Description of problem:
The Diatheke CGI allows arbitrary command execution in the context of
the webserver, e.g. www-data, by simply abusing the range parameter.
For example, &range=`yes` will consume tons of resources on the affected
webserver. Escalation of privileges and command shells are left as an
exercise to the reader.
From Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466449
Gentoo, patch: http://bugs.gentoo.org/show_bug.cgi?id=210754
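One way a CGI wrapper can hand the range field to an external program without any shell interpretation, as an added example (this is not the diatheke.pl source and not the Debian or Gentoo patch). It assumes the script forwards range to the diatheke command-line tool's -r option; `valid_range`, `build_argv` and `run_no_shell` are hypothetical names, and `echo` stands in for diatheke so the demo runs without SWORD installed.

```perl
#!/usr/bin/perl
# Added example; this is not the code of diatheke.pl.
# Assumption: the CGI hands the "range" form field to the diatheke
# command-line tool through its -r (search range) option.
use strict;
use warnings;

# Allow-list for a scripture range such as "Matt 5:1-7:29; Luke 6".
# \A and \z anchor the whole string, so a trailing newline is rejected too.
sub valid_range {
    my ($range) = @_;
    return 0 unless defined($range) && length($range) && length($range) <= 200;
    return $range =~ /\A[A-Za-z0-9 :;,.\-]+\z/ ? 1 : 0;
}

# Build the argument vector. Each user value stays a single argv element.
# The module-name pattern is an assumption made for this example.
sub build_argv {
    my (%p) = @_;
    die "invalid module\n" unless ($p{module} // '') =~ /\A[A-Za-z0-9_]+\z/;
    die "invalid range\n"  unless valid_range($p{range});
    return ('diatheke', '-b', $p{module}, '-s', 'phrase',
            '-r', $p{range}, '-k', $p{key} // '');
}

# List-form pipe open execs the program directly; no shell parses the
# arguments, so backticks and ';' reach the program as literal text.
sub run_no_shell {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample values for the range field.
for my $r ('Matt 5:1-7:29; Luke 6', '`yes`', "John 3:16\n") {
    (my $shown = $r) =~ s/\n/\\n/g;
    printf "%-24s %s\n", $shown, valid_range($r) ? 'accepted' : 'rejected';
}

print join(' | ', build_argv(module => 'KJV', range => 'Matt 5-7', key => 'blessed')), "\n";

# Stand-in for diatheke so the demo runs anywhere: echo receives the
# backticks as data and prints them back unchanged.
print run_no_shell('echo', '`yes`');
```

The allow-list deliberately permits `;` because it separates references in a range; that is only safe because the list-form `open` never involves a shell.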
sword-1.5.10-2.fc7 has been submitted as an update for Fedora 7
sword-1.5.10-2.fc8 has been submitted as an update for Fedora 8
sword-1.5.10-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
sword-1.5.10-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Do Fedora sword packages really need this patch? I fail to see diatheke.pl in
any of the sword non-source RPMs...
Fedora packages were updated; however, we do not seem to ship the affected script.
Closing as notabug.