Upstream has released version 0.5.7 on October 28, fixing a security issue: http://pear.php.net/package/HTML_AJAX/download/ Thomas has requested a freeze push for Cauldron. Mageia 4 is also affected.
This bug has been fixed and the upgraded packages are in mga4 upgrades testing: php-pear-HTML_AJAX-0.5.7-1.mga5.src.rpm php-pear-HTML_AJAX-0.5.7-1.mga5.noarch.rpm Assigning it to QA
Status: NEW => ASSIGNED
QA Contact: security => qa-bugs
Thanks Thomas! Actually assigning to QA.

Advisory:
========================

Updated php-pear-HTML_AJAX package fixes security vulnerability:

The HTML_AJAX pear module before version 0.5.7 is vulnerable to a bug that can allow for remote code execution through unspecified vectors.

References:
http://pear.php.net/package/HTML_AJAX/download/
========================

Updated packages in core/updates_testing:
========================
php-pear-HTML_AJAX-0.5.7-1.mga4

from php-pear-HTML_AJAX-0.5.7-1.mga4.src.rpm
CC: (none) => thomas
Assignee: thomas => qa-bugs
QA Contact: qa-bugs => security
Testing MGA4-64 on HP Probook 6555b. Installed without problems. Looked at http://bluga.net/projects/HTML_AJAX/examples/ and ran the examples there without problems.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
I think you tested the bluga.net implementation rather than our own, Herman. I'll remove your OK but please replace it if I'm wrong. Downloaded some of the examples from there to /var/www/html/test/ and no joy with them, e.g. http://localhost/test/proxyless_usage.php Looking in /var/log/httpd/error_log it shows they are missing server.php. Not entirely sure how to test this one yet. Any ideas Thomas?
Whiteboard: MGA4-64-OK => (none)
Testing complete mga4 32.

Some info here: http://blog.joshuaeichorn.com/slides/Introduction-To-HTML_AJAX/

Using server.php, example1.php and example2.php, which reference date.php, so created a date.php as below, all saved in /var/www/html/test/

    # cat date.php
    <?php echo date('l jS \of F Y h:i:s A'); ?>

And the others from the webpage:

    # cat server.php
    <?php
    require_once 'HTML/AJAX/Server.php';
    $server = new HTML_AJAX_Server();
    $server->handleRequest();
    ?>

    # cat example1.php
    <html>
    <head>
    <title>Example 1 - HTML_AJAX.append()</title>
    <script type="text/javascript" src="server.php?client=all"></script>
    <script type="text/javascript">
    function act() {
        HTML_AJAX.append('target','date.php');
    }
    </script>
    </head>
    <body>
    <a href="javascript:act()">Append the current time as given by date.php</a>
    <div id="target">I'm the target</div>
    </body>
    </html>

    # cat example2.php
    <html>
    <head>
    <title>Example 2 - HTML_AJAX Basic Methods</title>
    <script type="text/javascript" src="server.php?client=all"></script>
    </head>
    <body>
    <a href="#" onclick="HTML_AJAX.append('target','date.php');">Append</a>
    <a href="#" onclick="HTML_AJAX.replace('target','date.php');">Replace</a>
    <a href="#" onclick="alert(HTML_AJAX.grab('date.php'));">Grab Sync</a>
    <a href="#" onclick="HTML_AJAX.grab('date.php',function(result) { alert(result); })">Grab Async</a>
    <div id="target">I'm the target</div>
    </body>
    </html>

Then browse to http://localhost/test/example1.php and http://localhost/test/example2.php and click the links to show the date in various places.
Whiteboard: (none) => has_procedure mga4-32-ok
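A small QA helper to go with the procedure above, added here and not part of the bug thread: it checks that the installed php-pear-HTML_AJAX is at least the fixed 0.5.7 release and that the test scripts answer over HTTP. It assumes the four scripts are in /var/www/html/test/ as above, httpd is listening on localhost, and `rpm` and `curl` are available; the version helpers also work stand-alone on constructed package names.

```shell
#!/bin/sh
# Added QA helper (not from the bug report). Assumes the test scripts from
# the thread live under /var/www/html/test/ and httpd serves localhost.

# Return 0 when a dotted version (e.g. 0.5.7) is at or above the fixed 0.5.7.
version_is_fixed() {
    printf '%s\n' "$1" | awk -F. '{
        if ($1+0 > 0) exit 0
        if ($2+0 > 5) exit 0
        if ($2+0 == 5 && $3+0 >= 7) exit 0
        exit 1 }'
}

# Pull "0.5.7" out of a name such as php-pear-HTML_AJAX-0.5.7-1.mga4(.noarch).
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^php-pear-HTML_AJAX-\([0-9.]*\)-.*$/\1/p'
}

# Full check on a live Mageia 4 box: package level, client JS, date.php.
check_update() {
    pkg=$(rpm -q php-pear-HTML_AJAX 2>/dev/null) || {
        echo "php-pear-HTML_AJAX is not installed"; return 1; }
    ver=$(pkg_version "$pkg")
    if version_is_fixed "$ver"; then
        echo "$pkg: fixed release (>= 0.5.7)"
    else
        echo "$pkg: still the vulnerable pre-0.5.7 build"; return 1
    fi
    # server.php?client=all must hand back the JS client the examples load.
    curl -sf 'http://localhost/test/server.php?client=all' | grep -q 'HTML_AJAX' || {
        echo "server.php did not serve the HTML_AJAX client"; return 1; }
    # date.php must answer with a formatted date (a four-digit year).
    curl -sf 'http://localhost/test/date.php' | grep -Eq '[0-9]{4}' || {
        echo "date.php returned no date"; return 1; }
    echo "all checks passed"
}

# Run the live check only when asked: sh qa_check.sh --run
if [ "${1-}" = "--run" ]; then
    check_update
fi
```

Without `--run` the script only defines the helpers, so it can be sourced to reuse `version_is_fixed` on other package names.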
Many thanks to Claire for the detailed scripts etc above. Testing MGA4 x64 real hardware. Installed from normal repos php-pear-HTML_AJAX-0.5.6-7.mga4. Installed the 4 scripts in /var/www/html/test/ . Browser pointed to http://localhost/test/example1.php appended the day, date, time ad infinitum on each click of the link. http://localhost/test/example2.php Append: as example1. Replace: updated in situ the day, date, time on each click. Grab Sync: popped up a Javascript information dialogue with date & time. Grab Async: same behaviour. Updated from Testing to php-pear-HTML_AJAX-0.5.7-1.mga4. Re-running the tests gave the same results as before. I do not know whether this is what *should* happen, so leave the OK-ing to someone else. BTAIM The time shown was *GMT*, one hour behind my local time (shown correctly on the desktop). Again - is this right?
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #6)
> BTAIM The time shown was *GMT*, one hour behind my local time (shown
> correctly on the desktop). Again - is this right?

You need to set the date.timezone setting in php.ini. This used to not be necessary, but unfortunately PHP changed this.
David, do you have to be *so* quick? My Comment 6 "The time shown was *GMT*, one hour behind my local time (shown correctly on the desktop)" is *wrong*; I take that back. The tests showed the *correct* local time; the *desktop* time was (is) wrong, 1 hr in advance. [This is a problem that has been bugging me for some time: the need to correct the desktop time by 1hr; might bug it if I can pin it down].
Adding 64bit OK from Lewis's testing. Validating. I'll upload the advisory shortly. Please push to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0519.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/625505/