[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: [SECURITY] [DSA 2179-1] dtc security update

Hi,

There's few security issues that have been fixed in DTC, some of them
being quite serious (SQL injection without even needing to be
authenticated). In nearly 10 years of development, this is the first
serious security issue that we have, and it's located in some very old
code. It have been present in DTC for a very long time, so I believe all
versions of DTC are affected.

Below is the corresponding DSA (Debian Security Advisory). We strongly
recommend anyone using DTC to upgrade to the latest version in Lenny,
SID, or on GPLHost repositories.

Note that currently, the bw_per_month.php call from the bandwidth
monitor is broken by the security fix. If you wish, you can apply the
following patch to fix the regression:

http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=d4540d3b9bbc826f3758452a6569f9936b7b6cfb

Another update of DTC in GPLHost repository will be made to fix the
issue (probably version 0.32.11), but I do not plan to fix the Lenny
version for a so tiny issue (without much consequences) that is easily
fixable by hand.

Note that CentOS and FreeBSD versions haven't been fixed. If you wish to
manually apply fixes, we recommend you to apply the patch sets that you
will find in our Git repository, until the affected versions are
updated. Commits diifs are as follow:

http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=e94e8b9cc354bfcaeb284d5331b815256bb46162
http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=adffff7efb3687ff465ee0552a944dd3109f3cb0
http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=c97ab4ae43945de36534c40004d713b3b10113db

Thomas

-------- Original Message --------
Subject: [SECURITY] [DSA 2179-1] dtc security update
Resent-Date: Wed,  2 Mar 2011 20:57:35 +0000 (UTC)
Resent-From: debian-security-announce@xxxxxxxxxxxxxxxx
Date: Wed, 02 Mar 2011 21:57:25 +0100
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Reply-To: debian-security@xxxxxxxxxxxxxxxx
To: debian-security-announce@xxxxxxxxxxxxxxxx

-------------------------------------------------------------------------
Debian Security Advisory DSA-2179-1                   security@xxxxxxxxxx
http://www.debian.org/security/                            Florian Weimer
March 02, 2011                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : dtc
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437
Debian Bug     : 614302

Ansgar Burchardt discovered several vulnerabilities in DTC, a web
control panel for admin and accounting hosting services.

CVE-2011-0434
    The bw_per_moth.php graph contains an SQL injection vulnerability.

CVE-2011-0435
    Insufficient checks in bw_per_month.php can lead to bandwidth
    usage information disclosure.

CVE-2011-0436
    After a registration, passwords are sent in cleartext
    email messages.

CVE-2011-0437
    Authenticated users could delete accounts using an obsolete
    interface which was incorrectly included in the package.

This update introduces a new configuration option which controls the
presence of cleartext passwords in email messages.  The default is not
to include cleartext passwords

For the oldstable distribution (lenny), this problem has been fixed in
version 0.29.17-1+lenny1.

The stable distribution (squeeze) and the the testing distribution
(wheezy) do not contain any dtc packages.

For the unstable distribution (sid), this problem has been fixed in
version 0.32.10-1.

We recommend that you upgrade your dtc packages.
--
Do not reply to this mail, subscribe to dtcdev@xxxxxxxxxx instead
To unsubscribe send a mail to dtcannounce-unsubscribe@xxxxxxxxxx