[UNIX] P4DB Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 05/16/04

    To: list@securiteam.com
    Date: 16 May 2004 17:58:46 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      P4DB Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    P4DB (<http://www.mydata.se/ftp/P4DB/>) is a CGI-based tool that provides a
    web-based interface to Perforce source code repositories. It is
    third-party software, developed by an individual and not supported by
    Perforce.

    There are many input validation problems in P4DB that allow the running of
    arbitrary shell commands on the web server's system. In addition there are
    numerous cross-site scripting bugs throughout the package.

    DETAILS

    Vulnerable Systems:
     * P4DB version 2.01 and prior

    P4DB suffers from multiple security issues, the worst of which is
    unfiltered variable input passed directly to shell commands. Using crafted
    URLs it would be possible for an attacker to run arbitrary commands on the
    web server. Other issues include multiple XSS vulnerabilities throughout
    the code.
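    As an added illustration (not part of this advisory or of P4DB's own code), the hardening a Perl CGI can apply to this class of bug: each parameter is checked against a whitelist anchored with \A and \z, and p4 is run through the list form of open so that no shell ever parses the arguments. The p4 path, the file-spec grammar and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not P4DB code. The client path is an assumption.
my $P4 = '/usr/local/bin/p4';

# Whitelist checks. Anchoring with \A and \z matters: with /^\d+$/ the $
# also matches before a trailing newline, so "4711\n" would be accepted.
sub is_change_number { my ($v) = @_; return defined $v && $v =~ /\A\d+\z/; }

# A depot file spec: //depot/dir/file, optionally ending in the ... wildcard.
# The allowed alphabet is an assumption; widen it to match the site's depot
# naming rather than falling back to a metacharacter blacklist.
sub is_filespec {
    my ($v) = @_;
    return defined $v && $v =~ m{\A//(?:[\w.\-]+/)*(?:[\w.\-]+|\.\.\.)\z};
}

# Run p4 with the list form of open (Perl 5.8+). The arguments go straight
# to execve, so quotes, semicolons, backticks or newlines in them are data,
# never shell syntax. Compare the single-string form  open(FH, "$P4 @cmd|")
# which hands the whole line to /bin/sh whenever it contains a metacharacter.
sub p4_lines {
    my (@args) = @_;
    open(my $fh, '-|', $P4, @args) or die "cannot run $P4: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Request handling: reject, do not sanitise, anything outside the whitelist.
sub describe_change {
    my ($change) = @_;
    is_change_number($change) or die "Invalid change number\n";
    return p4_lines('describe', '-s', $change);
}

sub files_under {
    my ($spec) = @_;
    is_filespec($spec) or die "Invalid file spec\n";
    return p4_lines('files', $spec);
}

# Self-checks for the validators (run only when executed directly, so the
# file can also be required as a library).
unless (caller) {
    die "number check"  unless is_change_number("4711");
    die "newline check" if     is_change_number("4711\n");
    die "separator"     if     is_change_number("1;2");
    die "spec check"    unless is_filespec("//depot/main/...");
    die "spec file"     unless is_filespec("//depot/main/src/P4CGI.pm");
    die "spec quote"    if     is_filespec('//depot/"x"');
    die "spec space"    if     is_filespec("//depot/a b");
    print "validators OK\n";
}
```

Running the file directly only exercises the validators; describe_change and files_under need a reachable p4 client.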

    Vendor Status:
    The original developer of P4DB, Fredric Fredricson, appears to have
    dropped off the Internet. He did not respond to inquiries made in late
    March, 2004. The most recent release of P4DB was in 2001. He has submitted
    a multitude of changes to the package source in the public Perforce
    repository (as recently as March, 2004), but the security issues are still
    present in that code.

    Perforce was contacted regarding the security issues mentioned. It is
    recommended that P4DB users migrate to P4Web, a free package that provides
    the same functionality, developed and maintained by Perforce themselves.
    It can be found at http://www.perforce.com/perforce/products/p4web.html.

    Patch Availability:
    An unofficial patch is presented here which should mitigate the mentioned
    vulnerabilities for those who do not yet wish to migrate their systems:

    diff -Nur p4db.orig/P4CGI.pm p4db/P4CGI.pm
    --- p4db.orig/P4CGI.pm Mon Apr 12 11:33:17 2004
    +++ p4db/P4CGI.pm Tue Apr 20 15:06:56 2004
    @@ -438,6 +438,11 @@
         my ( $par, @command ) = @_;
         my $partype = ref $par ;
         push @ERRLOG,"p4call(<$partype>,@command)" ;
    +
    + # Unfortunately, we can't filter out " and >, since they're used to
    quote
    + # the arguments, and redirect output. Bummer. We'll just hope that
    everyone
    + # else filtered things OK.
    + &bail("Invalid P4 command @command") if ("$P4 @command" =~
    /['`&;|<\!()\$\\]/);
         if(!$partype) {
      open( $par, "$P4 @command|" ) || &bail( "$P4 @command failed" );
      return ;
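    Review bot: the new `&bail` check is a metacharacter blacklist placed in front of `open( $par, "$P4 @command|" )`, and the comment above it concedes that `"` and `>` have to be let through; newline is missing from the character class as well, and all three are still interpreted by the shell that this single-string pipe open spawns. The root fix is to stop invoking a shell: `open( $par, '-|', $P4, @command )` (Perl 5.8 list-form open) passes the arguments to execve untouched, after which the regex is unnecessary and callers no longer need to wrap arguments in quotes. If the single-string form has to stay, move the output redirection into the code so `>` and `\n` can be added to the blacklist.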
    diff -Nur p4db.orig/SetPreferences.cgi p4db/SetPreferences.cgi
    --- p4db.orig/SetPreferences.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/SetPreferences.cgi Mon Apr 12 11:55:49 2004
    @@ -14,6 +14,7 @@
     #################################################################
     
     my $newp = &P4CGI::cgi()->param("SET_PREFERENCES") ;
    +$newp = "Yes" if defined $newp;
     my $fullURL = &P4CGI::cgi()->url(-full=>1) ;
     
     if((defined $newp) and
    diff -Nur p4db.orig/branchView.cgi p4db/branchView.cgi
    --- p4db.orig/branchView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/branchView.cgi Mon Apr 12 11:55:49 2004
    @@ -19,6 +19,7 @@
     ###
     my $branch = P4CGI::cgi()->param("BRANCH") ;
     &P4CGI::bail("No branch specified") unless defined $branch ;
    +&P4CGI::bail("Invalid branch specified") if $branch =~ /[<>"&:;'`]/;
     
     
     ###
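    Review bot: the metacharacter blacklist introduced on the `$branch` check is repeated verbatim in about twenty files of this patch with no single place to maintain it, and it omits `|`, `$`, `(`, `)`, `\` and newline, so on its own it only covers HTML output and relies on the separate check in `p4call` for the shell. Centralise it as one helper in P4CGI.pm (a `checkArg` routine, name assumed), and prefer a whitelist of the characters a Perforce branch name may contain over a list of the ones it may not.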
    diff -Nur p4db.orig/changeByUsers.cgi p4db/changeByUsers.cgi
    --- p4db.orig/changeByUsers.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/changeByUsers.cgi Wed Apr 21 09:37:10 2004
    @@ -15,8 +15,11 @@
     
     my $FSPC = &P4CGI::cgi()->param("FSPC") ;
     $FSPC = "//..." unless defined $FSPC ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
     
     my $COMPLETE= &P4CGI::cgi()->param("COMPLETE") ;
    +&P4CGI::bail("Invalid COMPLETE flag.")
    + unless (!defined($COMPLETE) || ($COMPLETE =~ /^\w+^/));
     
     
     my @legend ;
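    Review bot: the `COMPLETE` check has a typo: `/^\w+^/` ends in a second `^` instead of `$`, so it can never match (a start-of-string assertion after one or more characters fails without `/m`) and every request that supplies `COMPLETE` will bail. It should read `$COMPLETE =~ /^\w+$/`, or better `/\A\w+\z/`; the same pattern is used correctly for `$STATUS` in changeList.cgi.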
    diff -Nur p4db.orig/changeList.cgi p4db/changeList.cgi
    --- p4db.orig/changeList.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/changeList.cgi Tue Apr 20 15:10:49 2004
    @@ -96,6 +96,9 @@
     $filespec = "//..." unless defined $filespec ;
     $filespec =~ s/\s*\+\s*\/\//\/\//g ; # replace <space>+<space>// with //
              # where <space> is 0 or more whitespace charcaters
    +
    +&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/);
    +
     my @FSPC =
         map {
      if($_) { "//".$_ ; }
    @@ -107,6 +110,7 @@
     #
     my $LABEL = P4CGI::cgi()->param("LABEL") ;
     if(defined $LABEL and $LABEL eq "-") { $LABEL = undef ; } ;
    +&P4CGI::bail("Invalid label.") if ($LABEL =~ /[<>"&:;'`]/);
     
     #
     # Check that FSPC or LABEL is specified
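    Review bot: `$LABEL` can be undef at the new check (it is set to undef on the line above when it is `-`, or was never supplied), so the match emits an uninitialized-value warning under `use warnings` on every such request; guard it with `defined $LABEL and`. The same applies to the `$EXLABEL`, `$SEARCHDESC`, `$SEARCH_INVERT`, `$GROUP` and `$CLIENT` checks later in this file.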
    @@ -120,18 +124,22 @@
     #
     my $EXLABEL = &P4CGI::cgi()->param("EXLABEL") ;
     if(defined $EXLABEL and $EXLABEL eq "-") { $EXLABEL = undef ; } ;
    +&P4CGI::bail("Invalid label to exclude.") if ($EXLABEL =~ /[<>"&:;'`]/);
     
     #
     # Get status
     #
     my $STATUS = &P4CGI::cgi()->param("STATUS") ;
     unless(defined $STATUS) { $STATUS = "submitted" ; } ;
    +unless ($STATUS =~ /^\w+$/) { &P4CGI::bail("Invalid status."); };
     
     #
     # Get max changes to display
     #
     my $MAXCH = P4CGI::cgi()->param("MAXCH") ;
     $MAXCH = &P4CGI::MAX_CHANGES() unless(defined $MAXCH) ;
    +unless ($MAXCH =~ /^\d+$/) {
    + &P4CGI::bail("Invalid value for the maximum number of changes ."); };
     
     #
     # Get first change No. to display and offset from start
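    Review bot: the whitelists `/^\w+$/` and `/^\d+$/` on `$STATUS` and `$MAXCH` are the right approach, but `$` also matches before a trailing newline, so a value ending in `\n` passes and the newline is then interpolated into the p4 command line. Anchor with `\A` and `\z` instead; this applies to every `^...$` check in the patch.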
    @@ -140,7 +148,13 @@
     my $CHOFFSET=0 ;
     if(defined $MAXCH) {
         $FIRSTCH = P4CGI::cgi()->param("FIRSTCH") ;
    + unless (!defined($FIRSTCH) || ($FIRSTCH =~ /^\d+$/)) {
    + &P4CGI::bail("Invalid value for the starting change number.");
    + }
         $CHOFFSET = P4CGI::cgi()->param("CHOFFSETDISP") ;
    + unless (!defined($CHOFFSET) || ($CHOFFSET =~ /^\d+$/)) {
    + &P4CGI::bail("Invalid value for the change number offset.");
    + }
     }
     
     
    @@ -152,7 +166,10 @@
     #
     my $SEARCHDESC = &P4CGI::cgi()->param("SEARCHDESC") ;
     $SEARCHDESC=undef if defined $SEARCHDESC and $SEARCHDESC eq "" ;
    +&P4CGI::bail("Invalid search terms.") if ($SEARCHDESC =~ /[<>"&:;'`]/);
    +
     my $SEARCH_INVERT = &P4CGI::cgi()->param("SEARCH_INVERT") ;
    +&P4CGI::bail("Invalid search terms.") if ($SEARCH_INVERT =~
    /[<>"&:;'`]/);
     
     my $USER = &P4CGI::cgi()->param("USER") ;
     {
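    Review bot: `SEARCH_INVERT` is a toggle, yet it gets the free-text blacklist rather than the normalisation used for `SET_PREFERENCES` in SetPreferences.cgi (`$newp = "Yes" if defined $newp;`); normalising it to a constant removes the reflection entirely. `$SEARCHDESC` is user-supplied search text that will legitimately carry spaces and punctuation, so confirm that whatever consumes it downstream quotes it properly, because `|`, `$` and `(` are not in this character class.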
    @@ -167,6 +184,8 @@
         }
     }
     $USER=undef if defined $USER and $USER eq "" ;
    +&P4CGI::bail("Invalid user(s).")
    + unless (!defined($USER) || ($USER =~ /^\w+(,\w+)*$/));
     
     my $GROUP = &P4CGI::cgi()->param("GROUP") ;
     {
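    Review bot: `$USER =~ /^\w+(,\w+)*$/` rejects any user name containing characters outside `\w`; if this site's Perforce user names contain dots or hyphens (common for first.last style accounts) the user filter will stop working. Widen the class deliberately (for example `[\w.\-]`) rather than falling back to the blacklist, and anchor with `\z`. The same consideration applies to the `^\w+$` checks in clientList.cgi and userView.cgi.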
    @@ -181,10 +200,11 @@
         }
     }
     $GROUP=undef if defined $GROUP and $GROUP eq "" ;
    -
    +&P4CGI::bail("Invalid group(s).") if ($GROUP =~ /[<>"&:;'`]/);
     
     my $CLIENT = &P4CGI::cgi()->param("CLIENT") ;
     $CLIENT=undef if defined $CLIENT and $CLIENT eq "" ;
    +&P4CGI::bail("Invalid client specified.") if ($CLIENT =~ /[<>"&:;'`]/);
     
     ###
     ### Sub getChanges
    diff -Nur p4db.orig/changeView.cgi p4db/changeView.cgi
    --- p4db.orig/changeView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/changeView.cgi Mon Apr 12 11:55:49 2004
    @@ -17,7 +17,9 @@
     # Get file spec argument
     my $change = P4CGI::cgi()->param("CH") ;
     &P4CGI::bail("No change number specified") unless defined $change ;
    +&P4CGI::bail("Invalid change number specified") unless ($change =~
    /^\d+$/);
     $change =~ /^\d+$/ or &P4CGI::bail("\"$change\" is not a positive
    number");
    +
     my @desc ;
     my $currlev = &P4CGI::CURRENT_CHANGE_LEVEL() ;
     if($change > $currlev or $change < 1) {
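    Review bot: the added `&P4CGI::bail("Invalid change number specified") unless ($change =~ /^\d+$/);` duplicates the existing check on the very next line, `$change =~ /^\d+$/ or &P4CGI::bail(...)`, which already rejects non-numeric input before `$change` reaches the range comparison. Drop the addition, or replace the old line with a `\A...\z` anchored version, rather than keeping two checks with different messages.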
    diff -Nur p4db.orig/clientList.cgi p4db/clientList.cgi
    --- p4db.orig/clientList.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/clientList.cgi Wed Apr 21 09:38:25 2004
    @@ -43,6 +43,9 @@
     }
     
     my $user = P4CGI::cgi()->param("USER") ;
    +&P4CGI::bail("Invalid user specified.")
    + unless (!defined($user) || ($user =~ /^\w+$/));
    +
     my $mode = P4CGI::cgi()->param("MODE") ;
     $mode = "Brief" unless (defined $mode) and ($mode eq "Complete") ;
     $mode = "Complete" if defined $user ;
    diff -Nur p4db.orig/clientView.cgi p4db/clientView.cgi
    --- p4db.orig/clientView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/clientView.cgi Mon Apr 12 11:55:49 2004
    @@ -18,6 +18,8 @@
     unless(defined $client) {
         &P4CGI::bail("No client specified!") ;
     } ;
    +&P4CGI::bail("Invalid client specified!") if ($client =~ /[<>"&:;'`]/);
    +
     
     # Get list of users and full names
     my @users ;
    diff -Nur p4db.orig/depotStats.cgi p4db/depotStats.cgi
    --- p4db.orig/depotStats.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/depotStats.cgi Mon Apr 12 11:55:49 2004
    @@ -26,6 +26,7 @@
     #
     my $FSPC = P4CGI::cgi()->param("FSPC") ;
     $FSPC = "//..." unless defined $FSPC ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
     my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
     $FSPC = "<tt>".join("</tt> and <tt>",@FSPC)."</tt>" ;
     my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ;
    diff -Nur p4db.orig/depotTreeBrowser.cgi p4db/depotTreeBrowser.cgi
    --- p4db.orig/depotTreeBrowser.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/depotTreeBrowser.cgi Mon Apr 12 11:55:49 2004
    @@ -18,6 +18,7 @@
     ###
         # * Get path from argument
     my $fspc = P4CGI::cgi()->param("FSPC") ;
    +&P4CGI::bail("Invalid file spec.") if ($fspc =~ /[<>"&:;'`]/);
     $fspc =~ s/\.\.\.$// if defined $fspc ;
         # Find out if we have multiple depots
     my @depots ;
    diff -Nur p4db.orig/fileDiffView.cgi p4db/fileDiffView.cgi
    --- p4db.orig/fileDiffView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileDiffView.cgi Mon Apr 12 11:55:49 2004
    @@ -17,32 +17,40 @@
     #################################################################
     
     # Get file spec argument
    -my @files = split /,/,P4CGI::cgi()->param("FSPC") ;
    +my $FSPC = P4CGI::cgi()->param("FSPC") ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
    +my @files = split /,/,$FSPC;
     &P4CGI::bail("No file specified") unless @files > 0 ;
     
    -my @revs = split / /,P4CGI::cgi()->param("REV") if defined
    P4CGI::cgi()->param("REV") ;
    +my $REV = P4CGI::cgi()->param("REV");
    +my @revs = split / /,$REV if defined $REV;
    +&P4CGI::bail("Invalid file revisions.") unless ($REV =~ /^[0-9 ]*$/);
     $files[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs[0] = $2 ; } ;
     &P4CGI::bail("No revision specified") unless @revs > 0 ;
     
    -my @modes ;
    -@modes = split / /,P4CGI::cgi()->param("ACT") if defined
    P4CGI::cgi()->param("ACT") ;
    +my $ACT = P4CGI::cgi()->param("ACT");
    +&P4CGI::bail("Invalid mode(s).") if ($ACT =~ /[<>"&:;'`]/);
    +my @modes = split / /,$ACT if defined $ACT;
     &P4CGI::bail("No mode specified") unless @modes > 0 ;
     
    -my @files2 ;
    -@files2 =
    - split /,/,P4CGI::cgi()->param("FSPC2") if defined
    P4CGI::cgi()->param("FSPC2") ;
    -my @revs2 ;
    -@revs2 =
    - split / /,P4CGI::cgi()->param("REV2") if defined
    P4CGI::cgi()->param("REV2") ;
    +my $FSPC2 = P4CGI::cgi()->param("FSPC2");
    +&P4CGI::bail("Invalid file spec.") if ($FSPC2 =~ /[<>"&:;'`]/);
    +my @files2 = split /,/,$FSPC2 if defined $FSPC2;
    +
    +my $REV2 = P4CGI::cgi()->param("REV2");
    +my @revs2 = split / /,$REV2 if defined $REV2;
    +&P4CGI::bail("Invalid revisions specified.") unless ($REV2 =~ /^[0-9
    ]*$/);
     if(defined $files2[0]) {
         $files2[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs2[0] = $2 ; } ;
     } ;
     
     my $change = P4CGI::cgi()->param("CH") ;
    +&P4CGI::bail("Invalid change specified.") unless ($change =~ /^[0-9]*$/);
     # Constants for the file diff display
     
     # $NCONTEXT - number of lines context before and after a diff
     my $NCONTEXT = P4CGI::cgi()->param("CONTEXT") ;
    +&P4CGI::bail("Invalid number of context lines.") unless ($NCONTEXT =~
    /^[0-9]*$/);
     $NCONTEXT = 10 unless defined $NCONTEXT ;
     
     # $MAXCONTEXT - max number of lines context between diffs
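    Review bot: `my @revs = split / /,$REV if defined $REV;` (and likewise the new `my @modes`, `my @files2` and `my @revs2` lines) declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; the two-statement form `my @revs ; @revs = ... if ...` that this hunk removes was the correct one. Also the `$REV`, `$REV2`, `$change` and `$NCONTEXT` regex checks run on possibly-undef values, and the `$REV` check comes after the split it is meant to protect; place each `bail` directly after the `param()` call and guard it with `defined`.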
    diff -Nur p4db.orig/fileDownLoad.cgi p4db/fileDownLoad.cgi
    --- p4db.orig/fileDownLoad.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileDownLoad.cgi Mon Apr 12 11:55:49 2004
    @@ -17,12 +17,14 @@
     # Get file spec argument
     my $file = P4CGI::cgi()->param("FSPC") ;
     &P4CGI::bail("No file specified") unless defined $file ;
    +&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);
     
     my $filename = $file ;
     $filename =~ s/.*\/// ;
     
     my $revision = P4CGI::cgi()->param("REV") ;
     &P4CGI::bail("No revision specified") unless defined $revision ;
    +&P4CGI::bail("Invalid revision specified") unless $revision =~ /^\d*$/;
     
     local *P4 ;
     
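    Review bot: `$revision =~ /^\d*$/` accepts an empty string even though the line above already insists that a revision be supplied; use `/\A\d+\z/` here. `$filename`, derived from `$file` two lines up, inherits only the blacklist; if it is emitted in a download header, reject `\r` and `\n` in `$file` as well, since neither is in the character class.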
    diff -Nur p4db.orig/fileLogView.cgi p4db/fileLogView.cgi
    --- p4db.orig/fileLogView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileLogView.cgi Tue Apr 20 15:17:12 2004
    @@ -34,14 +34,15 @@
         # File argument
     my $file = P4CGI::cgi()->param("FSPC") ;
     &P4CGI::bail("No file spec") unless defined $file ;
    +&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
     
         # Label x-reference argument
     my $listLabel = P4CGI::cgi()->param("LISTLAB") ;
    -$listLabel = "No" unless defined $listLabel ;
    +$listLabel = "No" unless defined $listLabel and $listLabel eq "Yes";
     
         # Show branch info argument
     my $showBranch = P4CGI::cgi()->param("SHOWBRANCH") ;
    -$showBranch="No" unless defined $showBranch ;
    +$showBranch="No" unless defined $showBranch and $showBranch eq "Yes";
     
         # Get file data
     my @filelog ;
    diff -Nur p4db.orig/fileOpen.cgi p4db/fileOpen.cgi
    --- p4db.orig/fileOpen.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileOpen.cgi Mon Apr 12 11:55:49 2004
    @@ -17,6 +17,7 @@
         # File argument
     my $FSPC = P4CGI::cgi()->param("FSPC") ;
     $FSPC = "//..." unless defined $FSPC ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
     my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
     $FSPC = "<tt>".join("</tt> and <tt>",@FSPC)."</tt>" ;
     my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ;
    diff -Nur p4db.orig/fileSearch.cgi p4db/fileSearch.cgi
    --- p4db.orig/fileSearch.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileSearch.cgi Mon Apr 12 11:55:49 2004
    @@ -17,11 +17,14 @@
     # Get file spec argument
     my $filespec = P4CGI::cgi()->param("FSPC") ;
     $filespec = "" unless defined $filespec ;
    +&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/);
     
     my $label = P4CGI::cgi()->param("LABEL") ;
     if(!defined $label) {
         $label = "" ;
     }
    +&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/);
    +
     my $filedesc ;
     my $showDiffSelection="Y" ;
     if($filespec eq "") {
    diff -Nur p4db.orig/fileViewer.cgi p4db/fileViewer.cgi
    --- p4db.orig/fileViewer.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/fileViewer.cgi Tue Apr 20 15:20:15 2004
    @@ -31,6 +31,7 @@
     
     my $file = P4CGI::cgi()->param("FSPC") ;
     &P4CGI::bail("No file specified") unless defined $file ;
    +&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
     
     my $ext = $file ;
     $ext =~ s/^.*\.// ;
    @@ -38,9 +39,11 @@
     my $revision = P4CGI::cgi()->param("REV") ;
     # &P4CGI::bail("No revision specified") unless defined $revision ;
     $revision = "#$revision" if defined $revision ;
    -$revision="" unless defined $revision ;
    +$revision = "" unless defined $revision ;
    +&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d*$/);
     
     my $force = P4CGI::cgi()->param("FORCE") ;
    +$force = "Yes" if defined $force;
     
     
         # find out if p4br.perl is available, if true set smart
    diff -Nur p4db.orig/filesChangedSince.cgi p4db/filesChangedSince.cgi
    --- p4db.orig/filesChangedSince.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/filesChangedSince.cgi Mon Apr 12 11:55:49 2004
    @@ -24,6 +24,7 @@
     
     my $FSPC = P4CGI::cgi()->param("FSPC") ;
     $FSPC = "//..." unless defined $FSPC ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
     my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
     
     my $WEEKS = P4CGI::cgi()->param("WEEKS") ;
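    Review bot: `$WEEKS`, read on the last context line of this hunk, receives no validation in this patch; if it is interpolated into a date computation or a p4 command, give it the same `/\A\d+\z/` check applied to `MAXCH` in changeList.cgi.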
    diff -Nur p4db.orig/groupView.cgi p4db/groupView.cgi
    --- p4db.orig/groupView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/groupView.cgi Mon Apr 12 11:55:49 2004
    @@ -22,6 +22,8 @@
         &P4CGI::bail("No group specified!") ;
     } ;
     
    +&P4CGI::bail("Invalid group.") if ($group =~ /[<>"&:;'`]/);
    +
         # Get real user names...
     my %userCvt ;
     {
    diff -Nur p4db.orig/htmlFileView.cgi p4db/htmlFileView.cgi
    --- p4db.orig/htmlFileView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/htmlFileView.cgi Mon Apr 12 11:55:49 2004
    @@ -18,6 +18,7 @@
     # Get type arg
     my $type = P4CGI::cgi()->param("TYPE") ;
     &P4CGI::bail("No file type specified") unless defined $type ;
    +&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);
     
     my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;
     
    @@ -28,10 +29,12 @@
         # Get file spec argument
         my $file = P4CGI::cgi()->param("FSPC") ;
         &P4CGI::bail("No file specified") unless defined $file ;
    + &P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
     
         my $revision = P4CGI::cgi()->param("REV") ;
         $revision = "#$revision" if defined $revision ;
    - $revision="" unless defined $revision ;
    + $revision = "" unless defined $revision ;
    + &P4CGI::bail("Invalid file spec.") unless ($revision =~ /^#?\d*$/);
     
         my $filename=$file ;
         $filename =~ s/^.*\///;
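    Review bot: the message on the new revision check, `&P4CGI::bail("Invalid file spec.") unless ($revision =~ /^#?\d*$/);`, is a copy-paste error; it should say "Invalid revision." as in fileViewer.cgi and specialFileView.cgi, otherwise anyone reading the error log will look at the wrong parameter.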
    diff -Nur p4db.orig/javaDataView.cgi p4db/javaDataView.cgi
    --- p4db.orig/javaDataView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/javaDataView.cgi Mon Apr 12 11:55:49 2004
    @@ -17,6 +17,8 @@
         # * Get path from argument
     
     my $cmd = P4CGI::cgi()->param("CMD") ;
    +&P4CGI::bail("Invalid command.") unless ($cmd =~ /^\w*$/);
    +
     my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;
     
     local *P4 ;
    diff -Nur p4db.orig/jobList.cgi p4db/jobList.cgi
    --- p4db.orig/jobList.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/jobList.cgi Mon Apr 12 11:55:49 2004
    @@ -263,6 +263,7 @@
     else {
         # Do we have "JOBVIEW"?
         my $jobview = &P4CGI::cgi()->param("JOBVIEW") ;
    + $jobview = "Yes" if defined $jobview;
         my $jobviewDesc ;
         if(defined $jobview) {
      $jobviewDesc = "Where jobview is: <TT>$jobview</TT>" ;
    @@ -275,6 +276,7 @@
      my @selectParams = grep { /^FLD/ ; } P4CGI::cgi()->param ;
      my %params ;
      foreach (@selectParams) {
    + &P4CGI::bail("Invalid field parameter.") if (/[<>"&:;'`]/);
          my $v = $_ ;
          s/^FLD// ;
          my @pars = &P4CGI::cgi()->param($v) ;
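    Review bot: the new `&P4CGI::bail("Invalid field parameter.") if (...)` tests `$_`, i.e. the parameter name produced by `grep { /^FLD/ ; }`, but the values fetched on the following line with `&P4CGI::cgi()->param($v)` into `@pars` are what actually get used and are left unchecked in this hunk. Apply the check, preferably a whitelist, to each element of `@pars` as well.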
    @@ -282,7 +284,7 @@
      }
         # Set match all/any
      my $MATCHTYPE = &P4CGI::cgi()->param("MATCHTYPE") ;
    - $MATCHTYPE="all" unless defined $MATCHTYPE ;
    + $MATCHTYPE="all" unless defined $MATCHTYPE and $MATCHTYPE eq "any";
      my $matchtype = "|" ;
      my $matchtypeDesc = "or" ;
      if($MATCHTYPE eq "all") {
    diff -Nur p4db.orig/jobView.cgi p4db/jobView.cgi
    --- p4db.orig/jobView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/jobView.cgi Mon Apr 12 11:55:49 2004
    @@ -17,6 +17,7 @@
     # Get file spec argument
     my $job = P4CGI::cgi()->param("JOB") ;
     &P4CGI::bail("No job specified") unless defined $job ;
    +&P4CGI::bail("Invalid job.") if ($job =~ /[<>"&:;'`]/);
     
         # Create title
     print "", &P4CGI::start_page("Job $job","") ;
    diff -Nur p4db.orig/labelDiffView.cgi p4db/labelDiffView.cgi
    --- p4db.orig/labelDiffView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/labelDiffView.cgi Mon Apr 12 11:55:49 2004
    @@ -23,6 +23,9 @@
     &P4CGI::error("No first label specified") unless defined $LABEL1 ;
     &P4CGI::error("No second label specified") unless defined $LABEL2 ;
     
    +&P4CGI::bail("Invalid first label.") if ($LABEL1 =~ /[<>"&:;'`]/);
    +&P4CGI::bail("Invalid second label.") if ($LABEL2 =~ /[<>"&:;'`]/);
    +
         # defined if files that are the same in both labels
         # should be listed
     my $SHOWSAME = P4CGI::cgi()->param("SHOWSAME") ;
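    Review bot: `$SHOWSAME` on the last context line is a yes/no flag like `LISTLAB` and `SHOWBRANCH` in fileLogView.cgi but is not normalised here; if it is echoed into the page it should get the same `= "Yes" if defined` treatment. Minor: the missing-label cases use `&P4CGI::error` while the new invalid-label cases use `&P4CGI::bail`; pick one so both failures are handled the same way.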
    diff -Nur p4db.orig/labelView.cgi p4db/labelView.cgi
    --- p4db.orig/labelView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/labelView.cgi Mon Apr 12 11:55:49 2004
    @@ -16,6 +16,7 @@
     # Get label
     my $label = P4CGI::cgi()->param("LABEL") ;
     &P4CGI::bail("No label specified") unless defined $label ;
    +&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/);
     
     my $found ;
     # Get list of all labels and also check that supplied label exists
    diff -Nur p4db.orig/searchPattern.cgi p4db/searchPattern.cgi
    --- p4db.orig/searchPattern.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/searchPattern.cgi Mon Apr 12 11:55:49 2004
    @@ -15,6 +15,7 @@
     
     my $FSPC = &P4CGI::cgi()->param("FSPC") ;
     $FSPC = "//..." unless defined $FSPC ;
    +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
     
     my @legend ;
     
    diff -Nur p4db.orig/specialFileView.cgi p4db/specialFileView.cgi
    --- p4db.orig/specialFileView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/specialFileView.cgi Mon Apr 12 11:55:49 2004
    @@ -21,14 +21,17 @@
     # Get type arg
     my $type = P4CGI::cgi()->param("TYPE") ;
     &P4CGI::bail("No file type specified") unless defined $type ;
    +&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);
     
     # Get file spec argument
     my $file = P4CGI::cgi()->param("FSPC") ;
     &P4CGI::bail("No file specified") unless defined $file ;
    +&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);
     
     my $revision = P4CGI::cgi()->param("REV") ;
     $revision = "#$revision" if defined $revision ;
     $revision="" unless defined $revision ;
    +&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d*$/);
     
     my ($url,$desc,$content,$about) = @{$viewConfig::TypeData{$type}} ;
     &P4CGI::bail("Undefined type code") unless defined $url ;
    diff -Nur p4db.orig/userList.cgi p4db/userList.cgi
    --- p4db.orig/userList.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/userList.cgi Mon Apr 12 11:55:49 2004
    @@ -16,6 +16,7 @@
     
     
     my $GROUPSONLY = P4CGI::cgi()->param("GROUPSONLY") ;
    +$GROUPSONLY = "Y" if defined $GROUPSONLY;
     
     sub weeksago($$$ ) {
         my ($y,$m,$d) = @_ ;
    diff -Nur p4db.orig/userView.cgi p4db/userView.cgi
    --- p4db.orig/userView.cgi Mon Apr 12 11:28:37 2004
    +++ p4db/userView.cgi Mon Apr 12 11:55:49 2004
    @@ -19,6 +19,8 @@
     unless(defined $user) {
         &P4CGI::bail("No user specified!") ;
     } ;
    +&P4CGI::bail("Invalid user.") unless ($user =~ /^\w+$/);
    +
     
     # List all users
     my @userData;

    ADDITIONAL INFORMATION

    The information has been provided by Jon McClintock (jammer@weak.org).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

