[geomoose-psc] PHP file system traversal vulnerability.
Jim Klassen
klassen.js at gmail.com
Tue Apr 4 15:43:56 PDT 2017
I'd vote announce. The announcement has the fix to existing users
attached (update download.php).
On 04/04/2017 05:05 PM, Dan Little wrote:
> I just heard back from Jeff, he's going to have a new MS4W package in
> the morning. Barring objection, I'd like to save the larger public
> announcement until then as we know all the packages are then up to date.
>
> On Tue, Apr 4, 2017 at 3:51 PM, James Klassen <klassen.js at gmail.com> wrote:
>
> Good points.
>
> Also, I have made 2.7.2, 2.8.2, and 2.9.3 releases with the fix.
>
> On Apr 4, 2017 15:42, "TC Haddad" <tchaddad at gmail.com> wrote:
>
>
> Hey Dan,
>
> FWIW, the text of your proposed email looks good. I think you
> could replace the three references to 'bug' with 'security
> issue' and that is more likely to get people's attention /
> quick action.
>
> I feel like when there are security releases in other
> projects, the information on the users list is kept to a
> minimum - just the facts of the release, relevant download
> links, and not a lot of info on the nature of the exploit.
>
> So given that you could even just end your first paragraph
> after "earlier versions of the 2.X series may also be
> affected."... if you think that's enough detail.
>
> Tanya
>
>
>
> On Tue, Apr 4, 2017 at 12:48 PM, James Klassen <klassen.js at gmail.com> wrote:
>
> Right.
>
> I will also hide the bad versions on the downloads (and
> redirect them to current).
>
> On Apr 4, 2017 14:46, "Dan Little" <theduckylittle at gmail.com> wrote:
>
> I suspect it will be but don't want to be offering
> fresh downloads with the bug.
>
> On Tue, Apr 4, 2017 at 2:44 PM, James Klassen <klassen.js at gmail.com> wrote:
>
> Yep, this deserves immediate action. I will build
> new releases of the 2.7+ branches as soon as I can.
>
> Although people dropping in the updated
> download.php from master is probably the quicker
> and easier patch.
>
>
>
> On Apr 4, 2017 14:23, "Dan Little" <theduckylittle at gmail.com> wrote:
>
> Hey Folks,
>
> Looking for some advice on how to handle a
> GeoMoose Security bug. A user reported
> earlier today that the download.php script
> allowed for file system traversal by
> normalizing paths. E.g.:
>
> http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>
>
> The call above was actually returning the
> password file. I have a new version of
> download.php that I've put into master, r2.7,
> r2.8, r2.9. It can be seen here:
>
> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>
> The users list should be notified immediately
> but I suspect it would be good for us to have
> instructions written and new packages available.
>
> Here's my draft for the users list:
>
> (start)
>
> ALL USERS!!!
>
> A bug in GeoMoose was identified that affects
> many versions of GeoMoose. The earliest
> version of the bug we have been able to
> identify is GeoMoose 2.7 but earlier versions
> of the 2.X series may also be affected. This
> bug allows a well crafted URL to access the
> contents of nearly any file on the file system.
>
> The fix for this is easy and works the same
> for all versions of GeoMoose. Find your copy
> of "download.php" and replace it with this one:
>
> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>
> This version has been tested and does not
> exhibit the bug.
>
> *Please* update your GeoMoose installations as
> soon as possible.
>
> Thank You,
>
> The GeoMoose Team
>
> (end)
>
> Any feedback is welcome, please let me know!
> If I don't hear from anyone by tomorrow
> morning I'm going to drop the above message.
>
>
> _______________________________________________
> geomoose-psc mailing list
> geomoose-psc at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geomoose-psc
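The traversal Dan describes above (id=foo/. plus ext=/../../etc/passwd escaping the download directory once the path is normalized) is easy to reproduce and easy to close properly. The PHP below is an added illustration written for this archive page; it is not GeoMoose's download.php, and the vulnerable builder is a hypothetical reconstruction of the shape the reported URL implies (download directory + id + "." + ext, then a lexical "."/".." collapse), not the project's actual code. The directory layout, the helper names (normalize_lexically, build_path_vulnerable, build_path_safe, demo) and the constructed files are all assumptions made for the demo; the real fix is the download.php linked in the thread.

```php
<?php
// Added example, not GeoMoose code. Reconstructs the reported traversal and
// shows a hardened path builder next to it. Assumes a Unix-like filesystem
// ("/" separators) and write access to sys_get_temp_dir().

// Lexical normalization: collapses "." and ".." on the string without touching
// the filesystem. Applied AFTER the pieces are joined, this is what lets
// "foo/." + "." + "/.." walk upward: the nonexistent "foo" segment is cancelled
// out before the kernel ever sees the path, so the file outside is opened.
function normalize_lexically(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Vulnerable (hypothetical reconstruction): raw query parameters are joined
// and normalized; nothing compares the result with the download directory.
function build_path_vulnerable(string $dir, string $id, string $ext): string
{
    // id="foo/." and ext="/../x" join to "$dir/foo/../../x" -> parent of $dir.
    return normalize_lexically($dir . '/' . $id . '.' . $ext);
}

// Hardened: allowlist the parameter syntax, resolve the real path, and
// refuse anything that does not sit below the resolved base directory.
// Returns null when the request must be rejected.
function build_path_safe(string $dir, string $id, string $ext): ?string
{
    // 1. Syntax allowlist: no slashes, no dots, bounded length.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id) ||
        !preg_match('/^[A-Za-z0-9]{1,8}$/', $ext)) {
        return null;
    }
    // 2. Resolve symlinks and "."/".." on both base and candidate (filesystem,
    //    not string, normalization; false means the file does not exist).
    $base = realpath($dir);
    $full = realpath($dir . '/' . $id . '.' . $ext);
    if ($base === false || $full === false) {
        return null;
    }
    // 3. Containment: the trailing separator stops "/dl-evil" matching "/dl".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Self-contained demo on a constructed temp tree: one legitimate download and
// one file outside the download directory standing in for /etc/passwd.
function demo(): void
{
    $root = sys_get_temp_dir() . '/gm_traversal_demo_' . getmypid();
    mkdir("$root/downloads", 0700, true);
    file_put_contents("$root/downloads/report.zip", 'constructed zip bytes');
    file_put_contents("$root/secret.txt", 'constructed: outside downloads');
    $dl = "$root/downloads";

    // Same shape as the reported URL, aimed at the constructed secret.
    $evilId  = 'foo/.';
    $evilExt = '/../secret.txt';

    $p = build_path_vulnerable($dl, $evilId, $evilExt);
    echo "vulnerable path: $p\n";
    echo "vulnerable read: " . (is_file($p) ? file_get_contents($p) : '(none)') . "\n";

    echo "safe path (evil): " . var_export(build_path_safe($dl, $evilId, $evilExt), true) . "\n";
    echo "safe path (good): " . var_export(build_path_safe($dl, 'report', 'zip'), true) . "\n";

    unlink("$root/downloads/report.zip");
    unlink("$root/secret.txt");
    rmdir("$root/downloads");
    rmdir($root);
}

demo();
```

Run it with `php traversal_demo.php`: the vulnerable builder resolves to the secret outside the download directory and reads it, while the hardened builder returns null for the crafted id/ext and a real path only for "report"/"zip". The allowlist alone would already stop this URL; the realpath containment check is what keeps the script safe against the next encoding or symlink trick that gets past a regex.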