Security advisory & SabreDAV 1.6.9, 1.7.7 and 1.8.5 released (CVE-2013-1939)

Showing 1-1 of 1 messages
Security advisory & SabreDAV 1.6.9, 1.7.7 and 1.8.5 released (CVE-2013-1939) Evert Pot 4/11/13 6:05 AM
Hi everyone,

I just released version 1.6.9, 1.7.7 and 1.8.5.

These releases contain a security fix for Windows users. If you are running a SabreDAV version 1.6.7, 1.7.5 or 1.8.3 or older on a Windows machine, you're strongly encouraged to upgrade.

To do so, grab the latest zip from:
http://code.google.com/p/sabredav/downloads/list

Or run:
composer update sabre/dav

The problem was in serving of icons and images by the 'HTML\Browser' plugin. Because windows uses backslash as a path separator, the base path was not correctly checked, making it possible to read any accessible file from the filesystem.

As a workaround, you setup the plugin as such:

// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);

// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);

To disable this feature completely.

CVE ID:
  CVE-2013-1939

Thanks to Lukas Reschke for reporting this issue.

Evert