[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: [SECURITY] [DSA 2179-1] dtc security update


There's few security issues that have been fixed in DTC, some of them
being quite serious (SQL injection without even needing to be
authenticated). In nearly 10 years of development, this is the first
serious security issue that we have, and it's located in some very old
code. It have been present in DTC for a very long time, so I believe all
versions of DTC are affected.

Below is the corresponding DSA (Debian Security Advisory). We strongly
recommend anyone using DTC to upgrade to the latest version in Lenny,
SID, or on GPLHost repositories.

Note that currently, the bw_per_month.php call from the bandwidth
monitor is broken by the security fix. If you wish, you can apply the
following patch to fix the regression:


Another update of DTC in GPLHost repository will be made to fix the
issue (probably version 0.32.11), but I do not plan to fix the Lenny
version for a so tiny issue (without much consequences) that is easily
fixable by hand.

Note that CentOS and FreeBSD versions haven't been fixed. If you wish to
manually apply fixes, we recommend you to apply the patch sets that you
will find in our Git repository, until the affected versions are
updated. Commits diifs are as follow:



-------- Original Message --------
Subject: [SECURITY] [DSA 2179-1] dtc security update
Resent-Date: Wed,  2 Mar 2011 20:57:35 +0000 (UTC)
Resent-From: debian-security-announce@xxxxxxxxxxxxxxxx
Date: Wed, 02 Mar 2011 21:57:25 +0100
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Reply-To: debian-security@xxxxxxxxxxxxxxxx
To: debian-security-announce@xxxxxxxxxxxxxxxx

Debian Security Advisory DSA-2179-1                   security@xxxxxxxxxx
http://www.debian.org/security/                            Florian Weimer
March 02, 2011                         http://www.debian.org/security/faq

Package        : dtc
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437
Debian Bug     : 614302

Ansgar Burchardt discovered several vulnerabilities in DTC, a web
control panel for admin and accounting hosting services.

    The bw_per_moth.php graph contains an SQL injection vulnerability.

    Insufficient checks in bw_per_month.php can lead to bandwidth
    usage information disclosure.

    After a registration, passwords are sent in cleartext
    email messages.

    Authenticated users could delete accounts using an obsolete
    interface which was incorrectly included in the package.

This update introduces a new configuration option which controls the
presence of cleartext passwords in email messages.  The default is not
to include cleartext passwords

For the oldstable distribution (lenny), this problem has been fixed in
version 0.29.17-1+lenny1.

The stable distribution (squeeze) and the the testing distribution
(wheezy) do not contain any dtc packages.

For the unstable distribution (sid), this problem has been fixed in
version 0.32.10-1.

We recommend that you upgrade your dtc packages.
Do not reply to this mail, subscribe to dtcdev@xxxxxxxxxx instead
To unsubscribe send a mail to dtcannounce-unsubscribe@xxxxxxxxxx