[sword-devel] Fwd: Bug#466449: diatheke: Diatheke allows arbitrary command execution using the range parameter

Daniel Glassey dglassey at gmail.com
Mon Feb 18 14:02:13 MST 2008

Is there anyone that understands diatheke that can verify and diagnose
this asap?


P.S. Since it is a security bug why was it made public before there
was a chance to fix it?

---------- Forwarded message ----------
From: Dan Dennison <dan at thedennisons.org>
Date: 18 Feb 2008 20:35
Subject: Bug#466449: diatheke: Diatheke allows arbitrary command
execution using the range parameter
To: Debian Bug Tracking System <submit at bugs.debian.org>

Package: diatheke
Severity: critical
Tags: security
Justification: root security hole

The Diatheke CGI allows arbitrary command execution in the context of
the webserver, e.g. www-data by simply abusing the range parameter.

For example, &range=`yes` will consume tons of resources on the affected
webserver. Escalation of privleges and command shells are left as an
exercise to the reader.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh

Versions of packages diatheke depends on:
ii  libc6                 2.7-8              GNU C Library: Shared libraries
ii  libcomerr2            1.40.6-1           common error description library
ii  libgcc1               1:4.3-20080202-1   GCC support library
ii  libkrb53              1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.7-5            OpenLDAP libraries
ii  libstdc++6            4.3-20080202-1     The GNU Standard C++ Library v3
ii  libsword6             1.5.9-7.1          API/library for bible software
ii  zlib1g                1:  compression library - runtime

Versions of packages diatheke recommends:
ii  apache2                       2.2.8-1    Next generation, scalable, extenda
ii  apache2-mpm-prefork [httpd]   2.2.8-1    Traditional model for Apache HTTPD

A: No.
Q: Should I include quotations after my reply?
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?

More information about the sword-devel mailing list