PHP file system traversal vulnerability.


PHP file system traversal vulnerability.

Dan Little-2
Hey Folks,

Looking for some advice on how to handle a GeoMoose security bug. A user reported earlier today that the download.php script allowed for file system traversal by normalizing paths. E.g.:
http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd

The call above was actually returning the password file. I have a new version of download.php that I've put into master, r2.7, r2.8, r2.9. It can be seen here:

- https://github.com/geomoose/geomoose-services/blob/master/php/download.php

The user's list should be notified immediately but I suspect it would be good for us to have instructions written and new packages available.  

Here's my draft for the user's list:

(start)

ALL USERS!!!

A bug in GeoMoose was identified that affects many versions of GeoMoose. The earliest version of the bug we have been able to identify is GeoMoose 2.7, but earlier versions of the 2.X series may also be affected. This bug allows a well-crafted URL to access the contents of nearly any file on the file system.

The fix for this is easy and works the same for all versions of GeoMoose. Find your copy of "download.php" and replace it with this one:

- https://github.com/geomoose/geomoose-services/raw/master/php/download.php

This version has been tested and does not exhibit the bug.

*Please* update your GeoMoose installations as soon as possible.

Thank You,

The GeoMoose Team

(end)

Any feedback is welcome, please let me know! If I don't hear from anyone by tomorrow morning I'm going to drop the above message.


_______________________________________________
geomoose-psc mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/geomoose-psc
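One way to handle the id/ext parameters so that a request can never leave the download directory, as an added example rather than the project's own download.php (the function name, the extension allow-list and the throwaway test directory are assumptions made here):

```php
<?php
// Added example, not GeoMoose's download.php: map the id/ext request
// parameters to a file without letting the request leave the download
// directory. safe_download_path(), ALLOWED_EXT and the temporary test
// directory are assumptions made for this example.

const ALLOWED_EXT = ['zip', 'csv', 'json', 'pdf'];

/**
 * Return the absolute path of the requested file, or null if the request
 * must be refused. Three independent checks are applied, in this order:
 *   1. allow-list the syntax of both parameters, so no separator, dot
 *      sequence or NUL byte can reach the path at all;
 *   2. only then build the path by concatenation under the base directory;
 *   3. resolve with realpath() and confirm the result is still inside the
 *      base, which also catches symlinks that point out of it.
 */
function safe_download_path(string $baseDir, string $id, string $ext): ?string
{
    // 1. Strict syntax: a bare token for the id, a fixed list for the extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // 2. Build the path only after the allow-list has passed.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $id . '.' . $ext;

    // 3. Defence in depth: realpath() collapses '.', '..' and symlinks, and
    //    returns false for a missing file; the result must stay under $base.
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// In a real handler the caller would then do, for example:
//   $path = safe_download_path(__DIR__ . '/downloads', $_GET['id'] ?? '', $_GET['ext'] ?? '');
//   if ($path === null) { http_response_code(400); exit; }
//   readfile($path);

// --- constructed self-test on a throwaway directory ----------------------
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . '/report1.csv', "a,b\n1,2\n");

// A legitimate request resolves to the file inside the directory.
expect(safe_download_path($tmp, 'report1', 'csv') === realpath($tmp . '/report1.csv'),
       'legitimate request allowed');
// The parameters from the reported URL are refused at check 1, before any path exists.
expect(safe_download_path($tmp, 'foo/.', '/../../../../../../../etc/passwd') === null,
       'reported traversal refused');
// Traversal in the id alone, or an extension outside the allow-list, is refused too.
expect(safe_download_path($tmp, '../report1', 'csv') === null, 'dot-dot in id refused');
expect(safe_download_path($tmp, 'report1', 'php') === null, 'extension not allowed');
// A missing file yields null instead of a warning from readfile().
expect(safe_download_path($tmp, 'nothere', 'csv') === null, 'missing file refused');
unlink($tmp . '/report1.csv');
rmdir($tmp);
echo "all checks passed\n";
```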

Re: PHP file system traversal vulnerability.

James Klassen-2
Yep, this deserves immediate action. I will build new releases of the 2.7+ branches as soon as I can.

Although people dropping in the updated download.php from master is probably the quicker and easier patch.




Re: PHP file system traversal vulnerability.

Dan Little-2
I suspect it will be, but I don't want to be offering fresh downloads with the bug.


Re: PHP file system traversal vulnerability.

James Klassen-2
Right.

I will also hide the bad versions on the downloads (and redirect them to current).


Re: PHP file system traversal vulnerability.

TC Haddad

Hey Dan,

FWIW, the text of your proposed email looks good. I think you could replace the three references to 'bug' with 'security issue' and that is more likely to get people's attention / quick action.

I feel like when there are security releases in other projects, the information on the users list is kept to a minimum - just the facts of the release, relevant download links, and not a lot of info on the nature of the exploit.

So, given that, you could even just end your first paragraph after "earlier versions of the 2.X series may also be affected."... if you think that's enough detail.

Tanya




Re: PHP file system traversal vulnerability.

James Klassen-2
Good points.

Also, I have made 2.7.2, 2.8.2, and 2.9.3 releases with the fix.


Re: PHP file system traversal vulnerability.

Dan Little-2
I just heard back from Jeff; he's going to have a new MS4W package in the morning. Barring objection, I'd like to save the larger public announcement until then, as we know all the packages are then up to date.


Re: PHP file system traversal vulnerability.

James Klassen-2

I'd vote announce. The announcement has the fix for existing users attached (update download.php).



Re: PHP file system traversal vulnerability.

jmckenna
MS4W has been updated (the setup.exe now points to 2.9.3, and the downloads page has been updated: http://ms4w.com/download.html)

-jeff


