[geomoose-psc] PHP file system traversal vulnerability.

Dan Little theduckylittle at gmail.com
Tue Apr 4 12:46:31 PDT 2017


I suspect it will be but don't want to be offering fresh downloads with the
bug.

On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com> wrote:

> Yep, this deserves immediate action. I will build new releases of the 2.7+
> branches as soon as I can.
>
> Although people dropping in the updated download.php from master is
> probably the quicker and easier patch.
>
>
>
> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>
>> Hey Folks,
>>
>> Looking for some advice on how to handle a GeoMoose Security bug.  A user
>> reported earlier today that the download.php script allowed for file system
>> traversal by normalizing paths, e.g.:
>>
>>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>>
>>
>> The call above was actually returning the password file.   I have a new
>> version of download.php that I've put into master, r2.7, r2.8, r2.9. It can
>> be seen here:
>>
>> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>>
>> The users' list should be notified immediately but I suspect it would be
>> good for us to have instructions written and new packages available.
>>
>> Here's my draft for the users' list:
>>
>> (start)
>>
>> ALL USERS!!!
>>
>> A bug in GeoMoose was identified that affects many versions of
>> GeoMoose.  The earliest version of the bug we have been able to identify is
>> GeoMoose 2.7 but earlier versions of the 2.X series may also be affected.
>> This bug allows a well crafted URL to access the contents of nearly any
>> file on the file system.
>>
>> The fix for this is easy and works the same for all versions of
>> GeoMoose.  Find your copy of "download.php" and replace it with this one:
>>
>> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>>
>> This version has been tested and does not exhibit the bug.
>>
>> *Please* update your GeoMoose installations as soon as possible.
>>
>> Thank You,
>>
>> The GeoMoose Team
>>
>> (end)
>>
>> Any feedback is welcome, please let me know! If I don't hear from anyone
>> by tomorrow morning I'm going to drop the above message.
>>
>>
>> _______________________________________________
>> geomoose-psc mailing list
>> geomoose-psc at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>>
>
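Added illustration of the bug class discussed in the thread. This is not GeoMoose's download.php (the thread does not reproduce that script's contents); it assumes the vulnerable handler joined the "id" and "ext" query parameters onto a download directory and then normalized the resulting path lexically, so that "foo/." followed by "/../../../../../../../etc/passwd" collapses to /etc/passwd. The parameter names come from the reported URL; the directory layout, function names and the lexical_normalize helper are assumptions for the demonstration, which targets a Unix host.

```php
<?php
// Added example for this thread, not GeoMoose's download.php. Assumes the
// vulnerable script concatenated the "id" and "ext" parameters onto a base
// directory and normalized the result lexically (assumption, see lead-in).

// Lexical normalization: collapses "." and ".." segments without touching
// the filesystem. Assumed stand-in for whatever the original script did.
function lexical_normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);   // once $base is exhausted this walks up to "/"
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Vulnerable pattern: untrusted input is joined into the path and the
// traversal sequences are resolved on the attacker's behalf. With the
// payload from the report this yields /etc/passwd whatever $base is.
function vulnerable_download_path(string $base, string $id, string $ext): string
{
    return lexical_normalize($base . '/' . $id . $ext);
}

// Hardened version. Three independent checks, each of which alone stops the
// reported payload:
//  1. strict character allow-list on id and ext, so "/", ".." and NUL bytes
//     never reach the filesystem;
//  2. realpath() on the candidate, which resolves symlinks and returns false
//     for non-existent files instead of guessing a path;
//  3. prefix check against the resolved base directory, with the trailing
//     separator included so "/srv/dl-other/x" is not accepted for "/srv/dl".
function safe_download_path(string $base, string $id, string $ext): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    if (!preg_match('/\A\.[A-Za-z0-9]{1,8}\z/', $ext)) {
        return null;
    }

    $root = realpath($base);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . '/' . $id . $ext);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration with constructed input: a scratch download directory holding
// one legitimate file, plus the id/ext pair from the report.
$base = sys_get_temp_dir() . '/geomoose_dl_' . getmypid();
mkdir($base);
file_put_contents($base . '/report.pdf', 'legitimate download');

$attackId  = 'foo/.';
$attackExt = '/../../../../../../../etc/passwd';

printf("vulnerable handler resolves to: %s\n",
       vulnerable_download_path($base, $attackId, $attackExt));
var_dump(safe_download_path($base, $attackId, $attackExt));   // reported payload
var_dump(safe_download_path($base, 'report', '.pdf'));         // legitimate request
var_dump(safe_download_path($base, '..', '.pdf'));             // traversal in id alone

unlink($base . '/report.pdf');
rmdir($base);
```

Run it with the php CLI; the script creates and removes its own scratch directory. The allow-list is the check that matters most: realpath() plus a prefix comparison is sound, but it only works for files that already exist, and a prefix comparison without the trailing separator is a classic off-by-one that accepts sibling directories sharing the base's name as a prefix.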