<div dir="auto"><div dir="auto">Yep, this deserves immediate action. Will build new releases of the 2.7+ branches as soon as I can.</div><div dir="auto"><br></div><div dir="auto">Although people dropping in the updated download.php from master is probably the quicker and easier patch.</div><div dir="auto"><br></div><div dir="auto"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Apr 4, 2017 14:23, "Dan Little" <<a href="mailto:theduckylittle@gmail.com">theduckylittle@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hey Folks,<div><br></div><div>Looking for some advice on how to handle a GeoMoose security bug. A user reported earlier today that the download.php script allowed for file system traversal by normalizing paths. E.g.: </div><blockquote class="gmail_quote" style="font-size:12.8px;margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd" target="_blank">http://demo.geomoose.org/maste<wbr>r/php/download.php?id=foo/.&<wbr>ext=/../../../../../../../etc/<wbr>passwd</a></blockquote><div><br></div><div>The call above was actually returning the password file. I have a new version of download.php that I've put into master, r2.7, r2.8, r2.9. It can be seen here:</div><div><br></div><div>- <a href="https://github.com/geomoose/geomoose-services/blob/master/php/download.php" target="_blank">https://github.com/geomoose/<wbr>geomoose-services/blob/master/<wbr>php/download.php</a></div><div><br></div><div>The users' list should be notified immediately, but I suspect it would be good for us to have instructions written and new packages available. 
</div><div><br></div><div>Here's my draft for the users' list:</div><div><br></div><div>(start)</div><div><br></div><div>ALL USERS!!!</div><div><br></div><div>A bug in GeoMoose was identified that affects many versions of GeoMoose. The earliest version of the bug we have been able to identify is GeoMoose 2.7, but earlier versions of the 2.X series may also be affected. This bug allows a well-crafted URL to access the contents of nearly any file on the file system. </div><div><br></div><div>The fix for this is easy and works the same for all versions of GeoMoose. Find your copy of "download.php" and replace it with this one:</div><div><br></div><div>- <a href="https://github.com/geomoose/geomoose-services/raw/master/php/download.php" target="_blank">https://github.com/geomoose/<wbr>geomoose-services/raw/master/<wbr>php/download.php</a></div><div><br></div><div>This version has been tested and does not exhibit the bug.</div><div><br></div><div>*Please* update your GeoMoose installations as soon as possible.</div><div><br></div><div>Thank You,</div><div><br></div><div>The GeoMoose Team</div><div><br></div><div>(end)</div><div><br></div><div>Any feedback is welcome, please let me know! If I don't hear from anyone by tomorrow morning I'm going to drop the above message.</div><div><br></div></div>
<br>______________________________<wbr>_________________<br>
geomoose-psc mailing list<br>
<a href="mailto:geomoose-psc@lists.osgeo.org">geomoose-psc@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geomoose-psc" rel="noreferrer" target="_blank">https://lists.osgeo.org/<wbr>mailman/listinfo/geomoose-psc</a><br></blockquote></div></div>
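The thread links the fixed download.php but does not reproduce it. The following is an added example, not GeoMoose's own code, of how a download handler can refuse the traversal pattern described above: it whitelists the `id` and `ext` parameters, canonicalises the resulting path with `realpath()` (which collapses any `..` components and resolves symlinks), and then checks that the canonical path still lies under the download directory. The parameter names `id` and `ext` are taken from the reported URL; the `downloads` directory, the `<id>.<ext>` naming scheme and the `safeDownloadPath` helper are assumptions for the example.

```php
<?php
// Added example (not GeoMoose's download.php). Assumed layout: exported files
// live under a single $baseDir and are named "<id>.<ext>"; the request
// parameters "id" and "ext" come from the URL quoted in the report.

function safeDownloadPath(string $baseDir, string $id, string $ext): ?string
{
    // Whitelist first: neither parameter may contain slashes, dots or NUL bytes,
    // so "foo/." and "/../../etc/passwd" are rejected before any path is built.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id) || !preg_match('/^[A-Za-z0-9]+$/', $ext)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // download directory missing or unreadable
    }

    // realpath() returns false for a non-existent file and yields the canonical
    // absolute path otherwise, with "." and ".." already collapsed and symlinks
    // followed. The containment check below therefore sees the real target.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null;
    }

    // Prefix check including the separator, so a sibling such as
    // "/srv/downloads-old" does not pass as being inside "/srv/downloads".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the download directory
    }
    return $candidate;
}

// Request handling.
$baseDir = __DIR__ . '/downloads'; // assumed location of the exported files
$path = safeDownloadPath($baseDir, $_GET['id'] ?? '', $_GET['ext'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid download request');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The two layers are deliberate: the character whitelist alone would be enough for the reported URL, but the `realpath()` containment check also catches anything that reaches the filesystem through a symlink planted inside the download directory, and it keeps working if a later change relaxes the whitelist. A request that fails either check gets a 400 and nothing from disk, which is also the event worth logging when looking for probes of this kind in web server access logs.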