Ola Lundqvist wrote:
> Hello
>
> On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> >
> > As part of the installation procedure in README.Debian, you are told to
> > configure horde3 via a web interface. This is done using an
> > Administrator account which requires no password. In the time that the
> > application is in this state, anyone who goes to the website is
> > automatically logged in as Administrator with no password. The
> > Administrative account is granted access to 3 tools that look extremely
> > dangerous: cmdshell.php, sqlshell.php and phpshell.php. I didn't
> > determine what phpshell.php does. However, when I used the cmdshell.php
> > I was able to execute arbitrary commands as the www-user. For instance
> > I was able to successfully execute "cat /etc/passwd". This is horribly
> > unacceptable.
>
> Ohh my!
>
> > I would recommend that cmdshell.php and sqlshell.php be removed. They
> > are a much bigger security hole than they are worth. I don't know what
> > phpshell.php does, but I wouldn't be surprised if it were in this same
> > category.
>
> I agree that these should be moved to somewhere else.
>
> I agree that cmdshell and sqlshell are really dangerous
> and was not aware of them.
Did you check phpshell.php that Mike mentioned as well?
> > I also would recommend that a password be required to use the
> > Administration interface.
>
> The administration thing will be kept there as it does not have any write
> permission to any of the configuration files.
>
> Or do you have a good suggestion on how to have a password that is not
> predefined. To set a random one?
Depend on pwgen and generate one at install time, which will be stored
in /etc/horde3/admin-password with mode 0600 or something?
Regards,
Joey
--
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
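One way to do what Joey proposes, as an added example that is not code from the thread or from the horde3 package: generate the admin password at install time and store it in a root-only file. It uses /dev/urandom rather than pwgen (an assumption, to avoid the dependency), and the file path is a parameter so the example can run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: install-time generation of a random
# Horde admin password, stored mode 0600 as Joey suggests. /dev/urandom
# stands in for pwgen here; the file path is a parameter.
set -u

# Print a random alphanumeric password of the requested length.
random_password() {
    len="${1:-16}"
    # head stops the pipe after $len bytes; LC_ALL=C keeps tr byte-oriented.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Create $1 holding a fresh password, mode 0600. The restrictive umask
# means the file is never world-readable, not even between creation
# and chmod. An existing file is kept, so upgrades do not rotate it.
store_admin_password() {
    file="$1"
    len="${2:-16}"
    if [ -e "$file" ]; then
        return 0
    fi
    pw="$(random_password "$len")"
    [ "${#pw}" -eq "$len" ] || return 1
    ( umask 077 && printf '%s\n' "$pw" > "$file" ) || return 1
    chmod 0600 "$file"
}

# Return 0 only if $1 is a regular file with mode exactly 0600 holding a
# single non-empty line; usable as a postinst sanity check.
check_admin_password_file() {
    file="$1"
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -perm 0600 -print)" ] || return 1
    [ "$(wc -l < "$file" | tr -d ' ')" -eq 1 ] || return 1
    [ -s "$file" ]
}
```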