Bug 951562 - (CVE-2013-1939) CVE-2013-1939 php-sabredav-Sabre_DAV: Local file exposure due to improper icons / images path checking in the HTML Browser plug-in
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
: Security
Depends On: 951568 951569
Reported: 2013-04-12 09:38 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:03 EDT (History)

See Also:
Fixed In Version: SabreDAV 1.6.9, SabreDAV 1.7.7, SabreDav 1.8.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-28 14:57:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Jan Lieskovsky 2013-04-12 09:38:02 EDT
A local file exposure flaw was found in the way the HTML browser plug-in of SabreDAV, a WebDAV framework for the PHP language, processed certain file system paths for icon and image files on certain platforms. A remote attacker could provide a specially-crafted icon / image file location that, when processed by an application using the SabreDAV framework, would allow them to (remotely) obtain an arbitrary system file accessible with the privileges of that SabreDAV application.

[1] https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ
[2] http://www.openwall.com/lists/oss-security/2013/04/11/3

Relevant upstream patch (seems to be the following):
[3] https://github.com/evert/SabreDAV/commit/5f6d71b2c4e2d3c6fc32c20afe7331e38877c489
Comment 1 Jan Lieskovsky 2013-04-12 09:40:05 EDT
This issue affects the versions of the php-sabredav-Sabre_DAV package, as shipped with Fedora releases 17 and 18. Please schedule an update.

This issue affects the version of the php-sabredav-Sabre_DAV package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-04-12 09:41:08 EDT
Created php-sabredav-Sabre_DAV tracking bugs for this issue

Affects: fedora-all [bug 951568]
Affects: epel-6 [bug 951569]
Comment 3 Jan Lieskovsky 2013-04-12 09:58:07 EDT
Suggested workaround (from [1]):
As a workaround, you set up the plugin as follows:

// 1.8: the second constructor argument turns off serving of the
// plug-in's own icon / image assets, which is the affected code path
$plugin = new Sabre\DAV\Browser\Plugin(true, false);

// 1.6, 1.7: same switch, pre-namespace class name
$plugin = new Sabre_DAV_Browser_Plugin(true, false);

This disables the feature completely.
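The description above attributes the flaw to improper checking of the icon / image path, and the workaround simply switches asset serving off. For readers who maintain their own static-asset handler, the following is an added example (not SabreDAV code and not the upstream patch) of the containment check such a handler needs: the asset directory is canonicalised first, the requested name is restricted to a plain file name, and the resolved path must lie strictly inside the canonical directory. The function name, the temporary directory layout and the sample file contents are constructed for the demonstration.

```php
<?php
// Added example, not SabreDAV project code. Hypothetical helper name:
// resolveBrowserAsset(). It returns the safe absolute path of a requested
// asset, or null when the request must be refused.
declare(strict_types=1);

/**
 * @param string $assetDir  absolute directory holding the plug-in's icons/images
 * @param string $assetName untrusted asset name taken from the request
 */
function resolveBrowserAsset(string $assetDir, string $assetName): ?string
{
    // 1. Canonicalise the allowed directory. realpath() returns false when
    //    the directory does not exist; then there is nothing to serve.
    $baseReal = realpath($assetDir);
    if ($baseReal === false) {
        return null;
    }

    // 2. Only plain file names are acceptable: no directory separators of
    //    either platform flavour, no NUL byte, no "." / ".." segments. This
    //    rejects traversal before the file system is consulted at all.
    if ($assetName === '' || $assetName === '.' || $assetName === '..'
        || strpbrk($assetName, "/\\\0") !== false) {
        return null;
    }

    // 3. Resolve the candidate and require it to be strictly inside the
    //    canonical base. The comparison includes a trailing separator so a
    //    sibling such as "/srv/assets-private/x" is not mistaken for a child
    //    of "/srv/assets". realpath() also follows symlinks, so a link inside
    //    the asset directory that points outside it is rejected here too.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $assetName);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // 4. Serve regular files only, never directories or special files.
    return is_file($candidate) ? $candidate : null;
}

// Constructed temporary layout: one legitimate asset and one file that
// must never be reachable through the asset handler.
$tmp = sys_get_temp_dir() . '/asset-demo-' . bin2hex(random_bytes(4));
mkdir("$tmp/assets", 0700, true);
file_put_contents("$tmp/assets/favicon.ico", 'icon-bytes');
file_put_contents("$tmp/secret.txt", 'not for the browser plug-in');

$cases = [
    'favicon.ico',     // legitimate asset: resolves
    '../secret.txt',   // traversal: rejected by the separator check
    '..\\secret.txt',  // Windows-style traversal: rejected the same way
    '..',              // dot segment: rejected
    'missing.png',     // non-existent: rejected
];
foreach ($cases as $name) {
    $res = resolveBrowserAsset("$tmp/assets", $name);
    printf("%-16s => %s\n", $name, $res === null ? 'REJECTED' : 'serve ' . basename($res));
}

// Remove the constructed layout again.
unlink("$tmp/assets/favicon.ico");
unlink("$tmp/secret.txt");
rmdir("$tmp/assets");
rmdir($tmp);
```

Run it with `php resolve-asset.php`; only `favicon.ico` resolves, every other case is refused. The step-2 name check is what makes the handler platform-independent: it refuses both separator characters regardless of the operating system's own conventions, and the step-3 prefix comparison then catches anything the name check could not anticipate, such as symlinks.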
Comment 4 Fedora Update System 2013-05-24 15:09:46 EDT
php-sabredav-Sabre_DAV-1.6.5-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Joseph Marrero 2013-08-28 14:57:16 EDT
Fixed by back-porting the upstream fix. Has been fixed since 05/24/2013.
