[geomoose-psc] PHP file system traversal vulnerability.

James Klassen klassen.js at gmail.com
Tue Apr 4 12:44:26 PDT 2017


Yep, this deserves immediate action. I will build new releases of the 2.7+
branches as soon as I can.

Although people dropping in the updated download.php from master is
probably the quicker and easier patch.



On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:

> Hey Folks,
>
> Looking for some advice on how to handle a GeoMoose Security bug.  A user
> reported earlier today that the download.php script allowed for file system
> traversal by normalizing paths.  E.g:
>
>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>
>
> The call above was actually returning the password file. I have a new
> version of download.php that I've put into master, r2.7, r2.8, r2.9. It can
> be seen here:
>
> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>
> The user's list should be notified immediately but I suspect it would be
> good for us to have instructions written and new packages available.
>
> Here's my draft for the user's list:
>
> (start)
>
> ALL USERS!!!
>
> A bug in GeoMoose was identified that affects many versions of GeoMoose.
> The earliest version of the bug we have been able to identify is GeoMoose
> 2.7 but earlier versions of the 2.X series may also be affected. This bug
> allows a well-crafted URL to access the contents of nearly any file on the
> file system.
>
> The fix for this is easy and works the same for all versions of GeoMoose.
> Find your copy of "download.php" and replace it with this one:
>
> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>
> This version has been tested and does not exhibit the bug.
>
> *Please* update your GeoMoose installations as soon as possible.
>
> Thank You,
>
> The GeoMoose Team
>
> (end)
>
> Any feedback is welcome, please let me know! If I don't hear from anyone
> by tomorrow morning I'm going to drop the above message.
>
>
> _______________________________________________
> geomoose-psc mailing list
> geomoose-psc at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>
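The thread above describes a download handler that built a file path from the
user-supplied `id` and `ext` parameters and could be steered out of its
directory with `..` segments. The following is an added illustration of the
defensive pattern such a handler needs; it is not GeoMoose's download.php or
any code from the project, and the function name `resolveDownload`, the
`$downloadDir` location and the allowed-extension list are assumptions made
for the example.

```php
<?php
// Added example, not the GeoMoose download.php: a download handler that
// refuses to serve anything outside its own directory.
//
// The generic unsafe pattern the thread describes is a plain concatenation
// such as  $file = $dir . '/' . $_GET['id'] . $_GET['ext'];  followed by
// readfile($file), which lets "../" segments in either parameter escape $dir.

declare(strict_types=1);

/**
 * Resolve a requested download to a file inside $downloadDir, or return null.
 * Both $id and $ext come straight from the request and are never trusted.
 */
function resolveDownload(string $downloadDir, string $id, string $ext): ?string
{
    // 1. The id must be a simple token: no slashes, dots, NUL bytes or spaces.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }

    // 2. Only serve the extensions this endpoint is meant to serve (assumed list).
    $ext = strtolower($ext);
    $allowedExt = ['zip', 'csv', 'pdf', 'shp', 'dbf', 'shx'];
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // 3. Canonicalise both the base directory and the candidate file.
    $base = realpath($downloadDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false || !is_file($candidate)) {
        return null; // file does not exist (realpath() returns false)
    }

    // 4. Containment check on the resolved path: it must start with the base
    //    directory plus a separator. This also rejects symlinks that point
    //    outside the directory, which a textual "../" filter alone would miss.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed handler flow for illustration (paths are assumptions).
$downloadDir = __DIR__ . '/downloads';
$id  = (string)($_GET['id']  ?? '');
$ext = (string)($_GET['ext'] ?? '');

$path = resolveDownload($downloadDir, $id, $ext);
if ($path === null) {
    // Rejected requests are worth logging: a burst of them is the signal an
    // operator would want when someone probes for the traversal described above.
    error_log(sprintf('download.php rejected id=%s ext=%s', $id, $ext));
    http_response_code(400);
    echo 'Invalid download request';
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The important property is that the decision is made on the `realpath()` result
rather than on the raw request string: the allowlist in steps 1 and 2 stops
the obvious inputs (the `foo/.` and `/../../etc/passwd` values from the report
fail both), and step 4 is the backstop that holds even if a future change
loosens the allowlist.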

