[geomoose-psc] PHP file system traversal vulnerability.

Dan Little theduckylittle at gmail.com
Tue Apr 4 15:05:11 PDT 2017


I just heard back from Jeff, he's going to have a new MS4W package in the
morning.  Barring objection, I'd like to save the larger public
announcement until then as we know all the packages are then up to date.

On Tue, Apr 4, 2017 at 3:51 PM, James Klassen <klassen.js at gmail.com> wrote:

> Good points.
>
> Also, I have made 2.7.2, 2.8.2, and 2.9.3 releases with the fix.
>
> On Apr 4, 2017 15:42, "TC Haddad" <tchaddad at gmail.com> wrote:
>
>>
>> Hey Dan,
>>
>> FWIW, the text of your proposed email looks good. I think you could
>> replace the three references to 'bug' with 'security issue' and that is
>> more likely to get people's attention / quick action.
>>
>> I feel like when there are security releases in other projects, the
>> information on the users list is kept to a minimum - just the facts of the
>> release, relevant download links, and not a lot of info on the nature of
>> the exploit.
>>
>> So given that you could even just end your first paragraph after "earlier
>> versions of the 2.X series may also be affected."... if you think that's
>> enough detail.
>>
>> Tanya
>>
>>
>>
>> On Tue, Apr 4, 2017 at 12:48 PM, James Klassen <klassen.js at gmail.com>
>> wrote:
>>
>>> Right.
>>>
>>> I will also hide the bad versions on the downloads (and redirect them to
>>> current).
>>>
>>> On Apr 4, 2017 14:46, "Dan Little" <theduckylittle at gmail.com> wrote:
>>>
>>>> I suspect it will be but don't want to be offering fresh downloads with
>>>> the bug.
>>>>
>>>> On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com>
>>>> wrote:
>>>>
>>>>> Yep, this deserves immediate action.   will build new releases of the
>>>>> 2.7+ branches as soon as I can.
>>>>>
>>>>> Although people dropping in the updated download.php from master is
>>>>> probably the quicker and easier patch.
>>>>>
>>>>>
>>>>>
>>>>> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>>>>>
>>>>>> Hey Folks,
>>>>>>
>>>>>> Looking for some advice on how to handle a GeoMoose Security bug.  A
>>>>>> user reported earlier today that the download.php script allowed for file
>>>>>> system traversal by normalizing paths.  E.g:
>>>>>>
>>>>>>> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>>>>>>
>>>>>>
>>>>>> The call above was actually returning the password file.   I have a
>>>>>> new version of download.php that I've put into master, r2.7, r2.8, r2.9. It
>>>>>> can be seen here:
>>>>>>
>>>>>> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>>>>>>
>>>>>> The user's list should be notified immediately but I suspect it would
>>>>>> be good for us to have instructions written and new packages available.
>>>>>>
>>>>>> Here's my draft for the user's list:
>>>>>>
>>>>>> (start)
>>>>>>
>>>>>> ALL USERS!!!
>>>>>>
>>>>>> A bug in GeoMoose was identified that affects many versions of
>>>>>> GeoMoose.  The earliest version of the bug we have been able to identify is
>>>>>> GeoMoose 2.7 but earlier versions of the 2.X series may also be affected.
>>>>>> This bug allows a well crafted URL to access the contents of nearly any
>>>>>> file on the file system.
>>>>>>
>>>>>> The fix for this is easy and works the same for all versions of
>>>>>> GeoMoose.  Find your copy of "download.php" and replace it with this one:
>>>>>>
>>>>>> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>>>>>>
>>>>>> This version has been tested and does not exhibit the bug.
>>>>>>
>>>>>> *Please* update your GeoMoose installations as soon as possible.
>>>>>>
>>>>>> Thank You,
>>>>>>
>>>>>> The GeoMoose Team
>>>>>>
>>>>>> (end)
>>>>>>
>>>>>> Any feedback is welcome, please let me know! If I don't hear from
>>>>>> anyone by tomorrow morning I'm going to drop the above message.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> geomoose-psc mailing list
>>>>>> geomoose-psc at lists.osgeo.org
>>>>>> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>>>>>>
>>>>>
>>>>
>>
>>
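The report above concerns a download handler that built a file path from the user-supplied "id" and "ext" parameters and normalized it, so a request could walk out of the download directory. The following is an added illustration of a containment check for such a handler; it is not GeoMoose's download.php, and the function name safe_download_path(), the $baseDir argument and the "$id.$ext" path layout are assumptions.

```php
<?php
// Added example, not the project's code.  Assumed layout: the served file is
// "<download dir>/<id>.<ext>".  The request is refused unless the resolved
// path lies strictly inside the download directory.

/**
 * Return the absolute path of the requested file, or null if the request
 * must be refused.
 */
function safe_download_path(string $baseDir, string $id, string $ext): ?string
{
    // Allow-list each parameter before touching the file system.  An id is a
    // word-like token and an extension a short alphanumeric suffix; "/" and
    // "." are rejected here, so "foo/." and "/../../etc/passwd" never reach
    // the path build at all.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9]{1,8}$/', $ext)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // download directory does not exist
    }

    // Defence in depth: resolve symlinks and any "." / ".." components the
    // OS would apply, then require the result to sit below the base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null; // requested file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the download directory
    }
    return $candidate;
}

// Constructed demonstration: a temporary download directory holding one file,
// a benign request, and the traversal parameters from the report.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gm_downloads_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'foo.zip', 'constructed sample');

var_dump(safe_download_path($dir, 'foo', 'zip'));
var_dump(safe_download_path($dir, 'foo/.', '/../../../../../../../etc/passwd'));
```

The first call returns the resolved path of foo.zip; the second returns null at the allow-list step, and would also fail the realpath prefix check if the allow-list were ever relaxed.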

