[geomoose-psc] PHP file system traversal vulnerability.

Dan Little theduckylittle at gmail.com
Tue Apr 4 12:23:11 PDT 2017


Hey Folks,

Looking for some advice on how to handle a GeoMoose Security bug.  A user
reported earlier today that the download.php script allowed for file system
traversal by normalizing paths.  E.g:

> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd


The call above was actually returning the password file. I have a new
version of download.php that I've put into master, r2.7, r2.8, r2.9. It can
be seen here:

- https://github.com/geomoose/geomoose-services/blob/master/php/download.php

The users' list should be notified immediately, but I suspect it would be
good for us to have instructions written and new packages available.

Here's my draft for the users' list:

(start)

ALL USERS!!!

A bug in GeoMoose was identified that affects many versions of GeoMoose.
The earliest version with the bug we have been able to identify is GeoMoose
2.7, but earlier versions of the 2.X series may also be affected. This bug
allows a well-crafted URL to access the contents of nearly any file on the
file system.

The fix for this is easy and works the same for all versions of GeoMoose.
Find your copy of "download.php" and replace it with this one:

- https://github.com/geomoose/geomoose-services/raw/master/php/download.php

This version has been tested and does not exhibit the bug.

*Please* update your GeoMoose installations as soon as possible.

Thank You,

The GeoMoose Team

(end)

Any feedback is welcome, please let me know! If I don't hear from anyone
by tomorrow morning, I'm going to drop the above message.
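The defensive pattern a replacement download script needs, as an added example that is not GeoMoose's own download.php: the `id` and `ext` parameters named in the report are allow-listed before any file-system call, and the resolved path is then checked for containment in a fixed download directory. The directory, the function name `resolveDownloadPath` and the sample file are assumptions constructed for this example.

```php
<?php
// Added example, not the project's code: resolve a download request safely.
// Assumption: served files live under a single fixed directory $downloadDir
// and the request supplies "id" and "ext" as in the reported URL.

function resolveDownloadPath(string $downloadDir, string $id, string $ext): ?string
{
    // Allow-list both components before touching the file system: a download
    // identifier or extension never legitimately contains "/" or "..".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id) || !preg_match('/^[A-Za-z0-9]+$/', $ext)) {
        return null;
    }

    $base = realpath($downloadDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "." and ".." and resolves symlinks, so the
    // containment check below runs against the canonical path, not the
    // string the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null; // no such file: treated the same as a rejected request
    }

    // Second layer: the resolved file must sit strictly inside $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration: a scratch directory holding one legitimate file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report1.zip', 'constructed sample');

var_dump(resolveDownloadPath($dir, 'report1', 'zip'));                     // legitimate request
var_dump(resolveDownloadPath($dir, 'foo/.', '/../../../../../../../etc/passwd')); // the report's input
var_dump(resolveDownloadPath($dir, 'missing', 'zip'));                     // file that does not exist

unlink($dir . DIRECTORY_SEPARATOR . 'report1.zip');
rmdir($dir);
```

Only the first call returns a path; the other two return null, the second because the allow-list rejects it before realpath() is ever consulted.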