[geomoose-psc] PHP file system traversal vulnerability.

James Klassen klassen.js at gmail.com
Tue Apr 4 13:51:46 PDT 2017


Good points.

Also, I have made 2.7.2, 2.8.2, and 2.9.3 releases with the fix.

On Apr 4, 2017 15:42, "TC Haddad" <tchaddad at gmail.com> wrote:

>
> Hey Dan,
>
> FWIW, the text of your proposed email looks good. I think you could
> replace the three references to 'bug' with 'security issue' and that is
> more likely to get people's attention / quick action.
>
> I feel like when there are security releases in other projects, the
> information on the users list is kept to a minimum - just the facts of the
> release, relevant download links, and not a lot of info on the nature of
> the exploit.
>
> So given that you could even just end your first paragraph after "earlier
> versions of the 2.X series may also be affected."... if you think that's
> enough detail.
>
> Tanya
>
>
>
> On Tue, Apr 4, 2017 at 12:48 PM, James Klassen <klassen.js at gmail.com>
> wrote:
>
>> Right.
>>
>> I will also hide the bad versions on the downloads (and redirect them to
>> current).
>>
>> On Apr 4, 2017 14:46, "Dan Little" <theduckylittle at gmail.com> wrote:
>>
>>> I suspect it will be but don't want to be offering fresh downloads with
>>> the bug.
>>>
>>> On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com>
>>> wrote:
>>>
>>>> Yep, this deserves immediate action. I will build new releases of the
>>>> 2.7+ branches as soon as I can.
>>>>
>>>> Although people dropping in the updated download.php from master is
>>>> probably the quicker and easier patch.
>>>>
>>>>
>>>>
>>>> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>>>>
>>>>> Hey Folks,
>>>>>
>>>>> Looking for some advice on how to handle a GeoMoose Security bug.  A
>>>>> user reported earlier today that the download.php script allowed for file
>>>>> system traversal by normalizing paths.  E.g:
>>>>>
>>>>>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>>>>>
>>>>>
>>>>> The call above was actually returning the password file.   I have a
>>>>> new version of download.php that I've put into master, r2.7, r2.8, r2.9. It
>>>>> can be seen here:
>>>>>
>>>>> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>>>>>
>>>>> The user's list should be notified immediately but I suspect it would
>>>>> be good for us to have instructions written and new packages available.
>>>>>
>>>>> Here's my draft for the user's list:
>>>>>
>>>>> (start)
>>>>>
>>>>> ALL USERS!!!
>>>>>
>>>>> A bug in GeoMoose was identified that affects many versions of
>>>>> GeoMoose.  The earliest version of the bug we have been able to identify is
>>>>> GeoMoose 2.7 but earlier versions of the 2.X series may also be affected.
>>>>> This bug allows a well crafted URL to access the contents of nearly any
>>>>> file on the file system.
>>>>>
>>>>> The fix for this is easy and works the same for all versions of
>>>>> GeoMoose.  Find your copy of "download.php" and replace it with this one:
>>>>>
>>>>> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>>>>>
>>>>> This version has been tested and does not exhibit the bug.
>>>>>
>>>>> *Please* update your GeoMoose installations as soon as possible.
>>>>>
>>>>> Thank You,
>>>>>
>>>>> The GeoMoose Team
>>>>>
>>>>> (end)
>>>>>
>>>>> Any feedback is welcome, please let me know! If I don't hear from
>>>>> anyone by tomorrow morning I'm going to drop the above message.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> geomoose-psc mailing list
>>>>> geomoose-psc at lists.osgeo.org
>>>>> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>>>>>
>>>>
>>>
>>
>
>
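As an added example that is not GeoMoose's own download.php (nor the fixed version linked in the thread): a containment check for a download endpoint of the same shape, where the resolved path must stay under the download directory instead of relying on path normalization. The base directory and the extension allow-list are assumptions.

```php
<?php
// Example handler for an "id" + "ext" download endpoint (not GeoMoose code).
// Assumptions: files live under $baseDir and carry one of a few known
// extensions; both the directory and the list are hypothetical.

function resolve_download_path(string $baseDir, string $id, string $ext): ?string
{
    // Allow-list the extension; never let the client supply free text here.
    $allowedExt = ['csv', 'zip', 'pdf'];
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // The identifier must be a plain token: no separators, dots or NUL bytes,
    // so inputs like "foo/." are rejected before any path is built.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks to the real on-disk location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null; // file does not exist (or its symlink target is gone)
    }
    // Containment check: the resolved path must start with the base directory
    // plus a separator, so "/var/dl" does not wrongly match "/var/dl-other/x".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: resolve the request, refuse anything that fails the checks.
$path = resolve_download_path(
    '/var/www/downloads',                 // hypothetical download directory
    (string)($_GET['id'] ?? ''),
    (string)($_GET['ext'] ?? '')
);
if ($path === null) {
    http_response_code(400);
    exit('Invalid download request');
}
header('Content-Type: application/octet-stream');
readfile($path);
```

The token check alone blocks the request shape shown in the thread; the realpath containment check is the backstop that also catches symlinks and any future change to how the path is assembled.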