Fix security issues described in Secunia Advisory SA35519. Bug 278864.
svn diff directly from upstream SVN.

Index: phpgwapi/doc/CHANGELOG
===================================================================
--- phpgwapi/doc/CHANGELOG	(revision 19116)
+++ phpgwapi/doc/CHANGELOG	(revision 19117)
@@ -1,3 +1,22 @@
+[0.9.16.014]
+	Security Release with bug fixes
+		* Remote File Disclosure in /addressbook/csv_import.php
+		* SQL injection in /login.php
+		* XSS in /login.php
+		* Local file inclusion and Remote file execution in 
+		/addressbook/inc/class.uiXport.inc.php
+		All via Secunia - see SA35519
+
+	0.9.14 -> 0.916 upgrade fixes
+
+	Addressbook usability fixes
+
+[0.9.16.013]
+	No release (stupid superstitious reasons)
+
+[0.9.16.012]
+	Upgrade phpsysinfo
+
 [0.9.16.011]
 	Security Release with bug fixes
 		- Fix for Vulnerability in Calendar
Index: phpgwapi/inc/class.auth_sql.inc.php
===================================================================
--- phpgwapi/inc/class.auth_sql.inc.php	(revision 19116)
+++ phpgwapi/inc/class.auth_sql.inc.php	(revision 19117)
@@ -40,11 +40,15 @@
 
 			if ($passwd_type == 'md5')
 			{
+				if(!preg_match('/^[0-9a-f]*$/', $passwd))
+				{
+					return False;
+				}
 				$_passwd = $passwd;
 			}
 
 			$db->query("SELECT * FROM phpgw_accounts WHERE account_lid = '$username' AND "
-				. "account_pwd='" . $_passwd . "' AND account_status ='A'",__LINE__,__FILE__);
+				. "account_pwd='$_passwd' AND account_status ='A'",__LINE__,__FILE__);
 			$db->next_record();
 
 			if ($db->f('account_lid'))
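Review bot: The added pattern `/^[0-9a-f]*$/` is looser than an MD5 hex digest: `*` accepts the empty string, and without the `D` modifier `$` also matches before a trailing newline. Assuming the `md5` password type always carries a 32-character digest, `if(!preg_match('/^[0-9a-f]{32}$/D', $passwd))` rejects both cases. The query below still interpolates `$username` and `$_passwd` straight into the SQL string; whether they are escaped earlier in the function is not visible in this hunk, so that should be confirmed against the database layer's escaping rather than left to the format check alone. The function body starts and ends outside the hunk.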
Index: login.php
===================================================================
--- login.php	(revision 19116)
+++ login.php	(revision 19117)
@@ -329,7 +329,7 @@
 	{
 		if (ereg('phpgw_',$name))
 		{
-			$extra_vars .= '&' . $name . '=' . urlencode($value);
+			$extra_vars .= '&' . urlencode($name) . '=' . urlencode($value);
 		}
 	}
 
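Review bot: `ereg('phpgw_',$name)` on the unchanged line above the fix matches the substring anywhere in the parameter name, so any request variable whose name merely contains `phpgw_` is still forwarded into `$extra_vars`. If only the prefix is meant, `if (strncmp($name, 'phpgw_', 6) == 0)` is tighter and avoids the POSIX regex functions, which later PHP versions drop. `urlencode($value)` also assumes a string, while an array-valued request parameter could reach it; an `is_string($value)` guard in the same condition covers that. The enclosing loop starts outside the hunk.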
Index: addressbook/inc/class.uiXport.inc.php
===================================================================
--- addressbook/inc/class.uiXport.inc.php	(revision 19116)
+++ addressbook/inc/class.uiXport.inc.php	(revision 19117)
@@ -73,7 +73,8 @@
 
 		function import()
 		{
-			if ($_REQUEST['convert']) //&& ($_FILES['tsvfile']['error'] == UPLOAD_ERR_OK))
+			$conv_type_a = $GLOBALS['phpgw']->session->appsession('conv_type_values_i', 'addressbook');
+			if ($_REQUEST['convert'] && is_array($conv_type_a) && in_array($_REQUEST['conv_type'], $conv_type_a)) //&& ($_FILES['tsvfile']['error'] == UPLOAD_ERR_OK))
 			{
 				$buffer = $this->bo->import($_FILES['tsvfile']['tmp_name'],$_REQUEST['conv_type'],$_REQUEST['private'],$_REQUEST['fcat_id']);
 
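Review bot: `in_array($_REQUEST['conv_type'], $conv_type_a)` compares loosely, so a numeric-looking string can match an allowed entry it is not identical to. Because the accepted value is then passed on to `$this->bo->import()`, the strict flag is worth adding: `in_array($_REQUEST['conv_type'], $conv_type_a, true)`. The same call appears in the export hunk at `-173,7 +174,8`. The upload-error test is still commented out on this line, so `$_FILES['tsvfile']['tmp_name']` reaches `import()` without an `is_uploaded_file()` check. `import()` continues outside the hunk.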
@@ -130,7 +131,7 @@
 					$fname = ereg_replace('_',' ',$myfilearray[$i]);
 					$conv .= '<OPTION VALUE="' . $myfilearray[$i].'">' . $fname . '</OPTION>';
 				}
-
+				$GLOBALS['phpgw']->session->appsession('conv_type_values_i', 'addressbook', $myfilearray);
 				$this->template->set_var('lang_cancel',lang('Cancel'));
 				$this->template->set_var('lang_cat',lang('Select Category'));
 				$this->template->set_var('cancel_url',$GLOBALS['phpgw']->link('/index.php','menuaction=addressbook.uiaddressbook.index'));
@@ -173,7 +174,8 @@
 			
 			//$entries = $this->bo->$get_data_function($fields, $this->limit, $this->start, $this->order, $this->sort, '', $criteria);
 			
-			if ($_REQUEST['convert'])
+			$conv_type_a = $GLOBALS['phpgw']->session->appsession('conv_type_values_e', 'addressbook');
+			if ($_REQUEST['convert'] && is_array($conv_type_a) && in_array($_REQUEST['conv_type'], $conv_type_a))
 			{
 				if ($_REQUEST['conv_type'] == 'none')
 				{
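Review bot: The `$_REQUEST['conv_type'] == 'none'` branch directly below now sits behind the allow-list test, so it is reachable only if `'none'` is an element of the array stored under `conv_type_values_e`. The hunk at `-248,6 +250,7` stores `$myfilearray` as built for the option list; if `none` is offered through a separate hard-coded option (not visible here), that export path silently stops working. Allowing it explicitly keeps the branch live: `in_array($_REQUEST['conv_type'], array_merge(array('none'), $conv_type_a), true)`. The enclosing function starts and ends outside the hunk.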
@@ -248,6 +250,7 @@
 					$conv .= '        <option value="'.$myfilearray[$i].'">'.$fname.'</option>'."\n";
 				}
 
+				$GLOBALS['phpgw']->session->appsession('conv_type_values_e', 'addressbook', $myfilearray);
 				$this->template->set_var('lang_cancel',lang('Cancel'));
 				$this->template->set_var('lang_cat',lang('Select Category'));
 				$this->template->set_var('cat_link',$this->cat_option($this->cat_id,False,False));
Index: addressbook/csv_import.php
===================================================================
--- addressbook/csv_import.php	(revision 19116)
+++ addressbook/csv_import.php	(revision 19117)
@@ -31,12 +31,20 @@
 	$GLOBALS['phpgw']->template->set_block('import','ffooter','ffooterhandle');
 	$GLOBALS['phpgw']->template->set_block('import','imported','importedhandle');
 
-	$csvfile  = isset($_POST['csvfile']) ? $_POST['csvfile'] : $_FILES['csvfile']['tmp_name'];
+	$csvfile  = $_FILES['csvfile']['tmp_name'];
 
 	if($_POST['action'] == 'download' && (!$_POST['fieldsep'] || !$csvfile || !($fp=fopen($csvfile,'rb'))))
 	{
 		$_POST['action'] = '';
 	}
+	if($_POST['action'] == 'import')
+	{
+		$csvfile = $GLOBALS['phpgw']->session->appsession('import_data', 'addressbook');
+		if(!file_exists($csvfile))
+		{
+			$_POST['action'] = '';
+		}
+	}
 	$GLOBALS['phpgw']->template->set_var('action_url',$GLOBALS['phpgw']->link('/addressbook/csv_import.php'));
 
 	$PSep = '||'; // Pattern-Separator, separats the pattern-replacement-pairs in trans
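Review bot: `file_exists($csvfile)` in the new `import` branch is also true for a directory, and it is called on whatever `appsession('import_data', 'addressbook')` returns, which may not be a string when nothing was stored (the return value for a missing entry is not visible here). `if(!is_string($csvfile) || !is_file($csvfile))` is the narrower test. The visible code also never clears the stored path, so unless the file is removed after the import, a later `import` request in the same session would read it again. Clearing the session entry once the import completes avoids that.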
@@ -175,9 +183,10 @@
 			$GLOBALS['phpgw']->template->set_var('max',200);
 			$GLOBALS['phpgw']->template->parse('ffooterhandle','ffooter'); 
 			fclose($fp);
-			$old = $csvfile; $csvfile = $GLOBALS['phpgw_info']['server']['temp_dir'].'/addrbook_import_'.basename($csvfile);
-			rename($old,$csvfile); 
-			$hiddenvars .= '<input type="hidden" name="csvfile" value="'.$csvfile.'">';
+			$old = $csvfile; $csvfile = $GLOBALS['phpgw_info']['server']['temp_dir'].'/addrbook_import_'.$GLOBALS['phpgw_info']['user']['account_id'].'_'.basename($csvfile);
+			rename($old,$csvfile);
+			$GLOBALS['phpgw']->session->appsession('import_data', 'addressbook', $csvfile);
+			//$hiddenvars .= '<input type="hidden" name="csvfile" value="'.$csvfile.'">';
 			$mktime_lotus = "${PSep}0?([0-9]+)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*).*$ASep@mktime(${VPre}4,${VPre}5,${VPre}6,${VPre}2,${VPre}3,${VPre}1)";
 			$help_on_trans = "<a name=\"help\"></a><b>How to use Translation's</b><p>".
 				"Translations enable you to change / adapt the content of each CSV field for your needs. <br />".
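Review bot: The result of `rename($old,$csvfile)` is not checked before the path is written to the session, so a failed move leaves `import_data` pointing at a file that is not there. Since `$old` is the upload's `tmp_name`, `move_uploaded_file()` fits better and also verifies that the source really is an upload: `if (move_uploaded_file($old, $csvfile)) { $GLOBALS['phpgw']->session->appsession('import_data', 'addressbook', $csvfile); }`. The commented-out hidden `csvfile` input should be deleted rather than kept, so the client-supplied path cannot be reintroduced by accident. The enclosing block starts outside the hunk.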