[Secure-testing-team] Bug#703128: davical: errors when accessing some php files as non-admin user

Christoph Anton Mitterer calestyo at scientia.net
Fri Mar 15 23:45:18 UTC 2013


Source: davical
Version: 1.1.1-1
Severity: grave
Tags: security


Hi.

Marking this as important and security, as such ungraceful errors tend to be
prone to attacks.

When accessing several of the /usr/share/davical/htdocs/*.php files as
a non-admin user (that means e.g. HTTP Basic auth or a session cookie for
a non-admin user is present), some weird and potentially security-relevant
errors occur:

1) admin.php -> davical page with the message "No page found to a"

2) setup.php -> the user gets the whole setup page... including the ability to
see the whole phpinfo() output... which contains all kinds of private
environment information that might be used by an attacker.
Therefore the severity: grave.

3) tools.php
XML Parsing Error: no element found
Location: https://.../tools.php
Line Number 1, Column 1:
^

4) tz.php
<?xml version="1.0" encoding="utf-8" ?>
<error xmlns="urn:ietf:params:xml:ns:timezone-service">
  <supported-action/>The action "" is not understood.
</error>
always.php -> OK (redirects to index.php)
help.php -> OK
index.php -> OK
caldav.php -> OK (outside of the scope of admin-pages auth/z system)
feed.php -> OK (outside of the scope of admin-pages auth/z system)
freebusy.php -> OK (outside of the scope of admin-pages auth/z system)
iSchedule.php -> davical page with the message "You are not authorised to use this function."
public.php -> message "Anonymous users may only access public calendars"
upgrade.php -> davical page with the message "You are not authorised to use this function."



Cheers,
Chris.


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
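The check below is an added example, not part of the bug report and not DAViCal project code. It walks the admin-side pages listed in the report with non-admin HTTP Basic credentials and classifies each response using the markers the report quotes (the "not authorised" message, the timezone-service error element, an empty body, and the phpinfo() banner). The DAVICAL_URL, DAVICAL_USER and DAVICAL_PASS environment variables and the credential values are assumptions for illustration; the probe only runs when DAVICAL_URL is set, so the classifier can be exercised on its own.

```shell
#!/bin/sh
# Added example (not from the bug report or DAViCal): probe admin-side pages
# as a non-admin user and flag the responses the report describes.

# classify_response STATUS BODY
# Prints one verdict per call:
#   phpinfo-leak  - full phpinfo() reached a non-admin (setup.php in the report)
#   empty-body    - nothing returned at all (tools.php in the report)
#   tz-error      - timezone-service XML error element (tz.php in the report)
#   denied        - the expected outcome for an admin-only page
#   other         - anything else; inspect by hand
classify_response() {
    status="$1"
    body="$2"
    if [ -z "$body" ]; then
        echo "empty-body"
    elif printf '%s' "$body" | grep -q -e 'PHP Version' -e 'phpinfo()'; then
        echo "phpinfo-leak"
    elif printf '%s' "$body" | grep -q 'not authorised to use this function'; then
        echo "denied"
    elif printf '%s' "$body" | grep -q 'xmlns="urn:ietf:params:xml:ns:timezone-service"'; then
        echo "tz-error"
    elif [ "$status" = "401" ] || [ "$status" = "403" ]; then
        echo "denied"
    else
        echo "other"
    fi
}

# probe BASE_URL USER PASS
# Fetches each admin-side page with Basic auth and prints "page status verdict".
# Assumes curl is installed; BASE_URL is the htdocs root, e.g. https://host/davical
probe() {
    base="$1"
    user="$2"
    pass="$3"
    for page in admin.php setup.php tools.php tz.php iSchedule.php upgrade.php public.php; do
        tmp=$(mktemp)
        status=$(curl -s -o "$tmp" -w '%{http_code}' -u "$user:$pass" "$base/$page")
        body=$(cat "$tmp")
        rm -f "$tmp"
        verdict=$(classify_response "$status" "$body")
        printf '%s %s %s\n' "$page" "$status" "$verdict"
    done
}

# Only talk to the network when a target is configured (hypothetical variables).
if [ -n "${DAVICAL_URL:-}" ]; then
    probe "$DAVICAL_URL" "${DAVICAL_USER:-alice}" "${DAVICAL_PASS:-secret}"
fi
```

Any line ending in "phpinfo-leak" or "empty-body" reproduces the report's findings 2) and 3); after a fix, every admin-only page should come back "denied" for the non-admin account.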
