[Pkg-mediawiki-devel] Bug#685324: Local File Inclusion Vulnerability in contrib script

Jan Dittberner jandd at debian.org
Sat Aug 25 12:32:06 UTC 2012


On Tue, Aug 21, 2012 at 11:41:43PM +0100, Steven Chamberlain wrote:
> Bug affects an example script in the documentation only.
> 
> Untrusted paths are used by file() and opendir().  A patch committed
> upstream tries to sanitise the inputs. [1]
> 
> But these and other user-supplied data are still echoed out unescaped,
> so I think would allow XSS if someone used the script on a public-facing
> webserver.  The code looks like it might have all sorts of other issues.
> 
> It seems obsoleted by cssgen2.php, which does not need to accept user
> input at all.  That is distributed already in php-geshi 1.0.8.4-1.
> 
> So I suggest removing the cssgen.php file altogether.  Thank you.

Thanks for this suggestion. I will prepare an upload that removes this file
from the examples directory and will ask the release team for a freeze
exception.

On Thu, Aug 23, 2012 at 11:23:10AM +0200, Thorsten Glaser wrote:
> On Tue, 21 Aug 2012, Benny Baumann wrote:
> 
> > Given exactly the
> > 2-3 years this package will be in stable/oldstable is the reason why
> > there should be an update to something reasonably recent before the
> > package is put into a distribution.
> 
> Sorry, it’s now too late for that. In May, something could have
> been done, but not now. No new upstream versions, any more.
> 
> (That being said, updating it in sid now would be reasonable,
> and wheezy users could just pull that package from sid.)

If the change suggested above by Steven is accepted by the release team,
I will upload a new upstream version to unstable after the fixed version
has migrated to testing.


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://www.dittberner.info/
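The two defects Steven describes in the report, an untrusted path reaching file()/opendir() and the same user input echoed back unescaped, shown as an added, constructed PHP illustration next to a hardened version. This is not the cssgen.php code from php-geshi and is not part of the thread; the `lang` parameter name, the `.php` extension and the temporary-directory self-check are assumptions made for the example.

```php
<?php
// Added example, not php-geshi's cssgen.php. Demonstrates the pattern from the
// bug report (user-controlled path into file(); user input echoed unescaped)
// and one way to harden it. The 'lang' parameter name is an assumption.

function vulnerable(array $get, string $base): string
{
    // Untrusted path: lang=../../../../etc/passwd walks out of $base.
    // The same applies to handing such a value to opendir().
    $path  = $base . '/' . ($get['lang'] ?? '');
    $lines = @file($path) ?: [];           // @ only to keep the demo output quiet
    $html  = '<pre>' . implode('', $lines) . '</pre>';

    // Reflected XSS: the raw request value is written straight into the page.
    $html .= '<p>Showing ' . ($get['lang'] ?? '') . '</p>';
    return $html;
}

function hardened(array $get, string $base): string
{
    $base = realpath($base);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }

    // 1. Accept only a plain file name: letters, digits, '_' and '-', plus the
    //    expected extension. Slashes, '..' and NUL bytes never get this far.
    $lang = $get['lang'] ?? '';
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $lang)) {
        return '<p>Invalid language name.</p>';
    }

    // 2. Resolve the path and confirm it is still under $base. realpath()
    //    returns false for a missing file, which is treated as "not found".
    $path = realpath($base . DIRECTORY_SEPARATOR . $lang);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return '<p>No such language.</p>';
    }

    // 3. Escape everything derived from the request (and the file body, since
    //    it is shown as text) before it reaches the HTML output.
    $flags    = ENT_QUOTES | ENT_HTML5;
    $safeName = htmlspecialchars($lang, $flags, 'UTF-8');
    $body     = htmlspecialchars(file_get_contents($path), $flags, 'UTF-8');
    return '<pre>' . $body . '</pre><p>Showing ' . $safeName . '</p>';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Self-check on constructed input in a throwaway directory.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($base);
file_put_contents($base . '/php.php', "<?php // constructed language file\n");

$traversal = ['lang' => '../../etc/hostname'];
$xss       = ['lang' => '<img src=x onerror=alert(1)>'];
$valid     = ['lang' => 'php.php'];

check(strpos(hardened($traversal, $base), 'Invalid') !== false, 'traversal rejected');
check(strpos(hardened($xss, $base), '<img') === false,          'payload not reflected');
check(strpos(hardened($valid, $base), 'language file') !== false, 'valid file served');
check(strpos(vulnerable($xss, $base), '<img src=x') !== false,  'vulnerable reflects payload');

unlink($base . '/php.php');
rmdir($base);
echo "checks passed\n";
```

The whitelist regex does the real work: once the name is restricted to a single path component with a fixed extension, the realpath() prefix comparison is a belt-and-braces check rather than the only line of defence, and htmlspecialchars() on every request-derived value closes the reflected XSS independently of the path handling. Removing the script altogether, as the thread concludes, is of course the simplest fix when nothing needs the input.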