Bug 14735 - php-pear-HTML_AJAX new security issue fixed upstream in 0.5.7
Summary: php-pear-HTML_AJAX new security issue fixed upstream in 0.5.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/625505/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-05 18:19 CET by David Walser
Modified: 2014-12-10 19:06 CET (History)
4 users (show)

See Also:
Source RPM: php-pear-HTML_AJAX-0.5.6-7.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-05 18:19:53 CET
Upstream has released version 0.5.7 on October 28, fixing a security issue:
http://pear.php.net/package/HTML_AJAX/download/

Thomas has requested a freeze push for Cauldron.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Thomas Spuhler 2014-12-05 18:54:40 CET
This bug has been fixed and the upgraded pacakges are in mga4 upgrades testing:
php-pear-HTML_AJAX-0.5.7-1.mga5.src.rpm
php-pear-HTML_AJAX-0.5.7-1.mga5.noarch.rpm

Assigning it to QA

Status: NEW => ASSIGNED
QA Contact: security => qa-bugs

Comment 2 David Walser 2014-12-05 18:58:53 CET
Thanks Thomas!

Actually assigning to QA.

Advisory:
========================

Updated php-pear-HTML_AJAX package fixes security vulnerability:

The HTML_AJAX pear module before version 0.5.7 is vulnerable to a bug that
can allow for remote code execution through unspecified vectors.

References:
http://pear.php.net/package/HTML_AJAX/download/
========================

Updated packages in core/updates_testing:
========================
php-pear-HTML_AJAX-0.5.7-1.mga4

from php-pear-HTML_AJAX-0.5.7-1.mga4.src.rpm

CC: (none) => thomas
Assignee: thomas => qa-bugs
QA Contact: qa-bugs => security

Comment 3 Herman Viaene 2014-12-06 11:39:32 CET
Testing MGA4-64 on HP Probook 6555b
Installed without problems.
Looked at http://bluga.net/projects/HTML_AJAX/examples/
ran the examples there without problems.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 4 claire robinson 2014-12-08 18:10:53 CET
I think you tested the bluga.net implementation rather than our own Herman. I'll remove your Ok but please replace it if I'm wrong.

Downloaded some of the examples from there to /var/www/html/test/ and no joy with them. eg. http://localhost/test/proxyless_usage.php

Looking in /var/log/httpd/error_log it shows they are missing server.php. Not entirely sure how to test this one yet. Any ideas Thomas?

Whiteboard: MGA4-64-OK => (none)

Comment 5 claire robinson 2014-12-08 18:26:41 CET
Testing complete mga4 32


Some info here..
http://blog.joshuaeichorn.com/slides/Introduction-To-HTML_AJAX/

Using server.php, example1.php and example2.php which reference date.php, so created a date.php as below, all saved in /var/www/html/test/

# cat date.php
<?php
 echo date('l jS \of F Y h:i:s A');
?>

And the others from the webpage..

# cat server.php
<?php
require_once 'HTML/AJAX/Server.php';

$server = new HTML_AJAX_Server();

$server->handleRequest();
?>


# cat example1.php 
<html>
<head>
<title>Example 1 - HTML_AJAX.append()</title>
<script type="text/javascript" src="server.php?client=all"></script>

<script type="text/javascript">
function act() {
	HTML_AJAX.append('target','date.php');
}
</script>
</head>
<body>

<a href="javascript:act()">Append the current time as given by date.php</a>

<div id="target">I'm the target</div>
</body>
</html>


# cat example2.php 
<html>
<head>
<title>Example 2 - HTML_AJAX Basic Methods</title>
<script type="text/javascript" src="server.php?client=all"></script>

</head>
<body>
<a href="#" onclick="HTML_AJAX.append('target','date.php');">Append</a>
<a href="#" onclick="HTML_AJAX.replace('target','date.php');">Replace</a>

<a href="#" onclick="alert(HTML_AJAX.grab('date.php'));">Grab Sync</a>
<a href="#" onclick="HTML_AJAX.grab('date.php',function(result) { alert(result); })">Grab Async</a>

<div id="target">I'm the target</div>
</body>
</html>

Then browse to http://localhost/test/example1.php and http://localhost/test/example2.php and click the links to show the date in various places.

Whiteboard: (none) => has_procedure mga4-32-ok

Comment 6 Lewis Smith 2014-12-08 21:05:33 CET
Many thanks to Claire for the detailed scripts etc above.

Testing MGA4 x64 real hardware.
Installed from normal repos php-pear-HTML_AJAX-0.5.6-7.mga4. Installed the 4 scripts in /var/www/html/test/ . Browser pointed to
 http://localhost/test/example1.php
appended the day, date, time ad infinitum on each click of the link.
 http://localhost/test/example2.php
Append: as example1.
Replace: updated in situ the day, date, time on each click.
Grab Sync: popped up a Javascript information dialogue with date & time.
Grab Async: same behaviour.

Updated from Testing to php-pear-HTML_AJAX-0.5.7-1.mga4.
Re-running the tests gave the same results as before. I do not know whether this is what *should* happen, so leave the OK-ing to someone else.

BTAIM The time shown was *GMT*, one hour behind my local time (shown correctly on the desktop). Again - is this right?

CC: (none) => lewyssmith

Comment 7 David Walser 2014-12-08 21:08:38 CET
(In reply to Lewis Smith from comment #6)
> BTAIM The time shown was *GMT*, one hour behind my local time (shown
> correctly on the desktop). Again - is this right?

You need to set the date.timezone setting in php.ini.  This used to not be necessary, but unfortunately PHP changed this.
Comment 8 Lewis Smith 2014-12-08 21:32:12 CET
David, do you have to be *so* quick?
My Comment 6 "The time shown was *GMT*, one hour behind my local time (shown correctly on the desktop)" is *wrong*; I take that back. The tests showed the *correct* local time; the *desktop* time was (is) wrong, 1 hr in advance.
[This is a problem that has been bugging me for some time: the need to correct the desktop time by 1hr; might bug it if I can pin it down].
Comment 9 claire robinson 2014-12-09 10:32:33 CET
Adding 64bit OK from Lewis's testing

Validating. I'll upload the advisory shortly.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 claire robinson 2014-12-09 10:50:27 CET
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 11 Mageia Robot 2014-12-09 21:13:44 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0519.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-10 19:06:33 CET

URL: (none) => http://lwn.net/Vulnerabilities/625505/


Note You need to log in before you can comment on or make changes to this bug.