[sword-devel] Fwd: Bug#466449: diatheke: Diatheke allows arbitrary command execution using the range parameter
Peter von Kaehne
refdoc at gmx.net
Mon Oct 27 09:51:46 MST 2008
Is this fixed?
Daniel Glassey wrote:
> Is there anyone that understands diatheke that can verify and diagnose
> this asap?
>
> Daniel
>
> P.S. Since it is a security bug why was it made public before there
> was a chance to fix it?
>
> ---------- Forwarded message ----------
> From: Dan Dennison <dan at thedennisons.org>
> Date: 18 Feb 2008 20:35
> Subject: Bug#466449: diatheke: Diatheke allows arbitrary command
> execution using the range parameter
> To: Debian Bug Tracking System <submit at bugs.debian.org>
>
>
> Package: diatheke
> Severity: critical
> Tags: security
> Justification: root security hole
>
> The Diatheke CGI allows arbitrary command execution in the context of
> the webserver, e.g. www-data by simply abusing the range parameter.
>
> For example, &range=`yes` will consume tons of resources on the affected
> webserver. Escalation of privileges and command shells are left as an
> exercise to the reader.
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh
>
> Versions of packages diatheke depends on:
> ii libc6 2.7-8 GNU C Library: Shared libraries
> ii libcomerr2 1.40.6-1 common error description library
> ii libgcc1 1:4.3-20080202-1 GCC support library
> ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
> ii libldap-2.4-2 2.4.7-5 OpenLDAP libraries
> ii libstdc++6 4.3-20080202-1 The GNU Standard C++ Library v3
> ii libsword6 1.5.9-7.1 API/library for bible software
> ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
>
> Versions of packages diatheke recommends:
> ii apache2 2.2.8-1 Next generation, scalable, extenda
> ii apache2-mpm-prefork [httpd] 2.2.8-1 Traditional model for Apache HTTPD
>
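The report above says nothing about how the CGI hands the range parameter to diatheke, only that backticks in it get executed. The root cause behind that symptom is a CGI parameter being spliced into a shell command line. The following is an added illustration, not code from diatheke, the SWORD project, or anyone on this thread: it puts the anti-pattern (string interpolation into a shell command) next to the hardened form (an allowlist check plus an argv list that no shell ever parses), and shows the `yes` payload shape from the report being refused. The reference-syntax allowlist is an assumption made for this example and is tighter than what a real deployment may need; the -b/-k switches are the module and key options I know from the diatheke command-line tool, so check them against the version you run. Nothing here executes diatheke; the helpers only build the command so the difference is visible.

```python
import re
import shlex
from typing import List

# Allowlist for a Scripture reference range such as "John 3:16-18" or
# "Gen 1:1-2:3". This character set is an assumption for the example, not
# diatheke's own reference grammar; tighten it to what your site needs.
# Backticks, $, (, ), ;, |, &, newlines and quotes are all outside it, so
# every shell substitution or command-chaining form is rejected up front.
_RANGE_RE = re.compile(r"^[A-Za-z0-9 .:,\-]{1,64}$")


def is_safe_range(value: str) -> bool:
    """Return True only if the range parameter matches the allowlist."""
    return _RANGE_RE.fullmatch(value) is not None


def vulnerable_command_string(range_param: str) -> str:
    """The anti-pattern: interpolate a CGI parameter into a shell command line.

    If this string reaches a shell (system(3), popen(3), subprocess with
    shell=True), the backticks in a value like `yes` are treated as command
    substitution, which is the behaviour described in Bug#466449. The helper
    only builds the string so the problem can be seen; it never runs it.
    """
    return "diatheke -b KJV -k " + range_param


def quoted_command_string(range_param: str) -> str:
    """Second-best fix when a shell string is unavoidable: shlex.quote wraps
    the value so the shell sees it as one literal word. Preferable to raw
    interpolation, but still weaker than never involving a shell at all."""
    return "diatheke -b KJV -k " + shlex.quote(range_param)


def hardened_argv(range_param: str) -> List[str]:
    """Preferred fix: validate, then build an argv list with no shell involved.

    Two independent layers. The allowlist rejects anything that is not a
    plausible reference, and the argv form means no shell ever parses the
    value, so metacharacters would be passed to diatheke literally even if
    one slipped through. Assumed options: -b (module) and -k (key/range).
    """
    if not is_safe_range(range_param):
        raise ValueError("range parameter rejected: %r" % range_param)
    return ["diatheke", "-b", "KJV", "-k", range_param]


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary ranges and the payload shape
    # from the bug report.
    for sample in ("John 3:16-18", "Gen 1:1-2:3", "`yes`"):
        try:
            print("ok     :", hardened_argv(sample))
        except ValueError as exc:
            print("blocked:", exc)
            print("         unsafe form would have been:",
                  vulnerable_command_string(sample))
```

In a real CGI the argv list would go to subprocess.run(hardened_argv(value), capture_output=True) with no shell=True; the allowlist is also the point to log and count rejections, since a spike in refused range values is the cheapest detection signal for someone probing this parameter.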