Hello

On Sun, Oct 09, 2005 at 10:17:22AM +0200, Martin Schulze wrote:
> Ola Lundqvist wrote:
> > Hello
> >
> > On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> > > Package: horde3
> > > Version: 3.0.5-1
> > > Severity: critical
> > > Tags: security
> > > Justification: root security hole
> > >
> > > As part of the installation procedure in README.Debian, you are told to
> > > configure horde3 via a web interface. This is done using an
> > > Administrator account which requires no password. In the time that the
> > > application is in this state, anyone who goes to the website is
> > > automatically logged in as Administrator with no password. The
> > > Administrative account is granted access to 3 tools that look extremely
> > > dangerous: cmdshell.php, sqlshell.php and phpshell.php. I didn't
> > > determine what phpshell.php does. However, when I used the cmdshell.php
> > > I was able to execute arbitrary commands as the www-user. For instance
> > > I was able to successfully execute "cat /etc/passwd". This is horribly
> > > unacceptable.
> >
> > Ohh my!
> >
> > > I would recommend that cmdshell.php and sqlshell.php be removed. They
> > > are a much bigger security hole than they are worth. I don't know what
> > > phpshell.php does, but I wouldn't be surprised if it were in this same
> > > category.
> >
> > I agree that these should be moved to somewhere else.
> >
> > I agree that cmdshell and sqlshell are really dangerous
> > and was not aware of them.
>
> Did you check phpshell.php that Mike mentioned as well?

I think it can be dangerous as well.

> > > I also would recommend that a password be required to use the
> > > Administration interface.
> >
> > The administration thing will be kept there as it does not have any write
> > permission to any of the configuration files.
> >
> > Or do you have a good suggestion on how to have a password that is not
> > predefined. To set a random one?
>
> Depend on pwgen and generate one at install-time which will be stored
> in /etc/horde3/admin-password and is mode 0600 or something?

I decided to completely disable horde3 until the admin decides to remove
two lines in the configuration. This update is needed for sarge as well
and I have prepared a package if you want.

What I did was to add two lines to the /etc/horde/horde3/conf.php:

    // Refuse to serve anything until the administrator removes these two lines.
    echo "Disabled by default ...";
    exit(0);

I also updated the documentation.

I can upload it to stable-proposed-updates if you want (or some other
target if you like that better).

Regards,

// Ola

> Regards,
>
> 	Joey
>
> --
> Life is too short to run proprietary software. -- Bdale Garbee
>
> Please always Cc to me when replying to me on the lists.

--
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  [EMAIL PROTECTED]                    Annebergsslingan 37      \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD          |
|  http://www.opal.dhs.org               Mobile: +46 (0)70-332 1551 |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9     /
 ---------------------------------------------------------------
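Joey's suggestion in the thread (generate a random administrator password at install time with pwgen and store it with mode 0600) written out as a maintainer-script style shell function. This is an added example, not code from the bug report, the thread participants or the horde3 package; the function names, the /dev/urandom fallback for systems without pwgen, and the file path passed in are assumptions.

```shell
#!/bin/sh
# Added example: install-time generation of a random admin password stored
# with mode 0600. Not from the horde3 package; names and paths are assumed.

set -eu

# Generate a random password of $1 characters (default 16). Prefer pwgen,
# the tool named in the thread; fall back to /dev/urandom (hex-encoded)
# so the function still works where pwgen is not installed.
gen_password() {
    len="${1:-16}"
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s "$len" 1
    else
        # two hex chars per byte, so read ceil(len/2) bytes and trim
        od -An -N "$(( (len + 1) / 2 ))" -tx1 /dev/urandom \
            | tr -d ' \n' | cut -c1-"$len"
    fi
}

# Write a fresh password to $1 with mode 0600. Never overwrites an existing
# file, so re-running the script on upgrade keeps the admin's current secret.
# Returns 0 when a new file was written, 1 when the file already existed.
store_password() {
    file="$1"
    [ -e "$file" ] && return 1
    dir=$(dirname "$file")
    mkdir -p "$dir"
    # umask 077 makes the file 0600 from the moment it is created; a later
    # chmod would leave a window in which the file is world-readable.
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$dir/.admin-password.XXXXXX")
    gen_password 16 > "$tmp"
    mv "$tmp" "$file"
    umask "$old_umask"
    return 0
}

# Octal permission bits of a file, e.g. "600" (GNU stat; used for checking).
file_mode() {
    stat -c '%a' "$1"
}

# Usage (as root, from a postinst): store_password /etc/horde3/admin-password
```

The postinst would then print the path of the password file (not its contents) in the install-time message, and the web front end would check the submitted password against that file instead of granting Administrator access to anyone who visits the site.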