[Secure-testing-team] Bug#703290: davical: possible code insertion or XSS

Christoph Anton Mitterer calestyo at scientia.net
Mon Mar 18 02:10:15 UTC 2013


Package: davical
Version: 1.1.1-1
Severity: grave
Tags: security upstream
Justification: user security hole


Hi.

Marking this as grave for now, so that the security team gets notified
and can have a look whether this is more serious.
I personally think it's not that serious and the checking security team
member can likely lower the severity. (thanks)

In Davical's /usr/share/davical/htdocs/setup.php there's code
that shows one whether the current version is used.

check_davical_version() does about this:
  $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
  $version_file = @fopen($url, 'r');
  if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
  $current_version = trim(fread( $version_file,12));
  fclose($version_file);
  $result = new CheckResult($c->version_string == $current_version);
  if ( ! $result->getOK() ) {
    if ( $c->version_string > $current_version ) {
      $result->setClass('dep_ok');
      $result->setDescription( sprintf(i18n('Stable: %s, We have: %s !'), $current_version, $c->version_string) );
    }
    else {
      $result->setDescription( sprintf(i18n('Want: %s, Currently: %s'), $current_version, $c->version_string) );
    }
  }


1) The URL is not SSL secure... but even if,... that wouldn't change anything IMHO.

2) An attacker can possibly insert up to 12 characters into $current_version
which are then not checked for their content.
Those 12 characters are subsequently sprintf-ed into HTML which is sent to the user.


Well I don't know whether one can do any nasty things in 12 characters... but there
are kinda freaks out there.


Workaround for now would be to set:
http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen to On.


Cheers,
Chris.
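For reference, an added example (not DAViCal's own code, and not part of the report above) of how the version-check logic can be hardened: the bytes fetched from the remote server are validated against a strict dotted-numeric grammar before use, every value is escaped before it reaches HTML, and versions are compared numerically rather than as strings. The version grammar, the 5-second timeout and the array-based return value are assumptions made for this example; DAViCal's own CheckResult class is not used.

```php
<?php
// Added example, not DAViCal's code: hardened handling of the remote
// "current version" response described in the report.

/** Accept only a dotted numeric version such as "1.1.1" (grammar is an assumption). */
function parse_remote_version(string $raw): ?string {
    $raw = trim($raw);
    // Anything that is not 1-4 numeric components is rejected, which also
    // rejects '<', '"', '&' and similar characters in a hostile response.
    if (!preg_match('/^\d{1,4}(\.\d{1,4}){0,3}$/', $raw)) {
        return null;
    }
    return $raw;
}

/** Fetch at most 12 bytes with a short timeout; null on any failure. Network access assumed. */
function fetch_remote_version(string $url): ?string {
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $fh  = @fopen($url, 'r', false, $ctx);
    if ($fh === false) {
        return null;
    }
    $raw = fread($fh, 12);
    fclose($fh);
    return $raw === false ? null : parse_remote_version($raw);
}

/** Build [css_class, html_safe_description] from our version and the validated remote one. */
function version_check_message(string $ours, ?string $remote): array {
    if ($remote === null) {
        return ['dep_warning', 'Could not retrieve or validate the published version'];
    }
    // Escape every interpolated value, so the output is safe in HTML even if
    // the validation grammar is later relaxed.
    $r = htmlspecialchars($remote, ENT_QUOTES, 'UTF-8');
    $o = htmlspecialchars($ours,   ENT_QUOTES, 'UTF-8');
    // version_compare() orders "1.1.10" after "1.1.9"; the string '>' in the
    // original snippet does not.
    $cmp = version_compare($ours, $remote);
    if ($cmp === 0) {
        return ['dep_ok', sprintf('Current: %s', $o)];
    }
    if ($cmp > 0) {
        return ['dep_ok', sprintf('Stable: %s, We have: %s !', $r, $o)];
    }
    return ['dep_warning', sprintf('Want: %s, Currently: %s', $r, $o)];
}

// Constructed inputs (no network needed): a legitimate response and a hostile one.
var_dump(version_check_message('1.1.1', parse_remote_version("1.1.1\n")));
var_dump(version_check_message('1.1.1', parse_remote_version('<b onload=x>')));
```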


