Bug 951562 (CVE-2013-1939) - CVE-2013-1939 php-sabredav-Sabre_DAV: Local file exposure due to improper icon / image path checking in the HTML Browser plug-in
Alias: CVE-2013-1939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 951568 951569
Reported: 2013-04-12 13:38 UTC by Jan Lieskovsky
Modified: 2019-09-29 13:02 UTC

Fixed In Version: SabreDAV 1.6.9, SabreDAV 1.7.7, SabreDav 1.8.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-08-28 18:57:16 UTC


Description Jan Lieskovsky 2013-04-12 13:38:02 UTC
A local file exposure flaw was found in the way the HTML browser plug-in of SabreDAV, a WebDAV framework for the PHP language, processed certain file system paths for icon and image files on certain platforms. A remote attacker could provide a specially-crafted icon / image file location that, when processed by an application using the SabreDAV framework, would allow them to (remotely) obtain arbitrary system files accessible with the privileges of that SabreDAV application.

[1] https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ
[2] http://www.openwall.com/lists/oss-security/2013/04/11/3

Relevant upstream patch (seems to be the following):
[3] https://github.com/evert/SabreDAV/commit/5f6d71b2c4e2d3c6fc32c20afe7331e38877c489

Comment 1 Jan Lieskovsky 2013-04-12 13:40:05 UTC
This issue affects the versions of the php-sabredav-Sabre_DAV package, as shipped with Fedora releases 17 and 18. Please schedule an update.

This issue affects the version of the php-sabredav-Sabre_DAV package, as shipped with Fedora EPEL-6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-04-12 13:41:08 UTC
Created php-sabredav-Sabre_DAV tracking bugs for this issue

Affects: fedora-all [bug 951568]
Affects: epel-6 [bug 951569]

Comment 3 Jan Lieskovsky 2013-04-12 13:58:07 UTC
Suggested workaround (from [1]):
As a workaround, you set up the plugin as follows:

// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);

// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);

To disable this feature completely.
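
The flaw in the description and the workaround above both concern how a browser plug-in maps a requested icon name onto a file on disk. The following is an added example, not SabreDAV's code and not the upstream patch: a standalone PHP function that only ever serves a bare file name from one fixed icon directory, restricts the extension to image types, and uses realpath() so that symlinks cannot move the resolved file outside that directory. The function name, the directory layout and the test names are assumptions made for this illustration.

```php
<?php
// Added example (not SabreDAV's code): resolve a requested icon name strictly
// inside a fixed directory and refuse anything that escapes it or is not a
// known image type. Function and variable names are hypothetical.

function resolveIconPath(string $iconDir, string $requested): ?string
{
    // Only a bare file name is acceptable: no directory separators,
    // no parent references, no absolute paths.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }

    // Restrict to the image types a browser plug-in would ever serve.
    $allowedExt = ['png', 'gif', 'jpg', 'jpeg', 'ico'];
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // realpath() returns false for missing files and collapses symlinks,
    // so the containment check below sees the physical location.
    $base = realpath($iconDir);
    $full = realpath($iconDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the icon directory (e.g. via a symlink)
    }
    if (!is_file($full)) {
        return null;
    }
    return $full;
}

// Constructed demo: a temporary icon directory holding one real icon.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'icons-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'folder.png', "\x89PNG"); // header bytes only

$cases = ['folder.png', 'missing.png', 'folder.txt', '../folder.png', 'sub/folder.png'];
foreach ($cases as $c) {
    $r = resolveIconPath($dir, $c);
    printf("%-16s -> %s\n", $c, $r === null ? 'rejected' : 'served ' . basename($r));
}

unlink($dir . DIRECTORY_SEPARATOR . 'folder.png');
rmdir($dir);
```

Of the five constructed requests only folder.png is served; the other four are rejected before any file is opened. The basename() comparison is the cheap first gate, and the realpath() prefix check is the one that matters on a real deployment, since it judges the file by where it physically lives rather than by how the name was spelled.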

Comment 4 Fedora Update System 2013-05-24 19:09:46 UTC
php-sabredav-Sabre_DAV-1.6.5-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Joseph Marrero 2013-08-28 18:57:16 UTC
Fixed by backporting the upstream fix. Has been fixed since 05/24/2013.
