On Thu, 2005-10-06 at 23:53 +0200, Martin Lohmeier wrote:
> Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> >
> > As part of the installation procedure in README.Debian, you are told to
> > configure horde3 via a web interface. This is done using an
> > Administrator account which requires no password. In the time that the
> > application is in this state, anyone who goes to the website is
> > automatically logged in as Administrator with no password. The
> > Administrative account is granted access to 3 tools that look extremely
> > dangerous: cmdshell.php, sqlshell.php and phpshell.php. I didn't
> > determine what phpshell.php does. However, when I used the cmdshell.php
> > I was able to execute arbitrary commands as the www-user. For instance,
> > I was able to successfully execute "cat /etc/passwd". This is horribly
> > unacceptable.
> >
> > I would recommend that cmdshell.php and sqlshell.php be removed. They
> > are a much bigger security hole than they are worth. I don't know what
> > phpshell.php does, but I wouldn't be surprised if it were in this same
> > category.
> >
> > I also would recommend that a password be required to use the
> > Administration interface.
>
> The security problem is your webserver & php. Set open_basedir for
> example. And as long as you haven't configured horde (and you only can if
> you change permission and ownership of the configuration files) you do not
> have sql access and you cannot do anything with sqlshell.php.
>
> bye, Martin
>
ok. sqlshell.php might be innocuous, but cmdshell.php isn't. If the only way to configure horde securely is to do something with open_basedir, or something similar, that needs to be documented in README.Debian. Following the current instructions in README.Debian causes your webserver to be vulnerable.
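As an added illustration (not from the bug report, the Debian package or Horde itself), an Apache 2 / mod_php fragment showing the two mitigations the thread discusses side by side: the open_basedir restriction Martin suggests, and a block on the three admin shell scripts Mike wants removed. The DocumentRoot /usr/share/horde3 and the script names are assumptions taken from the thread; adjust to your install.

```apache
# Added example: hardening fragment for a horde3 virtual host.
# Assumed DocumentRoot: /usr/share/horde3 (not stated in the thread).
<Directory /usr/share/horde3>
    # Weak state (effectively what a fresh install has): no open_basedir,
    # so any PHP script may read every file the web server user can.
    #php_admin_value open_basedir none

    # Mitigation 1 (Martin's suggestion): confine PHP file access to the
    # application tree plus a temp dir. php_admin_value cannot be
    # overridden by ini_set() or .htaccess. Extend the list with wherever
    # your horde config and data actually live (assumed paths here).
    php_admin_value open_basedir "/usr/share/horde3:/etc/horde:/tmp"

    # Mitigation 2 (Mike's recommendation): refuse to serve the admin
    # shells at all, wherever they sit under the tree, until the package
    # either drops them or puts real authentication in front of them.
    <FilesMatch "^(cmdshell|sqlshell|phpshell)\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>
```

Note that open_basedir only restricts PHP's file functions, not exec()/system() and friends, so on its own it does not neutralise cmdshell.php; blocking the script (or listing those functions in disable_functions in php.ini) is what addresses that one.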