.tar.gz
nusoap_0.7.3-4.dsc
  to main/n/nusoap/nusoap_0.7.3-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nusoap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 06 Sep 2010 18:57:35 +0800
Source: nusoap
Binary: libnusoap-php
Architecture: source all
Version: 0.7.3-4
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 libnusoap-php - SOAP toolkit for PHP
Closes: 595248 595346 595561
Changes: 
 nusoap (0.7.3-4) unstable; urgency=high
 .
   * Adopting package (Closes: #595561).
   * Fixes an XSS vulnerability using PHP_SELF (Closes: #595248).
   * Fixes a "return new by reference" PHP 5.3 deprecation (Closes: #595346).
   * Rewrote the debian/copyright that I found in a messy state.
   * Added Vcs-Git and Vcs-Browser fields.





Bug No longer marked as fixed in versions nusoap/0.7.3-4 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Sep 2010 13:57:06 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 0.7.3-4. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Mon, 06 Sep 2010 13:57:07 GMT) Full text and rfc822 format available.

Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. (Thu, 16 Sep 2010 04:51:06 GMT) Full text and rfc822 format available.

Notification sent to David Hicks <hickseydr@optusnet.com.au>:
Bug acknowledged by developer. (Thu, 16 Sep 2010 04:51:06 GMT) Full text and rfc822 format available.

Message #52 received at 595248-done@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: 595248-done@bugs.debian.org
Subject: SOLVED !
Date: Thu, 16 Sep 2010 12:48:00 +0800



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Oct 2010 07:33:32 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:21:55 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.