Fix security issues described in Secunia Advisory SA35519. Bug 278864.
svn diff directly from upstream SVN.
Index: phpgwapi/doc/CHANGELOG
===================================================================
--- phpgwapi/doc/CHANGELOG (revision 19116)
+++ phpgwapi/doc/CHANGELOG (revision 19117)
@@ -1,3 +1,22 @@
+[0.9.16.014]
+ Security Release with bug fixes
+ * Remote File Disclosure in /addressbook/csv_import.php
+ * SQL injection in /login.php
+ * XSS in /login.php
+ * Local file inclusion and Remote file execution in
+ /addressbook/inc/class.uiXport.inc.php
+ All via Secunia - see SA35519
+
+ 0.9.14 -> 0.916 upgrade fixes
+
+ Addressbook usability fixes
+
+[0.9.16.013]
+ No release (stupid superstitious reasons)
+
+[0.9.16.012]
+ Upgrade phpsysinfo
+
[0.9.16.011]
Security Release with bug fixes
- Fix for Vulnerability in Calendar
Index: phpgwapi/inc/class.auth_sql.inc.php
===================================================================
--- phpgwapi/inc/class.auth_sql.inc.php (revision 19116)
+++ phpgwapi/inc/class.auth_sql.inc.php (revision 19117)
@@ -40,11 +40,15 @@
if ($passwd_type == 'md5')
{
+ if(!preg_match('/^[0-9a-f]*$/', $passwd))
+ {
+ return False;
+ }
$_passwd = $passwd;
}
$db->query("SELECT * FROM phpgw_accounts WHERE account_lid = '$username' AND "
- . "account_pwd='" . $_passwd . "' AND account_status ='A'",__LINE__,__FILE__);
+ . "account_pwd='$_passwd' AND account_status ='A'",__LINE__,__FILE__);
$db->next_record();
if ($db->f('account_lid'))
Index: login.php
===================================================================
--- login.php (revision 19116)
+++ login.php (revision 19117)
@@ -329,7 +329,7 @@
{
if (ereg('phpgw_',$name))
{
- $extra_vars .= '&' . $name . '=' . urlencode($value);
+ $extra_vars .= '&' . urlencode($name) . '=' . urlencode($value);
}
}
Index: addressbook/inc/class.uiXport.inc.php
===================================================================
--- addressbook/inc/class.uiXport.inc.php (revision 19116)
+++ addressbook/inc/class.uiXport.inc.php (revision 19117)
@@ -73,7 +73,8 @@
function import()
{
- if ($_REQUEST['convert']) //&& ($_FILES['tsvfile']['error'] == UPLOAD_ERR_OK))
+ $conv_type_a = $GLOBALS['phpgw']->session->appsession('conv_type_values_i', 'addressbook');
+ if ($_REQUEST['convert'] && is_array($conv_type_a) && in_array($_REQUEST['conv_type'], $conv_type_a)) //&& ($_FILES['tsvfile']['error'] == UPLOAD_ERR_OK))
{
$buffer = $this->bo->import($_FILES['tsvfile']['tmp_name'],$_REQUEST['conv_type'],$_REQUEST['private'],$_REQUEST['fcat_id']);
@@ -130,7 +131,7 @@
$fname = ereg_replace('_',' ',$myfilearray[$i]);
$conv .= '';
}
-
+ $GLOBALS['phpgw']->session->appsession('conv_type_values_i', 'addressbook', $myfilearray);
$this->template->set_var('lang_cancel',lang('Cancel'));
$this->template->set_var('lang_cat',lang('Select Category'));
$this->template->set_var('cancel_url',$GLOBALS['phpgw']->link('/index.php','menuaction=addressbook.uiaddressbook.index'));
@@ -173,7 +174,8 @@
//$entries = $this->bo->$get_data_function($fields, $this->limit, $this->start, $this->order, $this->sort, '', $criteria);
- if ($_REQUEST['convert'])
+ $conv_type_a = $GLOBALS['phpgw']->session->appsession('conv_type_values_e', 'addressbook');
+ if ($_REQUEST['convert'] && is_array($conv_type_a) && in_array($_REQUEST['conv_type'], $conv_type_a))
{
if ($_REQUEST['conv_type'] == 'none')
{
@@ -248,6 +250,7 @@
$conv .= ' '."\n";
}
+ $GLOBALS['phpgw']->session->appsession('conv_type_values_e', 'addressbook', $myfilearray);
$this->template->set_var('lang_cancel',lang('Cancel'));
$this->template->set_var('lang_cat',lang('Select Category'));
$this->template->set_var('cat_link',$this->cat_option($this->cat_id,False,False));
Index: addressbook/csv_import.php
===================================================================
--- addressbook/csv_import.php (revision 19116)
+++ addressbook/csv_import.php (revision 19117)
@@ -31,12 +31,20 @@
$GLOBALS['phpgw']->template->set_block('import','ffooter','ffooterhandle');
$GLOBALS['phpgw']->template->set_block('import','imported','importedhandle');
- $csvfile = isset($_POST['csvfile']) ? $_POST['csvfile'] : $_FILES['csvfile']['tmp_name'];
+ $csvfile = $_FILES['csvfile']['tmp_name'];
if($_POST['action'] == 'download' && (!$_POST['fieldsep'] || !$csvfile || !($fp=fopen($csvfile,'rb'))))
{
$_POST['action'] = '';
}
+ if($_POST['action'] == 'import')
+ {
+ $csvfile = $GLOBALS['phpgw']->session->appsession('import_data', 'addressbook');
+ if(!file_exists($csvfile))
+ {
+ $_POST['action'] = '';
+ }
+ }
$GLOBALS['phpgw']->template->set_var('action_url',$GLOBALS['phpgw']->link('/addressbook/csv_import.php'));
$PSep = '||'; // Pattern-Separator, separats the pattern-replacement-pairs in trans
@@ -175,9 +183,10 @@
$GLOBALS['phpgw']->template->set_var('max',200);
$GLOBALS['phpgw']->template->parse('ffooterhandle','ffooter');
fclose($fp);
- $old = $csvfile; $csvfile = $GLOBALS['phpgw_info']['server']['temp_dir'].'/addrbook_import_'.basename($csvfile);
- rename($old,$csvfile);
- $hiddenvars .= '';
+ $old = $csvfile; $csvfile = $GLOBALS['phpgw_info']['server']['temp_dir'].'/addrbook_import_'.$GLOBALS['phpgw_info']['user']['account_id'].'_'.basename($csvfile);
+ rename($old,$csvfile);
+ $GLOBALS['phpgw']->session->appsession('import_data', 'addressbook', $csvfile);
+ //$hiddenvars .= '';
$mktime_lotus = "${PSep}0?([0-9]+)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*)[ .:-]+0?([0-9]*).*$ASep@mktime(${VPre}4,${VPre}5,${VPre}6,${VPre}2,${VPre}3,${VPre}1)";
$help_on_trans = "How to use Translation's".
"Translations enable you to change / adapt the content of each CSV field for your needs.
".