Your message dated Sat, 08 Oct 2005 13:02:29 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#332290: fixed in horde3 3.0.5-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Oct 2005 17:18:07 +0000
>From [EMAIL PROTECTED] Wed Oct 05 10:18:07 2005
Return-path: <[EMAIL PROTECTED]>
Received: from dsl254-118-016.nyc1.dsl.speakeasy.net (localhost.localdomain)
[216.254.118.16]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1ENCu7-00041c-00; Wed, 05 Oct 2005 10:18:07 -0700
Received: from stew by localhost.localdomain with local (Exim 4.52)
id 1ENCtd-00025Q-4d; Wed, 05 Oct 2005 13:17:37 -0400
Date: Wed, 5 Oct 2005 13:17:37 -0400
From: Mike O'Connor <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: horde3: Application is in a severely insecure state during
configuration
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.17
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: horde3
Version: 3.0.5-1
Severity: critical
Tags: security
Justification: root security hole
As part of the installation procedure in README.Debian, you are told to
configure horde3 via a web interface. This is done using an
Administrator account which requires no password. In the time that the
application is in this state, anyone who goes to the website is
automatically logged in as Administrator with no password. The
Administrative account is granted access to 3 tools that look extremely
dangerous: cmdshell.php sqlshell.php and phpshell.php. I didn't
determine what phpshell.php does. However when i used the cmdshell.php
I was able to execute arbitrary commands as the www-user. For instance
I was able to successfully execute "cat /etc/passwd". This is horribly
unacceptable.
I would recommend that cmdshell.php and sqlshell.php be removed. They
are a much bigger security hole than they are worth. I don't know what
phpshell.php does, but I wouldn't be suprised if it were in this same
category.
I also would recommend that a password be required do use the
Administration interface.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages horde3 depends on:
ii apache [httpd] 1.3.33-7 versatile, high-performance HTTP s
ii libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4-cli [phpapi-20020918] 4:4.3.10-15 command-line interpreter for the p
ii php4-domxml 4:4.3.10-15 XMLv2 module for php4
ii php4-pear 4:4.3.10-15 PEAR - PHP Extension and Applicati
ii php4-pear-log 1.6.0-1.1 Log module for PEAR
Versions of packages horde3 recommends:
ii logrotate 3.7.1-2 Log rotation utility
pn php-date <none> (no description available)
pn php-file <none> (no description available)
pn php-mail-mime <none> (no description available)
pn php-services-weather <none> (no description available)
pn php4-gd | php4-gd2 <none> (no description available)
pn php4-mcrypt <none> (no description available)
pn php4-mysql | php4-pgsql | php <none> (no description available)
-- no debconf information
---------------------------------------
Received: (at 332290-close) by bugs.debian.org; 8 Oct 2005 20:08:36 +0000
>From [EMAIL PROTECTED] Sat Oct 08 13:08:36 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EOKtp-0003DI-00; Sat, 08 Oct 2005 13:02:29 -0700
From: Ola Lundqvist <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#332290: fixed in horde3 3.0.5-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 08 Oct 2005 13:02:29 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3
Source: horde3
Source-Version: 3.0.5-2
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:
horde3_3.0.5-2.diff.gz
to pool/main/h/horde3/horde3_3.0.5-2.diff.gz
horde3_3.0.5-2.dsc
to pool/main/h/horde3/horde3_3.0.5-2.dsc
horde3_3.0.5-2_all.deb
to pool/main/h/horde3/horde3_3.0.5-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ola Lundqvist <[EMAIL PROTECTED]> (supplier of updated horde3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 8 Oct 2005 21:10:48 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Ola Lundqvist <[EMAIL PROTECTED]>
Description:
horde3 - horde web application framework
Closes: 332276 332289 332290
Changes:
horde3 (3.0.5-2) unstable; urgency=high
.
* Configuration disabled by default, closes: #332290, #332289.
* Removed some crap from the README.Debian file, closes: #332276.
Files:
162aafc9623c3254790b319196c40c8d 615 web optional horde3_3.0.5-2.dsc
09a724e4437c94a7df9d7991d7b7b60c 7062 web optional horde3_3.0.5-2.diff.gz
b7fd825f055fdcc159385ff3e0143a91 3597976 web optional horde3_3.0.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDSB3XGKGxzw/lPdkRAtQeAKCBw/1B2tkcPZw9rHKL6VL1B58UmgCgmvf0
T+irgbIC29mwYzrYSyWdwhs=
=1A30
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
