[Project_owners] [URGENT] Action required: mozdev security flaw

Mycroft Project mycroft.mozdev.org at gmail.com
Tue Sep 28 19:48:18 PDT 2010


I don't really know how the back end works...
Ideally I'd like the following to work as before:
(P1)
http://mycroft.mozdev.org/installos.php
http://mycroft.mozdev.org/install.php
(P2)
http://mycroft.mozdev.org/updateos.php
http://mycroft.mozdev.org/update.php
http://mycroft.mozdev.org/externalos.php
http://mycroft.mozdev.org/external.php
(P3)
http://mycroft.mozdev.org/judge.php
http://mycroft.mozdev.org/nowrapper/submit-install.php

(They need to miss the templating side)
If we can get a solution for the first two I'm much more relaxed about
sorting out the rest over the next few days...
It's possible something else is being masked by the first two not
working but I can't see / think of anything else significant at the
moment.

Charles

(I realise you're volunteering and I do appreciate it... it may not be
quite so evident at 0347 though...!)

On 29 September 2010 03:35, Pete Collins <pete at mozdevgroup.com> wrote:
> Yeah, this is a tough one to solve ...
>
> The only solution I can think of is I would have to re-enable .php extension
> on the server, then use mod rewrite rules to block it in all instances
> *except* mycroft.
>
> This is hours of work for me and I, like yourself, am doing this as a
> volunteer.
>
> What if I put in a server redirect for those specific files?
>
> Would that work?
>
> --pete
>
>
>
> On 9/28/10 8:24 PM, Mycroft Project wrote:
>>
>> There are places where it can be changed fairly easily - I could cope with
>> that.
>> There are some places where it is much more difficult...
>>
>> All of the search plugins that have been installed look for updates at eg:
>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.xml and
>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.ico
>>
>> All new installs currently use eg:
>> http://mycroft.mozdev.org/installos.php/12627/mycroft.xml
>> http://mycroft.mozdev.org/installos.php/12627/mycroft.ico
>> It's possible that these could be changed with some work but there are
>> a number of issues - it's not just a file name change.
>>
>> Anyone who is linking to search plugins hosted on Mycroft as per:
>> http://mycroft.mozdev.org/developer/hosting.html will be broken.
>>
>> I'd be very grateful if you could help make my life easier...
>> Really would rather avoid major work...
>>
>> Charles
>>
>> On 29 September 2010 03:16, Eric H. Jung <grimholtz at yahoo.com> wrote:
>>>
>>> On Tue, Sep 28, 2010 at 8:59 PM, Mycroft Project
>>> <mycroft.mozdev.org at gmail.com>  wrote:
>>>>
>>>> so why are you still letting me run it at all?
>>>> there must be a way of achieving a better position than the current
>>>>
>>> You are right; there probably is, but it likely requires a massive rewrite
>>> and/or audit of mozdev.org code. We don't have the resources for that right
>>> now.
>>>
>>> Pete, is it possible to enable .php file execution for selective projects
>>> (e.g., mycroft)?
>>>
>>>
>>> _______________________________________________
>>> Project_owners mailing list
>>> Project_owners at mozdev.org
>>> https://www.mozdev.org/mailman/listinfo/project_owners
>>>
>>>
>>
>>
>
> --
> Pete Collins - Founder, Mozdev Group Inc.
> www.mozdevgroup.com
> Mozilla Software Development Solutions
> tel: 1-719-302-5811
> fax: 1-719-302-5813
>



-- 
Charles Caygill
Mycroft Project Owner
http://mycroft.mozdev.org

