[ phpweather-Bugs-2807476 ] Multiple Vulnerabilities with PHPW
From: SourceForge.net <no...@so...> - 2009-06-18 00:30:48
Bugs item #2807476, was opened at 2009-06-17 02:37
Message generated for change (Settings changed) made by mrgoose
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=377952&aid=2807476&group_id=23245

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: PHP code
Group: phpweather-2.x
Status: Open
>Priority: 8
Private: No
Submitted By: Mr Goose (mrgoose)
Assigned to: Nobody/Anonymous (nobody)
Summary: Multiple Vulnerabilities with PHPW

Initial Comment:
I don't want to worry anyone but it seems there are some moderately critical security issues with PHPWeather. According to an alert by Secunia (and others), dated 2008-12-15, PHPWeather 2.x has the following vulnerabilities:

1) Input via the URL in config/make_config.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

2) Input passed to the "language" parameter in test.php (when "metar" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Unfortunately I don't have the PHP skills to fix it - well not yet anyway. Fortunately the vulnerable files are not part of the core and it seems to work OK without them (providing PHPW is set up already). So, as a temporary fix, it seems one could simply delete the offending files, or make them inaccessible to the web server using chmod. Alternatively one can use .htaccess & .htpasswd to allow password-only access to the offending files - assuming you actually want to use them.
----------------------------------------------------------------------
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=377952&aid=2807476&group_id=23245
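For maintainers who do want to keep test pages like the ones the report names, the two issues above map to two code-level fixes: never build an include path from a request parameter (whitelist it instead, which also defeats "../" and URL-encoded NUL bytes), and escape any request-derived text before echoing it back. The following is an added illustration of both, not PHPWeather's own code; the `languages/` directory, the `resolve_language_file` and `h` helpers, and the `language` handling shown are hypothetical.

```php
<?php
// Added example, not part of PHPWeather. Hypothetical page that takes a
// "language" query parameter and echoes part of the request back, written so
// that neither a file-inclusion nor a script-injection issue can arise.

declare(strict_types=1);

// Hypothetical directory holding one file per language, e.g. languages/en.php.
const LANG_DIR = __DIR__ . '/languages';

/**
 * Map a requested language code to a file path, or return null.
 * The code must be a short lowercase ASCII token AND must name a file that
 * actually exists in LANG_DIR, so the include path is taken from the
 * whitelist, never assembled from the raw request value. Traversal
 * sequences and NUL bytes fail the pattern check before any path is built.
 */
function resolve_language_file(string $requested): ?string
{
    if (!preg_match('/\A[a-z]{2}(_[a-z]{2})?\z/', $requested)) {
        return null;
    }
    $allowed = [];
    foreach (glob(LANG_DIR . '/*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = $path;
    }
    return $allowed[$requested] ?? null;
}

/** Escape request-derived text before placing it in an HTML response. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$language = (string) ($_GET['language'] ?? 'en');
$file = resolve_language_file($language);

if ($file === null) {
    http_response_code(400);
    // The rejected value is reflected only after escaping, so it renders as text.
    echo 'Unknown language: ' . h($language);
    exit;
}

require $file; // path came from the whitelist built above, not from $_GET

// Pages that show the caller's own URL (as a config generator might) must
// escape it the same way; REQUEST_URI is attacker-controlled input.
echo '<p>Request: ' . h($_SERVER['REQUEST_URI'] ?? '') . '</p>';
```

The whitelist approach is preferable to stripping `../` or NUL bytes from the parameter: the accepted value is only ever used as an array key, so there is no path string for an attacker to influence, and any new language is enabled simply by adding its file to the directory.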