Bug 607256 (CVE-2009-4896)

Summary: CVE-2009-4896 mlmmj: Directory traversal flaw by editing and saving list entries via php-admin web interface
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: mfleming+rpm, thomas, vdanen
Last Closed: 2019-06-10 10:57:01 UTC
Bug Depends On: 611549

Description Jan Lieskovsky 2010-06-23 16:14:49 UTC
Florian Streibelt reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=259968#c0

a directory traversal flaw in the way mlmmj (Mailing List Managing Made
Joyful), a mailing list manager, processed user requests to edit and save
list entries originating from the php-admin web interface. A remote,
authenticated attacker could use this flaw to alter the integrity of the system
(write and / or delete arbitrary files) by providing specially-crafted list
variable content in the edit or save request.

Vulnerable mlmmj versions:
  The issue was originally reported against mlmmj-v1.2.16, but mlmmj-v1.2.17
  still seems to be affected.

CVE Request(s):
  [2] http://www.openwall.com/lists/oss-security/2010/06/23/5

Upstream bug report:
  [3] http://mlmmj.org/node/84

Comment 1 Jan Lieskovsky 2010-06-23 16:21:12 UTC
The relevant mlmmj files Florian references in [1] are:

1, 'edit' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/edit.php:
     71 function mlmmj_list($name, $nicename, $text)
     72 {
     73     global $tpl, $topdir, $list;
     74 
     75     $file = "$topdir/$list/control/$name";
     76     $value = "";
     ..
     100 $tpl = new rFastTemplate($templatedir);
     101 
     102 $list = $HTTP_GET_VARS["list"];
     103 
     104 if(!isset($list))
     105 die("no list specified");
     106 
     107 if(!is_dir($topdir."/".$list))
     108 die("non-existent list");

2, 'save' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/save.php:

     52 function mlmmj_list($name, $nicename, $text)
     53 {
     54     global $tpl, $topdir, $list,$HTTP_POST_VARS;
     55 
     56     $file = $topdir."/".$list."/control/".$name;
     57 
     58     if(!empty($HTTP_POST_VARS[$name]))
     59     {
     60         if (!$fp = fopen($file, "w"))
     61             die("Couldn't open ".$file." for writing");
     62 
     63         fwrite($fp, $HTTP_POST_VARS[$name]);
     64         fclose($fp);
     65     }
     66     else
     67         @unlink($file);
     68 
     69 }
     70 
     71 // Perl's encode_entities (to be able to use tunables.pl)
     72 function encode_entities($str) { return htmlentities($str); }
     73 
     74 
     75 $tpl = new rFastTemplate($templatedir);
     76 
     77 $list = $HTTP_POST_VARS["list"];
     78 
     79 if(!isset($list))
     80 die("no list specified");
     81 
     82 if(!is_dir($topdir."/".$list))
     83 die("non-existent list");

Comment 2 Jan Lieskovsky 2010-06-23 16:22:17 UTC
This issue affects the versions of the mlmmj package, as shipped with
Fedora releases of 11, 12, and 13.

This issue affects the versions of the mlmmj package, as present within
EPEL-4 and EPEL-5 repositories.

Comment 3 Vincent Danen 2010-07-05 14:40:22 UTC
This has been assigned the name CVE-2009-4896:

http://www.openwall.com/lists/oss-security/2010/06/25/2

Comment 4 Vincent Danen 2010-07-05 14:41:07 UTC
Created mlmmj tracking bugs for this issue

Affects: fedora-all [bug 611549]

Comment 5 Thomas Goirand 2010-08-03 21:40:00 UTC
Hi,

I'm a Debian developer and I made a patch for this issue as follows. This has been approved by the upstream author. I believe that you could apply it in Red Hat as well, as the current maintainer said he wouldn't fix it right away.

I hope this helps,

Thomas Goirand (zigo)


#!/bin/sh /usr/share/dpatch/dpatch-run
## 07_fix_CVE-2009-4896_php-admin_directory_traversal.patch by <zigo>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes directory traversal CVE-2009-4896 (Closes: #588038).

@DPATCH@
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:42:23.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:49:34.000000000 +0800
@@ -104,6 +104,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 
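Review bot: the new guard compares dirname(realpath($topdir."/".$list)) against the raw $topdir, so it is only correct when $topdir is already canonical; a trailing slash, a relative path or a symlink anywhere in $topdir makes every list fail with "Access not in topdir forbidden", because realpath() normalises the left-hand side and dirname() never returns a trailing slash. Canonicalise both sides and use strict comparison, e.g. `if (dirname(realpath($topdir."/".$list)) !== realpath($topdir))`. Also, realpath() returns false for a path that does not exist, so the left-hand side can never equal $topdir in that case; since the new check runs before the existing is_dir() test, a typo in the list name is now reported as an access violation instead of "non-existent list", which moving the new check after is_dir() would avoid. Finally, because realpath() follows symlinks, a list directory that is a symlink to somewhere outside $topdir is now rejected as well; that is the right default, but it deserves a line in the changelog.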
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:42:28.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:49:09.000000000 +0800
@@ -79,6 +79,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
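Review bot: this is the same guard duplicated verbatim from edit.php, with the same raw-$topdir comparison; put it in one shared helper (both files already carry a parallel mlmmj_list() function) so that a correction does not have to be made twice. Two points specific to save.php: the check still runs before is_dir(), so a nonexistent list now dies with "Access not in topdir forbidden" instead of "non-existent list"; and the hunk constrains only $list, while the file that is written or unlinked is $topdir."/".$list."/control/".$name (save.php line 56 in comment 1), so the review should confirm that $name can only take values from the fixed tunables list and never from the request itself.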

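Putting comment 1's lookup and the patch above side by side, as an added example that is neither mlmmj's code nor the Debian patch: a PHP script that reproduces the original is_dir()-only guard (and save.php's write into $list/control/$name) next to a hardened lookup, and runs both against a scratch directory tree it builds itself. The function names, the fixture paths under the system temp directory and the probe values are all constructed for this demonstration; the allowlist regex for list names is an assumed policy, not anything upstream specifies.

```php
<?php
// Added example, not mlmmj code.  It reproduces the list-directory lookup
// from edit.php / save.php (the only guard is is_dir($topdir/$list)) beside a
// hardened lookup, and exercises both against a scratch tree built under the
// system temp directory.  All paths, list names and request values below are
// constructed for the demonstration.

// Mirrors the original: "../" segments pass as long as they land on an
// existing directory.
function vulnerable_list_dir(string $topdir, string $list): ?string
{
    $dir = $topdir . "/" . $list;
    return is_dir($dir) ? $dir : null;
}

// Mirrors save.php's mlmmj_list(): write the posted value to
// $topdir/$list/control/$name, or unlink it when the value is empty.
// Returns the path it touched.
function vulnerable_save(string $topdir, string $list, string $name, string $value): ?string
{
    $dir = vulnerable_list_dir($topdir, $list);
    if ($dir === null) {
        return null;
    }
    $file = $dir . "/control/" . $name;
    if ($value !== "") {
        file_put_contents($file, $value);
    } else {
        @unlink($file);
    }
    return $file;
}

// Hardened lookup (assumed policy, not upstream's): the list name must be a
// single plain path component, and after realpath() the directory must be a
// direct child of the canonical topdir.  The second check is what catches a
// list directory that is itself a symlink pointing elsewhere.
function safe_list_dir(string $topdir, string $list): ?string
{
    $top = realpath($topdir);
    if ($top === false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $list)) {
        return null;   // rejects "", ".", "..", "/", "\\" and NUL outright
    }
    $dir = realpath($top . "/" . $list);   // false if the list does not exist
    if ($dir === false || !is_dir($dir) || dirname($dir) !== $top) {
        return null;
    }
    return $dir;
}

function build_fixture(): array
{
    $base = sys_get_temp_dir() . "/mlmmj-demo-" . getmypid();
    $top  = $base . "/lists";
    mkdir($top . "/mylist/control", 0700, true);   // a legitimate list
    mkdir($base . "/outside/control", 0700, true); // a directory outside topdir
    return [$base, $top];
}

function remove_fixture(string $base): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST);
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    rmdir($base);
}

[$base, $top] = build_fixture();

foreach (["mylist", "../outside", "../nonexistent", "."] as $list) {
    printf("%-16s original: %-45s hardened: %s\n", var_export($list, true),
        vulnerable_list_dir($top, $list) ?? "(rejected)",
        safe_list_dir($top, $list) ?? "(rejected)");
}

// With the original logic a POST of list=../outside&footer=... writes the
// "control/footer" file into a directory that is not a list at all.
$written = vulnerable_save($top, "../outside", "footer", "owned\n");
printf("\noriginal save.php logic wrote: %s (exists: %s)\n",
    $written, var_export(file_exists($base . "/outside/control/footer"), true));

remove_fixture($base);
```

Run it with the php command-line binary; it needs no mlmmj installation. The original lookup accepts "../outside" and "." because is_dir() is satisfied by any existing directory, and save.php's logic then creates control/footer outside the list tree; the hardened lookup rejects both. Because it canonicalises $topdir as well as the list path, it also keeps working when $topdir is configured with a trailing slash or through a symlink, which the comparison against the raw $topdir in the patch above does not.
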
Comment 6 Product Security DevOps Team 2019-06-10 10:57:01 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.