Hello

On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
>
> As part of the installation procedure in README.Debian, you are told to
> configure horde3 via a web interface. This is done using an
> Administrator account which requires no password. In the time that the
> application is in this state, anyone who goes to the website is
> automatically logged in as Administrator with no password. The
> Administrative account is granted access to 3 tools that look extremely
> dangerous: cmdshell.php, sqlshell.php and phpshell.php. I didn't
> determine what phpshell.php does. However, when I used cmdshell.php
> I was able to execute arbitrary commands as the www user. For instance
> I was able to successfully execute "cat /etc/passwd". This is horribly
> unacceptable.

Ohh my!

> I would recommend that cmdshell.php and sqlshell.php be removed. They
> are a much bigger security hole than they are worth. I don't know what
> phpshell.php does, but I wouldn't be surprised if it were in this same
> category.

I agree that these should be moved to somewhere else. I agree that
cmdshell and sqlshell are really dangerous and was not aware of them.

> I also would recommend that a password be required to use the
> Administration interface.

The administration thing will be kept there as it does not have any write
permission to any of the configuration files.

Or do you have a good suggestion on how to have a password that is not
predefined? To set a random one?

Regards,

// Ola

> -- System Information:
> Debian Release: testing/unstable
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
>
> Versions of packages horde3 depends on:
> ii  apache [httpd]                1.3.33-7     versatile, high-performance HTTP s
> ii  libapache-mod-php4 [phpapi-2  4:4.3.10-15  server-side, HTML-embedded scripti
> ii  php4                          4:4.3.10-15  server-side, HTML-embedded scripti
> ii  php4-cli [phpapi-20020918]    4:4.3.10-15  command-line interpreter for the p
> ii  php4-domxml                   4:4.3.10-15  XMLv2 module for php4
> ii  php4-pear                     4:4.3.10-15  PEAR - PHP Extension and Applicati
> ii  php4-pear-log                 1.6.0-1.1    Log module for PEAR
>
> Versions of packages horde3 recommends:
> ii  logrotate                     3.7.1-2      Log rotation utility
> pn  php-date                      <none>       (no description available)
> pn  php-file                      <none>       (no description available)
> pn  php-mail-mime                 <none>       (no description available)
> pn  php-services-weather          <none>       (no description available)
> pn  php4-gd | php4-gd2            <none>       (no description available)
> pn  php4-mcrypt                   <none>       (no description available)
> pn  php4-mysql | php4-pgsql | php <none>       (no description available)
>
> -- no debconf information
>
> --

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                    Annebergsslingan 37       \
|  [EMAIL PROTECTED]                    654 65 KARLSTAD           |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551        |
|  http://www.opal.dhs.org             UIN/icq: 4912500          |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
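On the question of a password that is not predefined: one way a maintainer script can set a random initial administrator password at install time and keep it readable only by root. This is an added example, not code from the bug thread or from the horde3 package; the destination path is a placeholder and does not claim to be horde3's real configuration location.

```shell
#!/bin/sh
# Added example: random, non-predefined admin password for first-time setup.
# The config path passed to store_admin_password is a placeholder (assumption),
# not the real horde3 configuration file.
set -eu

# Print a random password of $1 characters (default 16) drawn from
# [A-Za-z0-9], taken from the kernel CSPRNG. Filtering with tr before
# cutting the length keeps the kept characters uniformly distributed.
gen_admin_password() {
    len=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Write the password to a root-only (0600) file. Refuse to overwrite an
# existing file so that re-running the install does not silently replace
# a password the administrator has already set.
store_admin_password() {
    pw=$1
    dest=$2
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    ( umask 077; printf '%s\n' "$pw" > "$dest" )
    chmod 0600 "$dest"
}

# Example usage (placeholder path): uncomment in a real maintainer script.
# pw=$(gen_admin_password 16)
# store_admin_password "$pw" /etc/horde/admin-password.example
```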