Bug 607256 (CVE-2009-4896) - CVE-2009-4896 mlmmj: Directory traversal flaw by editing and saving list entries via php-admin web interface
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2009-4896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 611549
Blocks:
Reported: 2010-06-23 16:14 UTC by Jan Lieskovsky
Modified: 2021-11-04 15:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:57:01 UTC
Embargoed:



Description Jan Lieskovsky 2010-06-23 16:14:49 UTC
Florian Streibelt reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=259968#c0

a directory traversal flaw in the way mlmmj (Mailing List Managing Made
Joyful), a mailing list manager, processed users' requests to edit and save
list entries, originating from the php-admin web interface. A remote,
authenticated attacker could use these flaws to alter the integrity of the system
(write and / or delete arbitrary files) by providing specially-crafted list
variable content to the edit or save request.

Vulnerable mlmmj versions:
  Issue originally reported against mlmmj-v1.2.16, but mlmmj-v1.2.17
  seems still to be affected.

CVE Request(s):
  [2] http://www.openwall.com/lists/oss-security/2010/06/23/5

Upstream bug report:
  [3] http://mlmmj.org/node/84

Comment 1 Jan Lieskovsky 2010-06-23 16:21:12 UTC
Relevant mlmmj files, Florian references in [1], are:

1, 'edit' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/edit.php:
    function mlmmj_list($name, $nicename, $text)
    {
        global $tpl, $topdir, $list;

        $file = "$topdir/$list/control/$name";
        $value = "";
    ..
    $tpl = new rFastTemplate($templatedir);

    $list = $HTTP_GET_VARS["list"];

    if(!isset($list))
    die("no list specified");

    if(!is_dir($topdir."/".$list))
    die("non-existent list");

2, 'save' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/save.php:

    function mlmmj_list($name, $nicename, $text)
    {
        global $tpl, $topdir, $list,$HTTP_POST_VARS;

        $file = $topdir."/".$list."/control/".$name;

        if(!empty($HTTP_POST_VARS[$name]))
        {
            if (!$fp = fopen($file, "w"))
                die("Couldn't open ".$file." for writing");

            fwrite($fp, $HTTP_POST_VARS[$name]);
            fclose($fp);
        }
        else
            @unlink($file);

    }

    // Perl's encode_entities (to be able to use tunables.pl)
    function encode_entities($str) { return htmlentities($str); }


    $tpl = new rFastTemplate($templatedir);

    $list = $HTTP_POST_VARS["list"];

    if(!isset($list))
    die("no list specified");

    if(!is_dir($topdir."/".$list))
    die("non-existent list");

Comment 2 Jan Lieskovsky 2010-06-23 16:22:17 UTC
This issue affects the versions of the mlmmj package, as shipped with
Fedora releases of 11, 12, and 13.

This issue affects the versions of the mlmmj package, as present within
EPEL-4 and EPEL-5 repositories.

Comment 3 Vincent Danen 2010-07-05 14:40:22 UTC
This has been assigned the name CVE-2009-4896:

http://www.openwall.com/lists/oss-security/2010/06/25/2

Comment 4 Vincent Danen 2010-07-05 14:41:07 UTC
Created mlmmj tracking bugs for this issue

Affects: fedora-all [bug 611549]

Comment 5 Thomas Goirand 2010-08-03 21:40:00 UTC
Hi,

I'm a Debian developer and I made a patch for this issue as follows. This has been approved by the upstream author. I believe that you could apply it in Red Hat as well, as the current maintainer said he wouldn't fix right away.

I hope this helps,

Thomas Goirand (zigo)


#!/bin/sh /usr/share/dpatch/dpatch-run
## 07_fix_CVE-2009-4896_php-admin_directory_traversal.patch by <zigo>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes directory traversal CVE-2009-4896 (Closes: #588038).

@DPATCH@
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:42:23.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:49:34.000000000 +0800
@@ -104,6 +104,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 
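Review bot: the added comparison in edit.php tests dirname(realpath(...)) against the raw $topdir string, so it only passes when $topdir is already configured in canonical form. A trailing slash or a symlinked component in $topdir makes every list fail the test, including valid ones. Compare against realpath($topdir) instead, and use !== so the comparison stays a strict string match.
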
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:42:28.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:49:09.000000000 +0800
@@ -79,6 +79,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
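
Review bot: in save.php the new test sits ahead of the is_dir() check, and realpath() returns false for a path that does not exist, so a request naming a missing list now stops at "Access not in topdir forbidden" and the "non-existent list" message is no longer reached for that case. If the distinction matters, test the realpath() result for false first. The condition is also a verbatim copy of the one added to edit.php; moving it into one shared function included by both scripts would keep the two entry points from drifting apart.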

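The containment test from the patch in comment 5, run beside a variant that also canonicalises $topdir, as an added example that is not part of this bug report or of mlmmj. The names patch_check and resolve_list_dir, the sandbox directory layout and the sample list values are all constructed for illustration.

```php
<?php
// Added example; not mlmmj code. Both function names are hypothetical.

// The comparison used in the patch, returned as a boolean instead of die().
function patch_check(string $topdir, string $list): bool
{
    return dirname((string) realpath($topdir . '/' . $list)) == $topdir;
}

// Variant: canonicalise $topdir as well and require a single path component.
function resolve_list_dir(string $topdir, string $list): ?string
{
    if ($list === '' || $list === '.' || $list === '..'
        || strpbrk($list, "/\\\0") !== false) {
        return null;                          // not a plain directory name
    }
    $base = realpath($topdir);
    $real = realpath($topdir . '/' . $list);  // false when the path is missing
    if ($base === false || $real === false || !is_dir($real)) {
        return null;
    }
    // realpath() resolves symlinks, so a link leading out of $base fails here.
    return dirname($real) === $base ? $real : null;
}

// Constructed sandbox: <tmp>/lists/announce plus a sibling outside the list root.
$root = realpath(sys_get_temp_dir()) . '/mlmmj-demo-' . getmypid();
mkdir("$root/lists/announce/control", 0700, true);
mkdir("$root/outside/control", 0700, true);

$samples = ['announce', '../outside', 'announce/..', 'announce/control', '', 'missing'];
foreach (["$root/lists", "$root/lists/"] as $topdir) {
    echo "topdir = $topdir\n";
    foreach ($samples as $list) {
        printf("  %-20s patch:%-6s variant:%s\n",
            var_export($list, true),
            patch_check($topdir, $list) ? 'allow' : 'deny',
            resolve_list_dir($topdir, $list) === null ? 'deny' : 'allow');
    }
}

// Remove the sandbox again, innermost directories first.
array_map('rmdir', ["$root/lists/announce/control", "$root/lists/announce",
    "$root/lists", "$root/outside/control", "$root/outside", $root]);
```

With the canonical $topdir both checks allow only 'announce'; with the trailing-slash $topdir the patch comparison denies 'announce' too, while the variant still allows it.
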
Comment 6 Product Security DevOps Team 2019-06-10 10:57:01 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

