[geomoose-psc] PHP file system traversal vulnerability.

James Klassen klassen.js at gmail.com
Tue Apr 4 12:48:47 PDT 2017


Right.

I will also hide the bad versions on the downloads (and redirect them to
current).

On Apr 4, 2017 14:46, "Dan Little" <theduckylittle at gmail.com> wrote:

> I suspect it will be but don't want to be offering fresh downloads with
> the bug.
>
> On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com>
> wrote:
>
>> Yep, this deserves immediate action.   will build new releases of the
>> 2.7+ branches as soon as I can.
>>
>> Although people dropping in the updated download.php from master is
>> probably the quicker and easier patch.
>>
>>
>>
>> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>>
>>> Hey Folks,
>>>
>>> Looking for some advice on how to handle a GeoMoose Security bug.  A
>>> user reported earlier today that the download.php script allowed for file
>>> system traversal by normalizing paths.  E.g:
>>>
>>>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>>>
>>>
>>> The call above was actually returning the password file. I have a new
>>> version of download.php that I've put into master, r2.7, r2.8, r2.9. It can
>>> be seen here:
>>>
>>> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>>>
>>> The user's list should be notified immediately but I suspect it would be
>>> good for us to have instructions written and new packages available.
>>>
>>> Here's my draft for the user's list:
>>>
>>> (start)
>>>
>>> ALL USERS!!!
>>>
>>> A bug in GeoMoose was identified that affects many versions of
>>> GeoMoose. The earliest version of the bug we have been able to identify is
>>> GeoMoose 2.7 but earlier versions of the 2.X series may also be affected.
>>> This bug allows a well crafted URL to access the contents of nearly any
>>> file on the file system.
>>>
>>> The fix for this is easy and works the same for all versions of
>>> GeoMoose. Find your copy of "download.php" and replace it with this one:
>>>
>>> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>>>
>>> This version has been tested and does not exhibit the bug.
>>>
>>> *Please* update your GeoMoose installations as soon as possible.
>>>
>>> Thank You,
>>>
>>> The GeoMoose Team
>>>
>>> (end)
>>>
>>> Any feedback is welcome, please let me know! If I don't hear from
>>> anyone by tomorrow morning I'm going to drop the above message.
>>>
>>>
>>> _______________________________________________
>>> geomoose-psc mailing list
>>> geomoose-psc at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>>>
>>
>
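The traversal described in the quoted report comes from building a file path out of the raw id and ext parameters and letting path normalization walk out of the download directory. The following is an added illustration of how a download handler can confine such a request; it is not GeoMoose's download.php and does not reproduce its API. The base directory, the allowed-extension list and the function name resolve_download are assumptions for the example.

```php
<?php
// Added example (not GeoMoose's own download.php): confine a user-supplied
// file reference to one base directory before serving it.

// Hypothetical base directory that holds the downloadable files.
const DOWNLOAD_BASE = '/var/www/geomoose/downloads';

// Hypothetical allowlist of extensions the handler may serve.
const ALLOWED_EXT = ['zip', 'kml', 'csv', 'pdf'];

/**
 * Return the absolute path to serve, or null if the request must be refused.
 * $id and $ext are the raw query parameters; the quoted report shows both
 * took part in the traversal, so both are validated.
 */
function resolve_download(string $base, string $id, string $ext): ?string
{
    // The identifier must be a plain token: no slashes, dots or NUL bytes,
    // so neither "foo/." nor "../" can reach the path at all.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $id)) {
        return null;
    }
    // The extension must come from the allowlist (lowercase, no leading dot),
    // which rules out values such as "/../../etc/passwd".
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Defense in depth: resolve symlinks and ".." components on both the base
    // and the candidate, then require the candidate to sit under the base.
    // realpath() returns false for a missing file, which is also a refusal.
    $realBase  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($realBase === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage in a request handler: refuse with 400 instead of serving the file.
$path = resolve_download(DOWNLOAD_BASE, $_GET['id'] ?? '', $_GET['ext'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit;
}
readfile($path);
```

With these checks the request quoted in the report (id=foo/. and ext=/../../../../../../../etc/passwd) is refused at the first two tests and never reaches the file system.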

