Hello,
check out this new DSA:
http://www.debian.org/security/2005/dsa-650
It patches this bug, found by me for the project:
--- Forwarded e-mail ---
Hello,
I have found some arbitrary command execution bugs in diatheke. They affect
stable, testing and unstable.
The code has big problems with filtering data that will be used in command
lines, so you just type in something like this as a Verse or Search key in its
CGI web interface:
" | uname -a #
This will execute the command "uname -a" on the server. An attacker might just
have to visit a URI looking something like this:
http://some.host/cgi-bin/diatheke.pl?search=&verse=%22+%7C+id%3B+uname+-a%3B+cat+%2Fetc%2Fpasswd+%23&Submit=Submit&strongs=on&headings=on&footnotes=on&scriprefs=on&morph=on&hebvowels=on&lemmas=on&grkacc=on
There are other CGI parameters than "verse" that are affected by this, but they
are not all decoded from their URL-encoded state, which might make them
slightly harder to exploit.
// Ulf Harnhammar for the Debian Security Audit Project
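
The bug class described in the forwarded report, shown beside a hardened form. This is an added example, not code from diatheke or from the DSA: `printf` stands in for the backend binary so it runs offline, and the function names, the `-k` argument position and the allowlist pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern: the CGI value is interpolated into one string that
# /bin/sh parses. printf is a stand-in for the backend binary (assumption).
sub lookup_via_shell {
    my ($key) = @_;
    my $cmd = qq{printf '%s\\n' -k "$key"};
    my $out = `$cmd`;
    return $out;
}

# Hardened pattern, part 1: list-form pipe open runs the program directly,
# so the key arrives as exactly one argument and no shell sees it.
sub lookup_via_argv {
    my ($key) = @_;
    open(my $fh, '-|', 'printf', '%s\n', '-k', $key)
        or die "cannot run backend: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Hardened pattern, part 2: reject keys that do not look like a verse
# reference before doing anything. The character set is an assumption.
sub valid_key {
    my ($key) = @_;
    return $key =~ /\A[A-Za-z0-9 .:,;-]{1,80}\z/ ? 1 : 0;
}

# Constructed inputs: a normal reference and a harmless variant of the
# quote-and-pipe value shown in the report.
for my $key ('John 3:16', '" | echo INJECTED #') {
    my ($shell, $argv) = (lookup_via_shell($key), lookup_via_argv($key));
    s/\n/ /g for $shell, $argv;
    print "key:   $key\n";
    print "valid: ", valid_key($key), "\n";
    print "shell: $shell\n";
    print "argv:  $argv\n\n";
}
```

Running a CGI script under Perl's taint mode (`-T`) makes the interpolated form die at runtime until the value has been validated through a regex capture.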