[Project_owners] [URGENT] Action required: mozdev security flaw

Mycroft Project mycroft.mozdev.org at gmail.com
Tue Sep 28 21:05:58 PDT 2010


I may have overestimated the difficulty of changing the P1 ones...
seems (and there may be something I've missed that comes back to haunt
me) that renaming to .php.html works
If you could set something up for the four I listed as P2 I'd be very
grateful - less urgent having hacked together what seems to be working
for installs though.
I don't know if it would help... and I haven't tested this yet... but
if it would be easier I could create e.g. updateos.php.html if you can
get .php to forward to it IYSWIM...
Run out of steam for the day though - let's work something out over
the next few days... possibly better to take it off list as well to avoid
boring everyone else.

Charles

On 29 September 2010 03:56, Pete Collins <pete at mozdevgroup.com> wrote:
>  I will work on a solution tomorrow.
>
> Thanks for going through the pain with us.
>
> --pete
>
>
>
> On 9/28/10 8:48 PM, Mycroft Project wrote:
>>
>> I don't really know how the back end works...
>> Ideally I'd like the following to work as before:
>> (P1)
>> http://mycroft.mozdev.org/installos.php
>> http://mycroft.mozdev.org/install.php
>> (P2)
>> http://mycroft.mozdev.org/updateos.php
>> http://mycroft.mozdev.org/update.php
>> http://mycroft.mozdev.org/externalos.php
>> http://mycroft.mozdev.org/external.php
>> (P3)
>> http://mycroft.mozdev.org/judge.php
>> http://mycroft.mozdev.org/nowrapper/submit-install.php
>>
>> (They need to miss the templating side)
>> If we can get a solution for the first two I'm much more relaxed about
>> sorting out the rest over the next few days...
>> It's possible something else is being masked by the first two not
>> working but I can't see / think of anything else significant at the
>> moment.
>>
>> Charles
>>
>> (I realise you're volunteering and I do appreciate it... it may not be
>> quite so evident at 0347 though...!)
>>
>> On 29 September 2010 03:35, Pete Collins <pete at mozdevgroup.com> wrote:
>>>
>>>  Yea, this is a tough one to solve ...
>>>
>>> The only solution I can think of is I would have to re-enable the .php
>>> extension on the server, then use mod_rewrite rules to block it in all
>>> instances *except* mycroft.
>>>
>>> This is hours of work for me and I, like yourself, am doing this as a
>>> volunteer.
>>>
>>> What if I put in a server redirect for those specific files?
>>>
>>> Would that work?
>>>
>>> --pete
>>>
>>>
>>>
>>> On 9/28/10 8:24 PM, Mycroft Project wrote:
>>>>
>>>> There are places where it can be changed fairly easily - I could cope
>>>> with that.
>>>> There are some places where it is much more difficult...
>>>>
>>>> All of the search plugins that have been installed look for updates at,
>>>> e.g.:
>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.xml and
>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.ico
>>>>
>>>> All new installs currently use, e.g.:
>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.xml
>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.ico
>>>> It's possible that these could be changed with some work but there are
>>>> a number of issues - it's not just a file name change.
>>>>
>>>> Anyone who is linking to search plugins hosted on Mycroft as per:
>>>> http://mycroft.mozdev.org/developer/hosting.html will be broken.
>>>>
>>>> I'd be very grateful if you could help make my life easier...
>>>> Really would rather avoid major work...
>>>>
>>>> Charles
>>>>
>>>> On 29 September 2010 03:16, Eric H. Jung <grimholtz at yahoo.com> wrote:
>>>>>
>>>>> On Tue, Sep 28, 2010 at 8:59 PM, Mycroft Project
>>>>> <mycroft.mozdev.org at gmail.com> wrote:
>>>>>>
>>>>>> So why are you still letting me run it at all?
>>>>>> There must be a way of achieving a better position than the current one.
>>>>>>
>>>>> You are right; there probably is, but it likely requires a massive
>>>>> rewrite and/or audit of mozdev.org code. We don't have the resources
>>>>> for that right now.
>>>>>
>>>>> Pete, is it possible to enable .php file execution for selective
>>>>> projects (e.g., mycroft)?
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Project_owners mailing list
>>>>> Project_owners at mozdev.org
>>>>> https://www.mozdev.org/mailman/listinfo/project_owners
>>>>>
>>>>>
>>>>
>>> --
>>> Pete Collins - Founder, Mozdev Group Inc.
>>> www.mozdevgroup.com
>>> Mozilla Software Development Solutions
>>> tel: 1-719-302-5811
>>> fax: 1-719-302-5813
>>>
>>
>>
>



-- 
Charles Caygill
Mycroft Project Owner
http://mycroft.mozdev.org
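A per-project allow-list along the lines Pete proposes (re-enable PHP only for named mycroft handlers and refuse it everywhere else), written here as an added example; it is not mozdev's actual configuration. It assumes Apache 2.x with mod_rewrite and mod_php serving mycroft.mozdev.org from its own vhost; the document root and handler name are placeholders.

```apache
# Added example, not from the thread or the mozdev server configuration.
# Assumptions: Apache 2.x, mod_rewrite, mod_php; paths and handler name
# are placeholders for whatever the real server uses.
<VirtualHost *:80>
    ServerName   mycroft.mozdev.org
    DocumentRoot /var/www/mozdev/mycroft          # assumed path

    RewriteEngine On

    # Allow-list first: exactly the handler URLs named in the thread.
    # "(/|$)" keeps the path-info form the installed plugins rely on,
    # e.g. /installos.php/12627/mycroft.xml and /updateos.php/id0/mycroft.ico.
    RewriteRule ^/(installos|install|updateos|update|externalos|external|judge)\.php(/|$) - [L]
    RewriteRule ^/nowrapper/submit-install\.php(/|$) - [L]

    # Everything else with ".php" anywhere in the path is refused (403)
    # before any handler runs. Matching ".php" followed by ".", "/" or
    # end-of-path, rather than only "\.php$", is deliberate: mod_mime
    # treats "x.php.html" as carrying both extensions, so a suffix-only
    # block is consistent with why the .php.html rename in the thread
    # "works", and a suffix-only block would leave that gap open.
    RewriteRule \.php(\.|/|$) - [F,L]

    # The only place PHP is mapped at all; kept in the vhost with
    # AllowOverride None so no .htaccess in the project tree can widen it.
    <Directory /var/www/mozdev/mycroft>
        AddHandler application/x-httpd-php .php   # mod_php handler; assumed
        AllowOverride None
    </Directory>
</VirtualHost>
```

Because the allow-list keys on the URL path rather than on filenames, a same-named script placed elsewhere under the document root still hits the 403 rule.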


More information about the Project_owners mailing list