[sword-devel] Fwd: Bug#466449: diatheke: Diatheke allows arbitrary command execution using the range parameter

Peter von Kaehne refdoc at gmx.net
Mon Oct 27 12:01:14 MST 2008


Incidentally this was reported in 2007 to the mailing list, but it
appears that on neither occasion anything changed.

Should we not at least either take down diatheke.pl or change the
associated readme into something that make it abundantly clear that this
is not a working cgi script but solely demontration code?

swordweb is great, but maybe overkill for some. At the moment we are
listed on Secunia as having an open critical bug since 2/08

Peter


Peter von Kaehne wrote:
> Is this fixed?
> 
> Daniel Glassey wrote:
>> Is there anyone that understands diatheke that can verify and diagnose
>> this asap?
>>
>> Daniel
>>
>> P.S. Since it is a security bug why was it made public before there
>> was a chance to fix it?
>>
>> ---------- Forwarded message ----------
>> From: Dan Dennison <dan at thedennisons.org>
>> Date: 18 Feb 2008 20:35
>> Subject: Bug#466449: diatheke: Diatheke allows arbitrary command
>> execution using the range parameter
>> To: Debian Bug Tracking System <submit at bugs.debian.org>
>>
>>
>> Package: diatheke
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>> The Diatheke CGI allows arbitrary command execution in the context of
>> the webserver, e.g. www-data by simply abusing the range parameter.
>>
>> For example, &range=`yes` will consume tons of resources on the affected
>> webserver. Escalation of privleges and command shells are left as an
>> exercise to the reader.
>>
>> -- System Information:
>> Debian Release: lenny/sid
>>   APT prefers unstable
>>   APT policy: (500, 'unstable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 2.6
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh
>>
>> Versions of packages diatheke depends on:
>> ii  libc6                 2.7-8              GNU C Library: Shared libraries
>> ii  libcomerr2            1.40.6-1           common error description library
>> ii  libgcc1               1:4.3-20080202-1   GCC support library
>> ii  libkrb53              1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
>> ii  libldap-2.4-2         2.4.7-5            OpenLDAP libraries
>> ii  libstdc++6            4.3-20080202-1     The GNU Standard C++ Library v3
>> ii  libsword6             1.5.9-7.1          API/library for bible software
>> ii  zlib1g                1:1.2.3.3.dfsg-11  compression library - runtime
>>
>> Versions of packages diatheke recommends:
>> ii  apache2                       2.2.8-1    Next generation, scalable, extenda
>> ii  apache2-mpm-prefork [httpd]   2.2.8-1    Traditional model for Apache HTTPD
>>
>>
>>
>>
> 
> 
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page




More information about the sword-devel mailing list