| 1 |
pva 11/09/01 19:30:23 |
| 2 |
|
| 3 |
Added: mantisbt-1.2.7-file-inclusion.patch |
| 4 |
Log: |
| 5 |
Add patch to address local file inclusion/path traversal, bug 381417 wrt David Hicks. |
| 6 |
|
| 7 |
(Portage version: 2.1.10.11/cvs/Linux x86_64) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: mantisbt-1.2.7-file-inclusion.patch |
| 16 |
=================================================================== |
| 17 |
commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298 |
| 18 |
Author: David Hicks <d@×××××.au> |
| 19 |
Date: Thu Sep 1 19:36:31 2011 +1000 |
| 20 |
|
| 21 |
Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS |
| 22 |
|
| 23 |
High-Tech Bridge SA Security Research Lab reported 2 issues with the |
| 24 |
'action' parameter to bug_actiongroup_ext_page.php |
| 25 |
|
| 26 |
Issue #13282 |
| 27 |
|
| 28 |
XSS issue with require_once() call failures returning an unescaped |
| 29 |
user-supplied filename. There has been a fair amount of recent public |
| 30 |
talk about PHP error messages being a source of XSS issues. This is an |
| 31 |
example. |
| 32 |
|
| 33 |
Issue #12283 |
| 34 |
|
| 35 |
Local file inclusion/path traversal vulnerability on web servers that |
| 36 |
allow translations like: |
| 37 |
http://example.com/directory/file.htm/../file2.htm ==> |
| 38 |
http://example.com/directory/file2.htm |
| 39 |
|
| 40 |
Vulnerable (default configuration): Apache |
| 41 |
Not vulnerable (default configuration): nginx |
| 42 |
|
| 43 |
This issue has _SEVERE_ consequences for people using web servers which |
| 44 |
don't check each segment of a path from top to bottom for validity. It |
| 45 |
shouldn't be possible to include the contents of config_inc.php to |
| 46 |
retrieve MantisBT database passwords because |
| 47 |
require_once('config_inc.php') will parse the document as a PHP script |
| 48 |
(echoing nothing). However it may allow attackers to view private files |
| 49 |
accessible to the web server user account. It also allows an attacker to |
| 50 |
guess the file structure of a server (existence of installed software, |
| 51 |
user accounts, etc). |
| 52 |
|
| 53 |
nginx will produce a 404 error when it determines that file.htm is not a |
| 54 |
directory. This makes too much sense, doesn't it? |
| 55 |
|
| 56 |
diff --git a/bug_actiongroup_ext_page.php b/bug_actiongroup_ext_page.php |
| 57 |
index 2a599d3..0a0ab91 100644 |
| 58 |
--- a/bug_actiongroup_ext_page.php |
| 59 |
+++ b/bug_actiongroup_ext_page.php |
| 60 |
@@ -40,12 +40,18 @@ |
| 61 |
# redirect to view issues page if action doesn't have ext_* prefix. |
| 62 |
# This should only occur if this page is called directly. |
| 63 |
$t_external_action_prefix = 'EXT_'; |
| 64 |
- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) { |
| 65 |
+ $t_matches = array(); |
| 66 |
+ preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches ); |
| 67 |
+ if ( count( $t_matches ) !== 2 ) { |
| 68 |
print_header_redirect( 'view_all_bug_page.php' ); |
| 69 |
- } |
| 70 |
+ exit; |
| 71 |
+ } |
| 72 |
+ $t_external_action = $t_matches[1]; |
| 73 |
+ $t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php'; |
| 74 |
+ if ( !file_exists( $t_include_file ) ) { |
| 75 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 76 |
+ } |
| 77 |
|
| 78 |
- $t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) ); |
| 79 |
- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php'; |
| 80 |
$t_form_name = 'bug_actiongroup_' . $t_external_action; |
| 81 |
|
| 82 |
bug_group_action_print_top(); |
| 83 |
diff --git a/core/bug_group_action_api.php b/core/bug_group_action_api.php |
| 84 |
index bd80ea6..30e71ed 100644 |
| 85 |
--- a/core/bug_group_action_api.php |
| 86 |
+++ b/core/bug_group_action_api.php |
| 87 |
@@ -94,7 +94,14 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) { |
| 88 |
* @param $p_action The custom action name without the "EXT_" prefix. |
| 89 |
*/ |
| 90 |
function bug_group_action_print_action_fields( $p_action ) { |
| 91 |
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); |
| 92 |
+ if ( !preg_match( '/^\w+$/', $p_action ) ) { |
| 93 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 94 |
+ } |
| 95 |
+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php'; |
| 96 |
+ if ( !file_exists( $t_include_file ) ) { |
| 97 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 98 |
+ } |
| 99 |
+ require_once( $t_include_file ); |
| 100 |
$t_function_name = 'action_' . $p_action . '_print_fields'; |
| 101 |
$t_function_name(); |
| 102 |
} |
| 103 |
@@ -106,7 +113,14 @@ function bug_group_action_print_action_fields( $p_action ) { |
| 104 |
* @param $p_action The custom action name without the "EXT_" prefix. |
| 105 |
*/ |
| 106 |
function bug_group_action_print_title( $p_action ) { |
| 107 |
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); |
| 108 |
+ if ( !preg_match( '/^\w+$/', $p_action ) ) { |
| 109 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 110 |
+ } |
| 111 |
+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php'; |
| 112 |
+ if ( !file_exists( $t_include_file ) ) { |
| 113 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 114 |
+ } |
| 115 |
+ require_once( $t_include_file ); |
| 116 |
$t_function_name = 'action_' . $p_action . '_print_title'; |
| 117 |
$t_function_name(); |
| 118 |
} |
| 119 |
@@ -121,7 +135,14 @@ function bug_group_action_print_title( $p_action ) { |
| 120 |
* @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate ) |
| 121 |
*/ |
| 122 |
function bug_group_action_validate( $p_action, $p_bug_id ) { |
| 123 |
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); |
| 124 |
+ if ( !preg_match( '/^\w+$/', $p_action ) ) { |
| 125 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 126 |
+ } |
| 127 |
+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php'; |
| 128 |
+ if ( !file_exists( $t_include_file ) ) { |
| 129 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 130 |
+ } |
| 131 |
+ require_once( $t_include_file ); |
| 132 |
$t_function_name = 'action_' . $p_action . '_validate'; |
| 133 |
return $t_function_name( $p_bug_id ); |
| 134 |
} |
| 135 |
@@ -136,7 +157,14 @@ function bug_group_action_validate( $p_action, $p_bug_id ) { |
| 136 |
* @returns true|array Action can be applied., ( bug_id => reason for failure to process ) |
| 137 |
*/ |
| 138 |
function bug_group_action_process( $p_action, $p_bug_id ) { |
| 139 |
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); |
| 140 |
+ if ( !preg_match( '/^\w+$/', $p_action ) ) { |
| 141 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 142 |
+ } |
| 143 |
+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php'; |
| 144 |
+ if ( !file_exists( $t_include_file ) ) { |
| 145 |
+ trigger_error( ERROR_GENERIC, ERROR ); |
| 146 |
+ } |
| 147 |
+ require_once( $t_include_file ); |
| 148 |
$t_function_name = 'action_' . $p_action . '_process'; |
| 149 |
return $t_function_name( $p_bug_id ); |
| 150 |
} |
Archives