[UNIX] P4DB Multiple Vulnerabilities

2004-05-17T00:00:00
ID SECURITYVULNS:DOC:6222
Type securityvulns
Reporter Securityvulns
Modified 2004-05-17T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



P4DB Multiple Vulnerabilities

SUMMARY

P4DB (http://www.mydata.se/ftp/P4DB/) is a CGI-based tool that provides a web-based interface to Perforce source code repositories. It is third-party software, developed by an individual and unsupported by Perforce.

There are many input validation problems in P4DB that allow arbitrary shell commands to be run on the web server. In addition, there are numerous cross-site scripting bugs throughout the package.

DETAILS

Vulnerable Systems:
 * P4DB version 2.01 and prior

P4DB suffers from multiple security issues, the worst of which is unfiltered variable input passed directly to shell commands. Using crafted URLs, an attacker could run arbitrary commands on the web server with the privileges of the CGI process. Other issues include multiple XSS vulnerabilities throughout the code.
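The two defects described above (request parameters interpolated into a shell command line, and parameters echoed unescaped into HTML) have a standard remedy in Perl CGI code: validate each parameter against an allowlist that describes what a legitimate value looks like, run the external program through the list form of `open()` so no shell is involved, and HTML-escape anything echoed back to the browser. The script below is an added example illustrating that pattern; it is not P4DB code, and the names `check_param`, `p4_lines`, `html_escape`, the `%ALLOW` rules and the use of `/bin/echo` in place of the `p4` binary are assumptions made so it runs offline.

```perl
#!/usr/bin/perl
# Added example (not P4DB's own code): allowlist validation of CGI parameters,
# a shell-free way to run the Perforce client, and output escaping for HTML.
use strict;
use warnings;

# Assumed per-parameter rules. Each describes the *only* shape a value may
# have; anything else is rejected, so no list of "bad characters" is needed.
my %ALLOW = (
    CH     => qr/\A\d+\z/,                    # change number: digits only
    REV    => qr/\A\d*\z/,                    # revision: digits, or empty
    USER   => qr/\A\w+(?:,\w+)*\z/,           # comma-separated user names
    STATUS => qr/\A(?:submitted|pending)\z/,  # fixed vocabulary
    FSPC   => qr{\A//[\w.\-/]*\z},            # depot path with a conservative charset
);

# Returns 1 when $value is acceptable for parameter $name, 0 otherwise.
# \A and \z anchor the whole string; unlike $, \z does not accept a trailing newline.
sub check_param {
    my ($name, $value) = @_;
    my $re = $ALLOW{$name} or die "no validation rule for $name\n";
    return 0 unless defined $value;
    return $value =~ $re ? 1 : 0;
}

# Runs a command without a shell: in the list form of open() every element
# becomes one argv entry, so metacharacters in the arguments are passed
# literally instead of being interpreted.
sub p4_lines {
    my ($p4, @args) = @_;
    open(my $fh, '-|', $p4, @args) or die "cannot run $p4: $!\n";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Output encoding for values echoed into the page (the XSS side of the issue).
# CGI.pm's escapeHTML does the same; shown inline so the rule is visible.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed test inputs (no live Perforce server is needed).
my @cases = (
    [ CH     => '1234',             1 ],
    [ CH     => "1234\n",           0 ],   # a $-anchored regex would accept this
    [ CH     => '12;id',            0 ],
    [ FSPC   => '//depot/main/...', 1 ],
    [ FSPC   => '//depot/x`id`',    0 ],
    [ USER   => 'alice,bob',        1 ],
    [ USER   => 'alice|bob',        0 ],
    [ STATUS => 'submitted',        1 ],
    [ STATUS => '<script>',         0 ],
);
for my $c (@cases) {
    my ($name, $val, $want) = @$c;
    my $got = check_param($name, $val);
    (my $shown = $val) =~ s/\n/\\n/g;
    printf "%-6s %-20s %s\n", $name, $shown, $got == $want ? 'ok' : 'MISMATCH';
}

# /bin/echo stands in for the p4 binary: the argument containing ';' arrives
# in the child as a single literal argv entry.
my @out = p4_lines('/bin/echo', 'changes', '-m', '1', '//depot/a;id');
print "argv passed literally: $out[0]";

# What a reflected value should look like in the generated page.
print "escaped for HTML: ", html_escape('<tt>//depot/"x"</tt>'), "\n";
```

The allowlist approach is the inverse of the blacklist used in the unofficial patch further down: instead of enumerating characters that must not appear, each rule states the complete set of acceptable values, so a character the author forgot to list cannot slip through. The list-form `open()` is available on Unix Perl 5.8 and later and removes the shell from the call entirely, which is what makes the validation defense in depth rather than the only barrier.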

Vendor Status: The original developer of P4DB, Fredric Fredricson, appears to have dropped off the Internet. He did not respond to inquiries made in late March, 2004. The most recent release of P4DB was in 2001. He has submitted a multitude of changes to the package source in the public Perforce repository (as recently as March, 2004), but the security issues are still present in that code.

Perforce was contacted regarding the security issues mentioned. It is recommended that P4DB users migrate to P4Web, a free package that provides the same functionality, developed and maintained by Perforce themselves. It can be found at http://www.perforce.com/perforce/products/p4web.html.

Patch Availability: An unofficial patch is presented here which should mitigate the mentioned vulnerabilities for those who still do not wish to migrate their systems:

diff -Nur p4db.orig/P4CGI.pm p4db/P4CGI.pm --- p4db.orig/P4CGI.pm Mon Apr 12 11:33:17 2004 +++ p4db/P4CGI.pm Tue Apr 20 15:06:56 2004 @@ -438,6 +438,11 @@ my ( $par, @command ) = @_; my $partype = ref $par ; push @ERRLOG,"p4call(<$partype>,@command)" ; + + # Unfortunately, we can't filter out " and >, since they're used to quote + # the arguments, and redirect output. Bummer. We'll just hope that everyone + # else filtered things OK. + &bail("Invalid P4 command @command") if ("$P4 @command" =~ /['`&;|<\!()\$\\]/); if(!$partype) { open( $par, "$P4 @command|" ) || &bail( "$P4 @command failed" ); return ; diff -Nur p4db.orig/SetPreferences.cgi p4db/SetPreferences.cgi --- p4db.orig/SetPreferences.cgi Mon Apr 12 11:28:37 2004 +++ p4db/SetPreferences.cgi Mon Apr 12 11:55:49 2004 @@ -14,6 +14,7 @@ #################################################################

my $newp = &P4CGI::cgi()->param("SET_PREFERENCES") ; +$newp = "Yes" if defined $newp; my $fullURL = &P4CGI::cgi()->url(-full=>1) ;

if((defined $newp) and diff -Nur p4db.orig/branchView.cgi p4db/branchView.cgi --- p4db.orig/branchView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/branchView.cgi Mon Apr 12 11:55:49 2004 @@ -19,6 +19,7 @@ ### my $branch = P4CGI::cgi()->param("BRANCH") ; &P4CGI::bail("No branch specified") unless defined $branch ; +&P4CGI::bail("Invalid branch specified") if $branch =~ /[<>"&:;'`]/;

### diff -Nur p4db.orig/changeByUsers.cgi p4db/changeByUsers.cgi --- p4db.orig/changeByUsers.cgi Mon Apr 12 11:28:37 2004 +++ p4db/changeByUsers.cgi Wed Apr 21 09:37:10 2004 @@ -15,8 +15,11 @@

my $FSPC = &P4CGI::cgi()->param("FSPC") ; $FSPC = "//..." unless defined $FSPC ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);

my $COMPLETE= &P4CGI::cgi()->param("COMPLETE") ; +&P4CGI::bail("Invalid COMPLETE flag.") + unless (!defined($COMPLETE) || ($COMPLETE =~ /^\w+^/));

my @legend ; diff -Nur p4db.orig/changeList.cgi p4db/changeList.cgi --- p4db.orig/changeList.cgi Mon Apr 12 11:28:37 2004 +++ p4db/changeList.cgi Tue Apr 20 15:10:49 2004 @@ -96,6 +96,9 @@ $filespec = "//..." unless defined $filespec ; $filespec =~ s/\s\+\s\/\//\/\//g ; # replace <space>+<space>// with // # where <space> is 0 or more whitespace charcaters + +&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/); + my @FSPC = map { if($) { "//".$ ; } @@ -107,6 +110,7 @@ # my $LABEL = P4CGI::cgi()->param("LABEL") ; if(defined $LABEL and $LABEL eq "-") { $LABEL = undef ; } ; +&P4CGI::bail("Invalid label.") if ($LABEL =~ /[<>"&:;'`]/);

# # Check that FSPC or LABEL is specified @@ -120,18 +124,22 @@ # my $EXLABEL = &P4CGI::cgi()->param("EXLABEL") ; if(defined $EXLABEL and $EXLABEL eq "-") { $EXLABEL = undef ; } ; +&P4CGI::bail("Invalid label to exclude.") if ($EXLABEL =~ /[<>"&:;'`]/);

# # Get status # my $STATUS = &P4CGI::cgi()->param("STATUS") ; unless(defined $STATUS) { $STATUS = "submitted" ; } ; +unless ($STATUS =~ /^\w+$/) { &P4CGI::bail("Invalid status."); };

# # Get max changes to display # my $MAXCH = P4CGI::cgi()->param("MAXCH") ; $MAXCH = &P4CGI::MAX_CHANGES() unless(defined $MAXCH) ; +unless ($MAXCH =~ /^\d+$/) { + &P4CGI::bail("Invalid value for the maximum number of changes ."); };

# # Get first change No. to display and offset from start @@ -140,7 +148,13 @@ my $CHOFFSET=0 ; if(defined $MAXCH) { $FIRSTCH = P4CGI::cgi()->param("FIRSTCH") ; + unless (!defined($FIRSTCH) || ($FIRSTCH =~ /^\d+$/)) { + &P4CGI::bail("Invalid value for the starting change number."); + } $CHOFFSET = P4CGI::cgi()->param("CHOFFSETDISP") ; + unless (!defined($CHOFFSET) || ($CHOFFSET =~ /^\d+$/)) { + &P4CGI::bail("Invalid value for the change number offset."); + } }

@@ -152,7 +166,10 @@ # my $SEARCHDESC = &P4CGI::cgi()->param("SEARCHDESC") ; $SEARCHDESC=undef if defined $SEARCHDESC and $SEARCHDESC eq "" ; +&P4CGI::bail("Invalid search terms.") if ($SEARCHDESC =~ /[<>"&:;'`]/); + my $SEARCH_INVERT = &P4CGI::cgi()->param("SEARCH_INVERT") ; +&P4CGI::bail("Invalid search terms.") if ($SEARCH_INVERT =~ /[<>"&:;'`]/);

my $USER = &P4CGI::cgi()->param("USER") ; { @@ -167,6 +184,8 @@ } } $USER=undef if defined $USER and $USER eq "" ; +&P4CGI::bail("Invalid user(s).") + unless (!defined($USER) || ($USER =~ /^\w+(,\w+)*$/));

my $GROUP = &P4CGI::cgi()->param("GROUP") ; { @@ -181,10 +200,11 @@ } } $GROUP=undef if defined $GROUP and $GROUP eq "" ; - +&P4CGI::bail("Invalid group(s).") if ($GROUP =~ /[<>"&:;'`]/);

my $CLIENT = &P4CGI::cgi()->param("CLIENT") ; $CLIENT=undef if defined $CLIENT and $CLIENT eq "" ; +&P4CGI::bail("Invalid client specified.") if ($CLIENT =~ /[<>"&:;'`]/);

### ### Sub getChanges diff -Nur p4db.orig/changeView.cgi p4db/changeView.cgi --- p4db.orig/changeView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/changeView.cgi Mon Apr 12 11:55:49 2004 @@ -17,7 +17,9 @@ # Get file spec argument my $change = P4CGI::cgi()->param("CH") ; &P4CGI::bail("No change number specified") unless defined $change ; +&P4CGI::bail("Invalid change number specified") unless ($change =~ /^\d+$/); $change =~ /^\d+$/ or &P4CGI::bail("\"$change\" is not a positive number"); + my @desc ; my $currlev = &P4CGI::CURRENT_CHANGE_LEVEL() ; if($change > $currlev or $change < 1) { diff -Nur p4db.orig/clientList.cgi p4db/clientList.cgi --- p4db.orig/clientList.cgi Mon Apr 12 11:28:37 2004 +++ p4db/clientList.cgi Wed Apr 21 09:38:25 2004 @@ -43,6 +43,9 @@ }

my $user = P4CGI::cgi()->param("USER") ; +&P4CGI::bail("Invalid user specified.") + unless (!defined($user) || ($user =~ /^\w+$/)); + my $mode = P4CGI::cgi()->param("MODE") ; $mode = "Brief" unless (defined $mode) and ($mode eq "Complete") ; $mode = "Complete" if defined $user ; diff -Nur p4db.orig/clientView.cgi p4db/clientView.cgi --- p4db.orig/clientView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/clientView.cgi Mon Apr 12 11:55:49 2004 @@ -18,6 +18,8 @@ unless(defined $client) { &P4CGI::bail("No client specified!") ; } ; +&P4CGI::bail("Invalid client specified!") if ($client =~ /[<>"&:;'`]/); +

# Get list of users and full names my @users ; diff -Nur p4db.orig/depotStats.cgi p4db/depotStats.cgi --- p4db.orig/depotStats.cgi Mon Apr 12 11:28:37 2004 +++ p4db/depotStats.cgi Mon Apr 12 11:55:49 2004 @@ -26,6 +26,7 @@ # my $FSPC = P4CGI::cgi()->param("FSPC") ; $FSPC = "//..." unless defined $FSPC ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/); my @FSPC = split(/\s\+?\s(?=\/\/)/,$FSPC) ; $FSPC = "<tt>".join("</tt> and <tt>",@FSPC)."</tt>" ; my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ; diff -Nur p4db.orig/depotTreeBrowser.cgi p4db/depotTreeBrowser.cgi --- p4db.orig/depotTreeBrowser.cgi Mon Apr 12 11:28:37 2004 +++ p4db/depotTreeBrowser.cgi Mon Apr 12 11:55:49 2004 @@ -18,6 +18,7 @@ ### # * Get path from argument my $fspc = P4CGI::cgi()->param("FSPC") ; +&P4CGI::bail("Invalid file spec.") if ($fspc =~ /[<>"&:;'`]/); $fspc =~ s/\.\.\.$// if defined $fspc ; # Find out if we have multiple depots my @depots ; diff -Nur p4db.orig/fileDiffView.cgi p4db/fileDiffView.cgi --- p4db.orig/fileDiffView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileDiffView.cgi Mon Apr 12 11:55:49 2004 @@ -17,32 +17,40 @@ #################################################################

# Get file spec argument -my @files = split /,/,P4CGI::cgi()->param("FSPC") ; +my $FSPC = P4CGI::cgi()->param("FSPC") ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/); +my @files = split /,/,$FSPC; &P4CGI::bail("No file specified") unless @files > 0 ;

-my @revs = split / /,P4CGI::cgi()->param("REV") if defined P4CGI::cgi()->param("REV") ; +my $REV = P4CGI::cgi()->param("REV"); +my @revs = split / /,$REV if defined $REV; +&P4CGI::bail("Invalid file revisions.") unless ($REV =~ /^[0-9 ]*$/); $files[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs[0] = $2 ; } ; &P4CGI::bail("No revision specified") unless @revs > 0 ;

-my @modes ; -@modes = split / /,P4CGI::cgi()->param("ACT") if defined P4CGI::cgi()->param("ACT") ; +my $ACT = P4CGI::cgi()->param("ACT"); +&P4CGI::bail("Invalid mode(s).") if ($ACT =~ /[<>"&:;'`]/); +my @modes = split / /,$ACT if defined $ACT; &P4CGI::bail("No mode specified") unless @modes > 0 ;

-my @files2 ; -@files2 = - split /,/,P4CGI::cgi()->param("FSPC2") if defined P4CGI::cgi()->param("FSPC2") ; -my @revs2 ; -@revs2 = - split / /,P4CGI::cgi()->param("REV2") if defined P4CGI::cgi()->param("REV2") ; +my $FSPC2 = P4CGI::cgi()->param("FSPC2"); +&P4CGI::bail("Invalid file spec.") if ($FSPC2 =~ /[<>"&:;'`]/); +my @files2 = split /,/,$FSPC2 if defined $FSPC2; + +my $REV2 = P4CGI::cgi()->param("REV2"); +my @revs2 = split / /,$REV2 if defined $REV2; +&P4CGI::bail("Invalid revisions specified.") unless ($REV2 =~ /^[0-9 ]*$/); if(defined $files2[0]) { $files2[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs2[0] = $2 ; } ; } ;

my $change = P4CGI::cgi()->param("CH") ; +&P4CGI::bail("Invalid change specified.") unless ($change =~ /^[0-9]*$/); # Constants for the file diff display

# $NCONTEXT - number of lines context before and after a diff my $NCONTEXT = P4CGI::cgi()->param("CONTEXT") ; +&P4CGI::bail("Invalid number of context lines.") unless ($NCONTEXT =~ /^[0-9]*$/); $NCONTEXT = 10 unless defined $NCONTEXT ;

# $MAXCONTEXT - max number of lines context between diffs diff -Nur p4db.orig/fileDownLoad.cgi p4db/fileDownLoad.cgi --- p4db.orig/fileDownLoad.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileDownLoad.cgi Mon Apr 12 11:55:49 2004 @@ -17,12 +17,14 @@ # Get file spec argument my $file = P4CGI::cgi()->param("FSPC") ; &P4CGI::bail("No file specified") unless defined $file ; +&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);

my $filename = $file ; $filename =~ s/.*\/// ;

my $revision = P4CGI::cgi()->param("REV") ; &P4CGI::bail("No revision specified") unless defined $revision ; +&P4CGI::bail("Invalid revision specified") unless $revision =~ /^\d*$/;

local *P4 ;

diff -Nur p4db.orig/fileLogView.cgi p4db/fileLogView.cgi --- p4db.orig/fileLogView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileLogView.cgi Tue Apr 20 15:17:12 2004 @@ -34,14 +34,15 @@ # File argument my $file = P4CGI::cgi()->param("FSPC") ; &P4CGI::bail("No file spec") unless defined $file ; +&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);

 # Label x-reference argument

my $listLabel = P4CGI::cgi()->param("LISTLAB") ; -$listLabel = "No" unless defined $listLabel ; +$listLabel = "No" unless defined $listLabel and $listLabel eq "Yes";

 # Show branch info argument

my $showBranch = P4CGI::cgi()->param("SHOWBRANCH") ; -$showBranch="No" unless defined $showBranch ; +$showBranch="No" unless defined $showBranch and $showBranch eq "Yes";

 # Get file data

my @filelog ; diff -Nur p4db.orig/fileOpen.cgi p4db/fileOpen.cgi --- p4db.orig/fileOpen.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileOpen.cgi Mon Apr 12 11:55:49 2004 @@ -17,6 +17,7 @@ # File argument my $FSPC = P4CGI::cgi()->param("FSPC") ; $FSPC = "//..." unless defined $FSPC ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/); my @FSPC = split(/\s\+?\s(?=\/\/)/,$FSPC) ; $FSPC = "<tt>".join("</tt> and <tt>",@FSPC)."</tt>" ; my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ; diff -Nur p4db.orig/fileSearch.cgi p4db/fileSearch.cgi --- p4db.orig/fileSearch.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileSearch.cgi Mon Apr 12 11:55:49 2004 @@ -17,11 +17,14 @@ # Get file spec argument my $filespec = P4CGI::cgi()->param("FSPC") ; $filespec = "" unless defined $filespec ; +&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/);

my $label = P4CGI::cgi()->param("LABEL") ; if(!defined $label) { $label = "" ; } +&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/); + my $filedesc ; my $showDiffSelection="Y" ; if($filespec eq "") { diff -Nur p4db.orig/fileViewer.cgi p4db/fileViewer.cgi --- p4db.orig/fileViewer.cgi Mon Apr 12 11:28:37 2004 +++ p4db/fileViewer.cgi Tue Apr 20 15:20:15 2004 @@ -31,6 +31,7 @@

my $file = P4CGI::cgi()->param("FSPC") ; &P4CGI::bail("No file specified") unless defined $file ; +&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);

my $ext = $file ; $ext =~ s/^.\.// ; @@ -38,9 +39,11 @@ my $revision = P4CGI::cgi()->param("REV") ; # &P4CGI::bail("No revision specified") unless defined $revision ; $revision = "#$revision" if defined $revision ; -$revision="" unless defined $revision ; +$revision = "" unless defined $revision ; +&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d$/);

my $force = P4CGI::cgi()->param("FORCE") ; +$force = "Yes" if defined $force;

 # find out if p4br.perl is available, if true set smart

diff -Nur p4db.orig/filesChangedSince.cgi p4db/filesChangedSince.cgi --- p4db.orig/filesChangedSince.cgi Mon Apr 12 11:28:37 2004 +++ p4db/filesChangedSince.cgi Mon Apr 12 11:55:49 2004 @@ -24,6 +24,7 @@

my $FSPC = P4CGI::cgi()->param("FSPC") ; $FSPC = "//..." unless defined $FSPC ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/); my @FSPC = split(/\s\+?\s(?=\/\/)/,$FSPC) ;

my $WEEKS = P4CGI::cgi()->param("WEEKS") ; diff -Nur p4db.orig/groupView.cgi p4db/groupView.cgi --- p4db.orig/groupView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/groupView.cgi Mon Apr 12 11:55:49 2004 @@ -22,6 +22,8 @@ &P4CGI::bail("No group specified!") ; } ;

+&P4CGI::bail("Invalid group.") if ($group =~ /[<>"&:;'`]/); + # Get real user names... my %userCvt ; { diff -Nur p4db.orig/htmlFileView.cgi p4db/htmlFileView.cgi --- p4db.orig/htmlFileView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/htmlFileView.cgi Mon Apr 12 11:55:49 2004 @@ -18,6 +18,7 @@ # Get type arg my $type = P4CGI::cgi()->param("TYPE") ; &P4CGI::bail("No file type specified") unless defined $type ; +&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);

my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;

@@ -28,10 +29,12 @@ # Get file spec argument my $file = P4CGI::cgi()->param("FSPC") ; &P4CGI::bail("No file specified") unless defined $file ; + &P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);

 my $revision = P4CGI::cgi()->param("REV") ;
 $revision = "#$revision" if defined $revision ;
-$revision="" unless defined $revision ;
+$revision = "" unless defined $revision ;
+&P4CGI::bail("Invalid file spec.") unless ($revision =~ /^#?\d*$/);

    my $filename=$file ; $filename =~ s/^.*\///; diff -Nur p4db.orig/javaDataView.cgi p4db/javaDataView.cgi --- p4db.orig/javaDataView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/javaDataView.cgi Mon Apr 12 11:55:49 2004 @@ -17,6 +17,8 @@ # * Get path from argument

my $cmd = P4CGI::cgi()->param("CMD") ; +&P4CGI::bail("Invalid command.") unless ($cmd =~ /^\w*$/); + my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;

local *P4 ; diff -Nur p4db.orig/jobList.cgi p4db/jobList.cgi --- p4db.orig/jobList.cgi Mon Apr 12 11:28:37 2004 +++ p4db/jobList.cgi Mon Apr 12 11:55:49 2004 @@ -263,6 +263,7 @@ else { # Do we have "JOBVIEW"? my $jobview = &P4CGI::cgi()->param("JOBVIEW") ; + $jobview = "Yes" if defined $jobview; my $jobviewDesc ; if(defined $jobview) { $jobviewDesc = "Where jobview is: <TT>$jobview</TT>" ; @@ -275,6 +276,7 @@ my @selectParams = grep { /^FLD/ ; } P4CGI::cgi()->param ; my %params ; foreach (@selectParams) { + &P4CGI::bail("Invalid field parameter.") if (/[<>"&:;'`]/); my $v = $_ ; s/^FLD// ; my @pars = &P4CGI::cgi()->param($v) ; @@ -282,7 +284,7 @@ } # Set match all/any my $MATCHTYPE = &P4CGI::cgi()->param("MATCHTYPE") ; - $MATCHTYPE="all" unless defined $MATCHTYPE ; + $MATCHTYPE="all" unless defined $MATCHTYPE and $MATCHTYPE eq "any"; my $matchtype = "|" ; my $matchtypeDesc = "or" ; if($MATCHTYPE eq "all") { diff -Nur p4db.orig/jobView.cgi p4db/jobView.cgi --- p4db.orig/jobView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/jobView.cgi Mon Apr 12 11:55:49 2004 @@ -17,6 +17,7 @@ # Get file spec argument my $job = P4CGI::cgi()->param("JOB") ; &P4CGI::bail("No job specified") unless defined $job ; +&P4CGI::bail("Invalid job.") if ($job =~ /[<>"&:;'`]/);

 # Create title

print "", &P4CGI::start_page("Job $job","") ; diff -Nur p4db.orig/labelDiffView.cgi p4db/labelDiffView.cgi --- p4db.orig/labelDiffView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/labelDiffView.cgi Mon Apr 12 11:55:49 2004 @@ -23,6 +23,9 @@ &P4CGI::error("No first label specified") unless defined $LABEL1 ; &P4CGI::error("No second label specified") unless defined $LABEL2 ;

+&P4CGI::bail("Invalid first label.") if ($LABEL1 =~ /[<>"&:;'`]/); +&P4CGI::bail("Invalid second label.") if ($LABEL2 =~ /[<>"&:;'`]/); + # defined if files that are the same in both labels # should be listed my $SHOWSAME = P4CGI::cgi()->param("SHOWSAME") ; diff -Nur p4db.orig/labelView.cgi p4db/labelView.cgi --- p4db.orig/labelView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/labelView.cgi Mon Apr 12 11:55:49 2004 @@ -16,6 +16,7 @@ # Get label my $label = P4CGI::cgi()->param("LABEL") ; &P4CGI::bail("No label specified") unless defined $label ; +&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/);

my $found ; # Get list of all labels and also check that supplied label exists diff -Nur p4db.orig/searchPattern.cgi p4db/searchPattern.cgi --- p4db.orig/searchPattern.cgi Mon Apr 12 11:28:37 2004 +++ p4db/searchPattern.cgi Mon Apr 12 11:55:49 2004 @@ -15,6 +15,7 @@

my $FSPC = &P4CGI::cgi()->param("FSPC") ; $FSPC = "//..." unless defined $FSPC ; +&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);

my @legend ;

diff -Nur p4db.orig/specialFileView.cgi p4db/specialFileView.cgi --- p4db.orig/specialFileView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/specialFileView.cgi Mon Apr 12 11:55:49 2004 @@ -21,14 +21,17 @@ # Get type arg my $type = P4CGI::cgi()->param("TYPE") ; &P4CGI::bail("No file type specified") unless defined $type ; +&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);

# Get file spec argument my $file = P4CGI::cgi()->param("FSPC") ; &P4CGI::bail("No file specified") unless defined $file ; +&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);

my $revision = P4CGI::cgi()->param("REV") ; $revision = "#$revision" if defined $revision ; $revision="" unless defined $revision ; +&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d*$/);

my ($url,$desc,$content,$about) = @{$viewConfig::TypeData{$type}} ; &P4CGI::bail("Undefined type code") unless defined $url ; diff -Nur p4db.orig/userList.cgi p4db/userList.cgi --- p4db.orig/userList.cgi Mon Apr 12 11:28:37 2004 +++ p4db/userList.cgi Mon Apr 12 11:55:49 2004 @@ -16,6 +16,7 @@

my $GROUPSONLY = P4CGI::cgi()->param("GROUPSONLY") ; +$GROUPSONLY = "Y" if defined $GROUPSONLY;

sub weeksago($$$ ) { my ($y,$m,$d) = @_ ; diff -Nur p4db.orig/userView.cgi p4db/userView.cgi --- p4db.orig/userView.cgi Mon Apr 12 11:28:37 2004 +++ p4db/userView.cgi Mon Apr 12 11:55:49 2004 @@ -19,6 +19,8 @@ unless(defined $user) { &P4CGI::bail("No user specified!") ; } ; +&P4CGI::bail("Invalid user.") unless ($user =~ /^\w+$/); +
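Review bot: in the P4CGI.pm hunk the new check in p4call is the only barrier between request parameters and the shell, and it is a blacklist with acknowledged gaps: the comment states that `"` and `>` are left out because the caller uses them for quoting and redirection, so every script's own character class has to be perfect for the central check to hold. The command is still assembled by interpolation into the two-argument `open( $par, "$P4 @command|" )`, which hands the string to /bin/sh. Suggest the list form, `open( $par, '-|', $P4, @command )`, which passes each element as one argv entry with no shell at all; the character class then becomes defense in depth instead of the whole defense.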
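Review bot: in the changeByUsers.cgi hunk the COMPLETE check reads `$COMPLETE =~ /^\w+^/`; the trailing `^` is a start-of-string anchor, not `$`, so the pattern can never match a non-empty value and every request that sets COMPLETE is rejected with "Invalid COMPLETE flag.". Suggest `/^\w+$/`.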
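Review bot: in the changeList.cgi hunks the checks on `$LABEL`, `$EXLABEL`, `$SEARCHDESC`, `$SEARCH_INVERT`, `$GROUP` and `$CLIENT` match a value that the preceding lines may have set to `undef`, which produces "Use of uninitialized value" warnings under `-w` and in the error log on every page load where the parameter is absent. The `$USER` and `$FIRSTCH` checks in the same file already use the `unless (!defined($X) || $X =~ /.../)` shape; suggest the same for the rest.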
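Review bot: in the changeView.cgi hunk the added `&P4CGI::bail("Invalid change number specified") unless ($change =~ /^\d+$/);` duplicates the existing `$change =~ /^\d+$/ or &P4CGI::bail(...)` on the very next line; one of the two should go. Note also that `$` matches before a trailing newline, so `/^\d+\z/` is the stricter anchor if the value is to be passed on to a shell.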
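Review bot: in the fileDiffView.cgi hunk the rewritten lines `my @revs = split / /,$REV if defined $REV;`, `my @modes = split / /,$ACT if defined $ACT;`, `my @files2 = split /,/,$FSPC2 if defined $FSPC2;` and `my @revs2 = split / /,$REV2 if defined $REV2;` replace the original declare-then-assign form with `my ... if COND`, which perlsyn documents as undefined behaviour (the variable may retain its value from a previous iteration under mod_perl-style reuse). Keep the original shape: `my @files2; @files2 = split /,/,$FSPC2 if defined $FSPC2;`.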
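Review bot: in the fileViewer.cgi hunk the revision check `unless ($revision =~ /^#?\d$/)` has `\d` without a quantifier, so it accepts only a single-digit revision and rejects the empty string that the preceding line assigns when REV is absent; file views without a revision, or of revision 10 and above, will fail. The sibling scripts htmlFileView.cgi and specialFileView.cgi use `/^#?\d*$/`; suggest the same here.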
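Review bot: in the htmlFileView.cgi hunk the revision check bails with "Invalid file spec." although it is `$revision` being tested; the message should name the revision so that a rejected request can be diagnosed from the error page.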
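Review bot: in the first jobList.cgi hunk `$jobview = "Yes" if defined $jobview;` overwrites the JOBVIEW value before it is echoed into `$jobviewDesc = "Where jobview is: <TT>$jobview</TT>"`, so the description always reads "Yes"; if JOBVIEW carries a Perforce jobview expression rather than acting as a flag, the feature is silently disabled by this line. Either validate the value or state in the patch that the feature is intentionally reduced to a flag.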
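Review bot: in the second jobList.cgi hunk the check `&P4CGI::bail("Invalid field parameter.") if (/[<>"&:;'`]/);` inside `foreach (@selectParams)` tests `$_`, which is the parameter *name* from `grep { /^FLD/ ; } P4CGI::cgi()->param`; the values read two lines later by `my @pars = &P4CGI::cgi()->param($v) ;` are never checked. Apply the check to each element of `@pars` as well, since those are what reach the command line.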

# List all users my @userData;

ADDITIONAL INFORMATION

The information has been provided by Jon McClintock (jammer@weak.org).


DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.