Bug 607256 - (CVE-2009-4896) CVE-2009-4896 mlmmj: Directory traversal flaw by editing and saving list entries via php-admin web interface
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20090223,reported=20100622,sou...
Keywords: Security
Depends On: 611549
Reported: 2010-06-23 12:14 EDT by Jan Lieskovsky
Modified: 2010-08-03 17:40 EDT
Description Jan Lieskovsky 2010-06-23 12:14:49 EDT
Florian Streibelt reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=259968#c0

a directory traversal flaw in the way mlmmj (Mailing List Managing Made
Joyful), a mailing list manager, processed user requests to edit and save
list entries originating from the php-admin web interface. A remote,
authenticated attacker could use this flaw to alter the integrity of the system
(write and/or delete arbitrary files) by providing specially-crafted list
variable content in the edit or save request.

Vulnerable mlmmj versions:
  Issue originally reported against mlmmj-v1.2.16, but mlmmj-v1.2.17
  seems still to be affected.

CVE Request(s):
  [2] http://www.openwall.com/lists/oss-security/2010/06/23/5

Upstream bug report:
  [3] http://mlmmj.org/node/84
Comment 1 Jan Lieskovsky 2010-06-23 12:21:12 EDT
The relevant mlmmj files Florian references in [1] are:

1, 'edit' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/edit.php:
     71 function mlmmj_list($name, $nicename, $text)
     72 {
     73     global $tpl, $topdir, $list;
     74 
     75     $file = "$topdir/$list/control/$name";
     76     $value = "";
     ..
     100 $tpl = new rFastTemplate($templatedir);
     101 
     102 $list = $HTTP_GET_VARS["list"];
     103 
     104 if(!isset($list))
     105 die("no list specified");
     106 
     107 if(!is_dir($topdir."/".$list))
     108 die("non-existent list");

2, 'save' case:

BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/save.php:

     52 function mlmmj_list($name, $nicename, $text)
     53 {
     54     global $tpl, $topdir, $list,$HTTP_POST_VARS;
     55 
     56     $file = $topdir."/".$list."/control/".$name;
     57 
     58     if(!empty($HTTP_POST_VARS[$name]))
     59     {
     60         if (!$fp = fopen($file, "w"))
     61             die("Couldn't open ".$file." for writing");
     62 
     63         fwrite($fp, $HTTP_POST_VARS[$name]);
     64         fclose($fp);
     65     }
     66     else
     67         @unlink($file);
     68 
     69 }
     70 
     71 // Perl's encode_entities (to be able to use tunables.pl)
     72 function encode_entities($str) { return htmlentities($str); }
     73 
     74 
     75 $tpl = new rFastTemplate($templatedir);
     76 
     77 $list = $HTTP_POST_VARS["list"];
     78 
     79 if(!isset($list))
     80 die("no list specified");
     81 
     82 if(!is_dir($topdir."/".$list))
     83 die("non-existent list");
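As an added example (not mlmmj's code and not the Debian patch), the list-name check the two scripts above lack, written for current PHP: it canonicalises $topdir as well as the requested list, refuses path separators before touching the filesystem, and handles the realpath() false case. The function name resolve_list_dir and the temporary sandbox layout are assumptions.

```php
<?php
// Added example, not from the mlmmj project: validate the "list" request
// parameter so that "$topdir/$list" can only name a directory directly
// under $topdir. Function and variable names are assumptions.

function resolve_list_dir(string $topdir, string $list): ?string
{
    // mlmmj list names are single path components: reject empty names,
    // "." and "..", and anything containing a separator or NUL byte
    // before any filesystem access happens.
    if ($list === '' || $list === '.' || $list === '..'
        || strpbrk($list, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($topdir);            // canonical topdir (symlinks, trailing "/")
    $dir  = realpath($topdir . '/' . $list);
    // realpath() returns false for a path that does not exist.
    if ($base === false || $dir === false) {
        return null;
    }
    // The resolved list directory must sit immediately below topdir.
    if (dirname($dir) !== $base || !is_dir($dir)) {
        return null;
    }
    return $dir;
}

// Constructed sandbox: a temporary topdir holding one list named "mylist".
$topdir = sys_get_temp_dir() . '/mlmmj-demo-' . getmypid();
mkdir("$topdir/mylist/control", 0700, true);

$cases = [
    'mylist',            // legitimate list: accepted
    'mylist/',           // contains a separator: rejected up front
    '../../etc',         // classic traversal: rejected
    'mylist/../mylist',  // would normalise to the list, still rejected
    'nosuchlist',        // non-existent list: realpath() is false, rejected
];
foreach ($cases as $list) {
    $dir = resolve_list_dir($topdir, $list);
    printf("%-20s => %s\n", var_export($list, true), $dir === null ? 'rejected' : 'ok');
}

// Remove the sandbox again.
rmdir("$topdir/mylist/control");
rmdir("$topdir/mylist");
rmdir($topdir);
```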
Comment 2 Jan Lieskovsky 2010-06-23 12:22:17 EDT
This issue affects the versions of the mlmmj package as shipped with
Fedora releases 11, 12, and 13.

This issue affects the versions of the mlmmj package present within the
EPEL-4 and EPEL-5 repositories.
Comment 3 Vincent Danen 2010-07-05 10:40:22 EDT
This has been assigned the name CVE-2009-4896:

http://www.openwall.com/lists/oss-security/2010/06/25/2
Comment 4 Vincent Danen 2010-07-05 10:41:07 EDT
Created mlmmj tracking bugs for this issue

Affects: fedora-all [bug 611549]
Comment 5 Thomas Goirand 2010-08-03 17:40:00 EDT
Hi,

I'm a Debian developer and I made a patch for this issue as follows. This has been approved by the upstream author. I believe that you could apply it in Red Hat as well, as the current maintainer said he wouldn't fix right away.

I hope this helps,

Thomas Goirand (zigo)
#!/bin/sh /usr/share/dpatch/dpatch-run
## 07_fix_CVE-2009-4896_php-admin_directory_traversal.patch by <zigo@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes directory traversal CVE-2009-4896 (Closes: #588038).

@DPATCH@
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:42:23.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/edit.php	2010-07-18 21:49:34.000000000 +0800
@@ -104,6 +104,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 
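Review bot: the added check compares dirname(realpath($topdir."/".$list)) against the raw $topdir, so it only accepts a list when $topdir is already in canonical form; a trailing slash, a relative path, or a symlinked $topdir makes every legitimate list fail with "Access not in topdir forbidden". Compare against the canonicalised base instead, e.g. `if (dirname(realpath($topdir."/".$list)) != realpath($topdir))`. The traversal case itself is covered: realpath() resolves ".." and symlinks, so a $list that escapes $topdir resolves to a different parent and is refused.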
--- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:42:28.000000000 +0800
+++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/save.php	2010-07-18 21:49:09.000000000 +0800
@@ -79,6 +79,9 @@
 if(!isset($list))
 die("no list specified");
 
+if ( dirname( realpath($topdir."/".$list) ) != $topdir)
+die("Access not in topdir forbidden");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
