SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

#1
Jamie Edwards
Operations Manager
Posts: 5,664
Join Date: Jan 2006
Location: United Kingdom
HtmlTidy html-tidy-logic.php security patch - 19-11-2008, 01:31 AM

We have patched a file that we distribute with SupportSuite, eSupport and LiveResponse to fix a reported security flaw (as well as another one which we have discovered in the same file).

The flaw can only be triggered when register_globals (in the PHP configuration) is turned on. register_globals is turned off by default, and to turn the setting on would go against PHP 4+ installation guidelines and defaults.

Please download the attached file and replace your existing one with it.

In folder:
Code:
\includes\htmlArea\plugins\HtmlTidy\
Attached file: html-tidy-logic.php (2.3 KB, 61 views)


Jamie Edwards (jamie.edwards ]at[ kayako.com)
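The advisory says the flaw is reachable only when register_globals is on, so the first thing an administrator wants is a quick way to audit that setting. The following is an added example, not code from Kayako or from this thread: it parses php.ini-style text using PHP's own rules for boolean ini values and reports whether register_globals is effectively enabled. The two php.ini fragments are constructed for the example.

```python
import re

# php.ini fragments constructed for this example (not taken from any real server).
SAMPLE_INI_ON = """\
[PHP]
register_globals = Off
; a later assignment overrides the earlier one, as in PHP itself
register_globals = On
"""
SAMPLE_INI_OFF = """\
[PHP]
; register_globals = On   <- commented out, so never applied
register_globals = "Off"
"""

def parse_php_ini(text):
    """Return {directive: raw value} from php.ini-style text: ';' starts a
    comment, [section] headers are skipped, surrounding quotes are dropped,
    and a later assignment of the same directive replaces the earlier one."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives

def php_ini_bool(value):
    """PHP's rule for boolean ini values: 'on', 'yes' and 'true' are true;
    anything else is read as an integer and is true only if non-zero, so
    'Off', 'No', 'False', 'None', '' and '0' are all false."""
    v = value.strip().lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(int(m.group())) if m else False

def register_globals_enabled(ini_text):
    """True when this php.ini text leaves register_globals on.  A missing
    directive means PHP's built-in default, which has been Off since 4.2."""
    return php_ini_bool(parse_php_ini(ini_text).get("register_globals", "0"))

if __name__ == "__main__":
    for label, ini in (("on-sample", SAMPLE_INI_ON), ("off-sample", SAMPLE_INI_OFF)):
        state = "register_globals ON" if register_globals_enabled(ini) else "off"
        print(label, "->", state)
```

Per-directory overrides (php_flag in httpd.conf or .htaccess) are not read by this script; from inside PHP, ini_get('register_globals') reports the value actually in effect for that request.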
#2
John Haugeland
Developer
Posts: 800
Join Date: Dec 2007
Location: Idaho
19-11-2008, 08:25 PM

This patch has been pushed upstream to the HTML Tidy maintainers.


John Haugeland (john.haugeland ]at[ kayako.com)
#3
John Haugeland
Developer
Posts: 800
Join Date: Dec 2007
Location: Idaho
20-11-2008, 07:30 AM

I was incorrect to attribute this source file to HTML Tidy; this source file is in fact our own code. Whereas the defect was correctly identified and repaired, the origin of the source in question was not.

This was a Kayako defect, not a Tidy defect.


John Haugeland (john.haugeland ]at[ kayako.com)
#4
GoneShootin
Member
Posts: 215
Join Date: Jan 2008
20-11-2008, 12:12 PM

Is there an email security bulletin service that we can subscribe to for this kind of notification? Thanks for the update.

Last edited by GoneShootin; 20-11-2008 at 12:14 PM..
   
#5
craigbrass
Senior Member
Posts: 5,922
Join Date: Jun 2005
Location: Cumbria, UK
20-11-2008, 03:01 PM

You can subscribe to the news and announcements board on this forum. Go to http://forums.kayako.com/subscriptio...bscription&f=3 to do so.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

#6
GoneShootin
Member
Posts: 215
Join Date: Jan 2008
20-11-2008, 03:18 PM

Quote:
Originally Posted by craigbrass
You can subscribe to the news and announcements board on this forum. Go to http://forums.kayako.com/subscriptio...bscription&f=3 to do so.
Nice one. Cheers.
   
#7
John Haugeland
Developer
Posts: 800
Join Date: Dec 2007
Location: Idaho
20-11-2008, 08:07 PM

Actually, I'm now getting mixed responses from parties which should all be giving the same answer about the origin of the defect. At this time I withdraw any claim to knowledge of the origin of the source containing the defect, pending further investigation.

The defect is fixed in our copy of the source; however, it remains unclear at this time whether other parties use this source, and whether or not they are affected.

I will keep this thread up to date as I get a clearer picture of what's going on. Someone is confused (I certainly am, but I mean among the people I'm discussing this with), but I don't know who it is yet.

Regardless, this defect is closed at least in our copy of this source.


John Haugeland (john.haugeland ]at[ kayako.com)
#8
John Haugeland
Developer
Posts: 800
Join Date: Dec 2007
Location: Idaho
20-11-2008, 09:29 PM

I understand the problem now. There is a third party wrapper for HTML Tidy which, confusingly, uses the name HTML Tidy. The reason I believed that we acquired this source from HTML Tidy is that we did; I was just unaware that there were two products going under this name.

The C library and the PHP bindings - that is, the major product called HTML Tidy - is not subject to this defect.

The third party PHP wrapper, which is a plugin module for htmlArea, is the vulnerable package. Kayako is escalating this issue to the other HTML Tidy group; however, as that plugin is considered unsupported, the expected response remains unclear.

This defect is resolved in all Kayako products with the patch provided in this thread, and that patch will be reflected in the upcoming 3.30.03 stable, expected promptly (with other bugfixes too).

Kayako would like to thank
  • Arnaud DeSitter from the primary HTML Tidy group,
  • Nuno Lopes from the PHP group, and
  • Ben Greenbaum, Keith Rogers and Rob Keith from Symantec / SecurityFocus
for their immediate, thoughtful, thorough and significant responses to this matter.


John Haugeland (john.haugeland ]at[ kayako.com)

Last edited by John Haugeland; 20-11-2008 at 09:33 PM.. Reason: Missed a name in the thank yous; fixed
   