[sword-devel] Fwd: Bug#466449: diatheke: Diatheke allows arbitrary command execution using the range parameter
Peter von Kaehne
refdoc at gmx.net
Mon Oct 27 16:57:57 MST 2008
Reported in 2005 here:
http://securitytracker.com/alerts/2005/Jan/1012961.html
Peter von Kaehne wrote:
> Incidentally this was reported in 2007 to the mailing list, but it
> appears that on neither occasion anything changed.
>
> Should we not at least either take down diatheke.pl or change the
> associated readme into something that makes it abundantly clear that this
> is not a working cgi script but solely demonstration code?
>
> swordweb is great, but maybe overkill for some. At the moment we are
> listed on Secunia as having an open critical bug since 2/08
>
> Peter
>
>
> Peter von Kaehne wrote:
>> Is this fixed?
>>
>> Daniel Glassey wrote:
>>> Is there anyone that understands diatheke that can verify and diagnose
>>> this asap?
>>>
>>> Daniel
>>>
>>> P.S. Since it is a security bug why was it made public before there
>>> was a chance to fix it?
>>>
>>> ---------- Forwarded message ----------
>>> From: Dan Dennison <dan at thedennisons.org>
>>> Date: 18 Feb 2008 20:35
>>> Subject: Bug#466449: diatheke: Diatheke allows arbitrary command
>>> execution using the range parameter
>>> To: Debian Bug Tracking System <submit at bugs.debian.org>
>>>
>>>
>>> Package: diatheke
>>> Severity: critical
>>> Tags: security
>>> Justification: root security hole
>>>
>>> The Diatheke CGI allows arbitrary command execution in the context of
>>> the webserver, e.g. www-data by simply abusing the range parameter.
>>>
>>> For example, &range=`yes` will consume tons of resources on the affected
>>> webserver. Escalation of privileges and command shells are left as an
>>> exercise to the reader.
>>>
>>> -- System Information:
>>> Debian Release: lenny/sid
>>> APT prefers unstable
>>> APT policy: (500, 'unstable')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 2.6
>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh
>>>
>>> Versions of packages diatheke depends on:
>>> ii libc6 2.7-8 GNU C Library: Shared libraries
>>> ii libcomerr2 1.40.6-1 common error description library
>>> ii libgcc1 1:4.3-20080202-1 GCC support library
>>> ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
>>> ii libldap-2.4-2 2.4.7-5 OpenLDAP libraries
>>> ii libstdc++6 4.3-20080202-1 The GNU Standard C++ Library v3
>>> ii libsword6 1.5.9-7.1 API/library for bible software
>>> ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
>>>
>>> Versions of packages diatheke recommends:
>>> ii apache2 2.2.8-1 Next generation, scalable, extenda
>>> ii apache2-mpm-prefork [httpd] 2.2.8-1 Traditional model for Apache HTTPD
>>>
>>
>> _______________________________________________
>> sword-devel mailing list: sword-devel at crosswire.org
>> http://www.crosswire.org/mailman/listinfo/sword-devel
>> Instructions to unsubscribe/change your settings at above page
>
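The forwarded report describes the classic CGI command-injection pattern: a request parameter (here `range`) ends up in a string that /bin/sh interprets, so backticks inside it run a command as the webserver user. The following is an added illustration, not code from diatheke.pl or the SWORD project, and it is written in Python rather than the Perl of diatheke.pl. The `/usr/bin/diatheke` path, the `-b`/`-k` option shape, and the reference-range grammar are assumptions chosen for the example. It places the vulnerable string-building pattern beside a hardened form that allowlists the parameter and invokes the program with an argument list, so no shell ever sees the user input.

```python
import re
import subprocess

# Hypothetical command-line shape; the real diatheke binary's options are not
# reproduced here (assumption for the example).
DIATHEKE_BIN = "/usr/bin/diatheke"

# Constructed sample inputs: a legitimate reference range and the kind of value
# the bug report describes (shell backticks inside the range parameter).
SAMPLE_GOOD = "John 3:16-18"
SAMPLE_BAD = "`yes`"


def build_command_unsafe(module, range_param):
    """Vulnerable pattern: the CGI parameter is interpolated into a single shell
    string.  Backticks, semicolons and other metacharacters in range_param are
    interpreted by /bin/sh when this string is handed to a shell.  The string is
    returned rather than executed so it can be inspected safely."""
    return f"{DIATHEKE_BIN} -b {module} -k {range_param}"


# Allowlist grammar (assumed for the example): optional book number, book name
# of letters and spaces, then chapter[:verse] with an optional -chapter[:verse]
# or -verse range end.  Nothing else is accepted.
_RANGE_RE = re.compile(
    r"^(?P<book>(?:[1-3] ?)?[A-Za-z][A-Za-z ]{0,28}?)"
    r"\s*(?P<ref>\d{1,3}(?::\d{1,3})?(?:-\d{1,3}(?::\d{1,3})?)?)$"
)
_MODULE_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def validate_range(range_param):
    """Return a normalised 'Book chapter:verse[-end]' string if the parameter
    matches the allowlist, else None.  Rejection, not escaping, is the point:
    a reference range has no legitimate need for shell metacharacters."""
    m = _RANGE_RE.match(range_param.strip())
    if not m:
        return None
    return f"{m.group('book').strip()} {m.group('ref')}"


def build_command_safe(module, range_param):
    """Hardened form: validate both parameters against allowlists and return an
    argv list.  Passing a list to subprocess.run (no shell=True) means the
    kernel receives the arguments verbatim; no shell parses them."""
    key = validate_range(range_param)
    if key is None:
        raise ValueError("invalid range parameter")
    if not _MODULE_RE.fullmatch(module):
        raise ValueError("invalid module name")
    return [DIATHEKE_BIN, "-b", module, "-k", key]


def run_diatheke(module, range_param, timeout=5):
    """Execute the hardened argv with a timeout so a slow or hung child cannot
    tie up the webserver worker indefinitely."""
    argv = build_command_safe(module, range_param)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print("unsafe string, bad input :", build_command_unsafe("KJV", SAMPLE_BAD))
    print("validated, good input    :", validate_range(SAMPLE_GOOD))
    print("validated, bad input     :", validate_range(SAMPLE_BAD))
    print("hardened argv, good input:", build_command_safe("KJV", SAMPLE_GOOD))
```

The unsafe builder is kept only to make the contrast visible: the backticks survive untouched into the string, which is exactly what a shell would then act on. The hardened path fails closed on anything outside the grammar and never constructs a shell string at all, which is the fix to apply whether the front end is Perl, Python or anything else.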