[geomoose-psc] PHP file system traversal vulnerability.

TC Haddad tchaddad at gmail.com
Tue Apr 4 13:42:38 PDT 2017


Hey Dan,

FWIW, the text of your proposed email looks good. I think you could replace
the three references to 'bug' with 'security issue' and that is more likely
to get people's attention / quick action.

I feel like when there are security releases in other projects, the
information on the users list is kept to a minimum - just the facts of the
release, relevant download links, and not a lot of info on the nature of
the exploit.

So given that you could even just end your first paragraph after "earlier
versions of the 2.X series may also be affected."... if you think that's
enough detail.

Tanya



On Tue, Apr 4, 2017 at 12:48 PM, James Klassen <klassen.js at gmail.com> wrote:

> Right.
>
> I will also hide the bad versions on the downloads (and redirect them to
> current).
>
> On Apr 4, 2017 14:46, "Dan Little" <theduckylittle at gmail.com> wrote:
>
>> I suspect it will be but don't want to be offering fresh downloads with
>> the bug.
>>
>> On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com>
>> wrote:
>>
>>> Yep, this deserves immediate action. I will build new releases of the
>>> 2.7+ branches as soon as I can.
>>>
>>> Although people dropping in the updated download.php from master is
>>> probably the quicker and easier patch.
>>>
>>>
>>>
>>> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>>>
>>>> Hey Folks,
>>>>
>>>> Looking for some advice on how to handle a GeoMoose Security bug. A
>>>> user reported earlier today that the download.php script allowed for file
>>>> system traversal by normalizing paths. E.g:
>>>>
>>>>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>>>>
>>>>
>>>> The call above was actually returning the password file. I have a new
>>>> version of download.php that I've put into master, r2.7, r2.8, r2.9. It can
>>>> be seen here:
>>>>
>>>> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>>>>
>>>> The users list should be notified immediately but I suspect it would
>>>> be good for us to have instructions written and new packages available.
>>>>
>>>> Here's my draft for the users list:
>>>>
>>>> (start)
>>>>
>>>> ALL USERS!!!
>>>>
>>>> A bug in GeoMoose was identified that affects many versions of
>>>> GeoMoose.  The earliest version of the bug we have been able to identify is
>>>> GeoMoose 2.7 but earlier versions of the 2.X series may also be affected.
>>>> This bug allows a well crafted URL to access the contents of nearly any
>>>> file on the file system.
>>>>
>>>> The fix for this is easy and works the same for all versions of
>>>> GeoMoose.  Find your copy of "download.php" and replace it with this one:
>>>>
>>>> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>>>>
>>>> This version has been tested and does not exhibit the bug.
>>>>
>>>> *Please* update your GeoMoose installations as soon as possible.
>>>>
>>>> Thank You,
>>>>
>>>> The GeoMoose Team
>>>>
>>>> (end)
>>>>
>>>> Any feedback is welcome, please let me know! If I don't hear from
>>>> anyone by tomorrow morning I'm going to drop the above message.
>>>>
>>>>
>>>> _______________________________________________
>>>> geomoose-psc mailing list
>>>> geomoose-psc at lists.osgeo.org
>>>> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>>>>
>>>
>>
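As an added illustration of the defect class discussed in this thread (this is not GeoMoose's own download.php, whose code is not reproduced here), the snippet below places a path built by bare concatenation of the `id` and `ext` query values next to a hardened builder that allow-lists both values and verifies that the `realpath()` result still lies inside the download directory. The base directory, the `id`/`ext` format and the sample file are assumptions made for the example.

```php
<?php
// Added example, not GeoMoose code. $download_dir is a hypothetical base
// directory; id/ext are assumed to be a bare file name and a bare extension.
declare(strict_types=1);

// Vulnerable pattern: the query values are joined straight onto the base
// directory, so "../" segments inside them are normalized by the file system
// and the resulting path walks out of $download_dir.
function build_path_unsafe(string $download_dir, string $id, string $ext): string
{
    return $download_dir . '/' . $id . '.' . $ext;
}

// Hardened pattern: strict allow-list on both values, then resolve with
// realpath() and require the result to sit under the base. Returns null
// whenever the request must be refused (bad input, missing file, escape).
function build_path_safe(string $download_dir, string $id, string $ext): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;               // slashes, dots and "../" never get this far
    }
    if (!preg_match('/^[A-Za-z0-9]{1,8}$/', $ext)) {
        return null;
    }
    $base = realpath($download_dir);
    if ($base === false) {
        return null;
    }
    // realpath() also returns false for a non-existent file, which is treated
    // as a refusal so a probe learns nothing about the rest of the tree.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($resolved === false) {
        return null;
    }
    // Containment check: resolved path must start with "<base><separator>".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Self-check with a constructed base directory and the parameters from the report.
$dir = sys_get_temp_dir() . '/gm_download_example';
@mkdir($dir);
file_put_contents($dir . '/foo.zip', 'constructed sample file');
var_dump(build_path_unsafe($dir, 'foo/.', '/../../../../../../../etc/passwd'));
var_dump(build_path_safe($dir, 'foo/.', '/../../../../../../../etc/passwd'));
var_dump(build_path_safe($dir, 'foo', 'zip'));
```

The first dump shows the concatenated string that the file system would normalize to `/etc/passwd`; the hardened builder returns `NULL` for that input and only yields a path for the legitimate file under the base directory.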