[geomoose-psc] PHP file system traversal vulnerability.

Jeff McKenna jmckenna at gatewaygeomatics.com
Wed Apr 5 05:17:21 PDT 2017


MS4W has been updated (the setup.exe now points to 2.9.3, and the 
downloads page has been updated: http://ms4w.com/download.html)

-jeff



On 2017-04-04 4:23 PM, Dan Little wrote:
> Hey Folks,
>
> Looking for some advice on how to handle a GeoMoose Security bug.  A
> user reported earlier today that the download.php script allowed for
> file system traversal by normalizing paths.  E.g:
>
>     http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
>
>
> The call above was actually returning the password file.   I have a new
> version of download.php that I've put into master, r2.7, r2.8, r2.9. It
> can be seen here:
>
> - https://github.com/geomoose/geomoose-services/blob/master/php/download.php
>
> The users' list should be notified immediately but I suspect it would be
> good for us to have instructions written and new packages available.
>
> Here's my draft for the users' list:
>
> (start)
>
> ALL USERS!!!
>
> A bug in GeoMoose was identified that affects many versions of
> GeoMoose.  The earliest version of the bug we have been able to identify
> is GeoMoose 2.7 but earlier versions of the 2.X series may also be
> affected.  This bug allows a well crafted URL to access the contents of
> nearly any file on the file system.
>
> The fix for this is easy and works the same for all versions of
> GeoMoose.  Find your copy of "download.php" and replace it with this one:
>
> - https://github.com/geomoose/geomoose-services/raw/master/php/download.php
>
> This version has been tested and does not exhibit the bug.
>
> *Please* update your GeoMoose installations as soon as possible.
>
> Thank You,
>
> The GeoMoose Team
>
> (end)
>
> Any feedback is welcome, please let me know! If I don't hear from
> anyone by tomorrow morning I'm going to drop the above message.
>
>
>
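The traversal Dan describes comes from building a file path out of the `id` and `ext` request parameters and letting path normalization (`foo/.` plus `/../../..`) walk out of the download directory. The following PHP is an added illustration of how a download handler can be confined, written for this thread and not taken from the GeoMoose project's fixed download.php (which is at the GitHub link above). The download directory `/var/www/geomoose/downloads`, the function name `safe_download_path` and the character whitelists are assumptions chosen for the example.

```php
<?php
// Added example, not the GeoMoose project's download.php.
// Confine a download handler to one directory and reject traversal
// in the id/ext request parameters. Paths and names are assumptions.

function safe_download_path(string $downloadDir, string $id, string $ext): ?string
{
    // First line of defence: whitelist the parameters so that "/", ".",
    // and ".." can never enter the path in the first place.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;   // rejects e.g. "foo/." from the report above
    }
    if (!preg_match('/^[A-Za-z0-9]{1,8}$/', $ext)) {
        return null;   // rejects e.g. "/../../../../../../../etc/passwd"
    }

    $base = realpath($downloadDir);
    if ($base === false) {
        return null;   // download directory is missing or unreadable
    }

    // Resolve the candidate the same way the OS will (symlinks, "..", ".")
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null;   // no such file
    }

    // Second line of defence: the resolved path must still be inside $base.
    // Compare with the trailing separator so "/downloads-evil" cannot match
    // a base of "/downloads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Handler: both parameters are untrusted; anything that fails validation
// gets a 400 instead of a file.
$id  = $_GET['id']  ?? '';
$ext = $_GET['ext'] ?? '';

$path = safe_download_path('/var/www/geomoose/downloads', $id, $ext); // assumed directory
if ($path === null) {
    http_response_code(400);
    exit('Invalid download request');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The two checks are deliberately redundant: the whitelist is what actually stops the reported input, while the `realpath` prefix comparison catches anything the whitelist is later relaxed to allow (symlinked files, Unicode look-alikes, a future parameter). A server log line showing `id` or `ext` containing `..` or `/` after such a fix is deployed is a useful thing to alert on, since legitimate clients never send it.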

