Security advisory & SabreDAV 1.6.9, 1.7.7 and 1.8.5 released (CVE-2013-1939)
947 views
Skip to first unread message
Evert Pot
Apr 11, 2013, 9:05:31 AM4/11/13
to sabredav...@googlegroups.com
Hi everyone,
I just released version 1.6.9, 1.7.7 and 1.8.5.
These releases contain a security fix for Windows users. If you are running a SabreDAV version 1.6.7, 1.7.5 or 1.8.3 or older on a Windows machine, you're strongly encouraged to upgrade.
To do so, grab the latest zip from:
http://code.google.com/p/sabredav/downloads/list
Or run:
composer update sabre/dav
The problem was in serving of icons and images by the 'HTML\Browser' plugin. Because windows uses backslash as a path separator, the base path was not correctly checked, making it possible to read any accessible file from the filesystem.
As a workaround, you setup the plugin as such:
// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);
// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);
To disable this feature completely.
CVE ID:
CVE-2013-1939
Thanks to Lukas Reschke for reporting this issue.
Evert
I just released version 1.6.9, 1.7.7 and 1.8.5.
These releases contain a security fix for Windows users. If you are running a SabreDAV version 1.6.7, 1.7.5 or 1.8.3 or older on a Windows machine, you're strongly encouraged to upgrade.
To do so, grab the latest zip from:
http://code.google.com/p/sabredav/downloads/list
Or run:
composer update sabre/dav
The problem was in serving of icons and images by the 'HTML\Browser' plugin. Because windows uses backslash as a path separator, the base path was not correctly checked, making it possible to read any accessible file from the filesystem.
As a workaround, you setup the plugin as such:
// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);
// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);
To disable this feature completely.
CVE ID:
CVE-2013-1939
Thanks to Lukas Reschke for reporting this issue.
Evert
Reply all
Reply to author
Forward
0 new messages