[Project_owners] [URGENT] Action required: mozdev security flaw

Jesper Staun Hansen jesper at staunhansen.dk
Tue Sep 28 23:58:59 PDT 2010


On Wed, Sep 29, 2010 at 6:05 AM, Mycroft Project <mycroft.mozdev.org@gmail.com> wrote:

> I may have overestimated the difficulty of changing the P1 ones...
> seems (and there may be something I've missed that comes back to haunt
> me) that renaming to .php.html works
> If you could set something up for the four I listed as P2 I'd be very
> grateful - less urgent having hacked together what seems to be working
> for installs though.
> I don't know if it would help... and I haven't tested this yet... but
> if it would be easier I could create eg updateos.php.html if you can
> get .php to forward to it IYSWIM...
> Run out of steam for the day though - let's work something out over
> the next few days... poss better to take it off list as well to avoid
> boring everyone else.
>
> Charles
>
> On 29 September 2010 03:56, Pete Collins <pete at mozdevgroup.com> wrote:
> >  I will work on a solution tomorrow.
> >
> > Thanks for going through the pain with us.
> >
> > --pete
> >
> >
> >
> > On 9/28/10 8:48 PM, Mycroft Project wrote:
> >>
> >> I don't really know how the back end works...
> >> Ideally I'd like the following to work as before:
> >> (P1)
> >> http://mycroft.mozdev.org/installos.php
> >> http://mycroft.mozdev.org/install.php
> >> (P2)
> >> http://mycroft.mozdev.org/updateos.php
> >> http://mycroft.mozdev.org/update.php
> >> http://mycroft.mozdev.org/externalos.php
> >> http://mycroft.mozdev.org/external.php
> >> (P3)
> >> http://mycroft.mozdev.org/judge.php
> >> http://mycroft.mozdev.org/nowrapper/submit-install.php
> >>
> >> (They need to miss the templating side)
> >> If we can get a solution for the first two I'm much more relaxed about
> >> sorting out the rest over the next few days...
> >> It's possible something else is being masked by the first two not
> >> working but I can't see / think of anything else significant at the
> >> moment.
> >>
> >> Charles
> >>
> >> (I realise you're volunteering and I do appreciate it... it may not be
> >> quite so evident at 0347 though...!)
> >>
> >>> On 29 September 2010 03:35, Pete Collins <pete at mozdevgroup.com> wrote:
> >>>
> >>>  Yea, this is a tough one to solve ...
> >>>
> >>> The only solution I can think of is I would have to re-enable .php
> >>> extension
> >>> on the server, then use mod rewrite rules to block it in all instances
> >>> *except* mycroft.
> >>>
> >>> This is hours of work for me and I like yourself am doing this as a
> >>> volunteer.
> >>>
> >>> What if put in a server redirect for those specific files?
> >>>
> >>> Would that work?
> >>>
> >>> --pete
> >>>
> >>>
> >>>
> >>> On 9/28/10 8:24 PM, Mycroft Project wrote:
> >>>>
> >>>> There are places where it can be changed fairly easily - I could cope
> >>>> with
> >>>> that.
> >>>> There are some places where it is much more difficult...
> >>>>
> >>>> All of the search plugins that have been installed look for updates at
> >>>> eg:
> >>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.xml and
> >>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.ico
> >>>>
> >>>> All new installs currently use eg:
> >>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.xml
> >>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.ico
> >>>> It's possible that these could be changed with some work but there are
> >>>> a number of issues - it's not just a file name change.
> >>>>
> >>>> Anyone who is linking to search plugins hosted on Mycroft as per:
> >>>> http://mycroft.mozdev.org/developer/hosting.html will be broken.
> >>>>
> >>>> I'd be very grateful if you could help make my life easier...
> >>>> Really would rather avoid major work...
> >>>>
> >>>> Charles
> >>>>
> >>>> On 29 September 2010 03:16, Eric H. Jung <grimholtz at yahoo.com> wrote:
> >>>>>
> >>>>> On Tue, Sep 28, 2010 at 8:59 PM, Mycroft Project
> >>>>> <mycroft.mozdev.org at gmail.com> wrote:
> >>>>>>
> >>>>>> so why are you still letting me run it at all?
> >>>>>> there must be a way of achieving a better position than the current
> >>>>>>
> >>>>> You are right; there probably is, but it likely requires a massive
> >>>>> rewrite and/or audit of mozdev.org code. We don't have the resources
> >>>>> for that right now.
> >>>>>
> >>>>> Pete, is it possible to enable .php file execution for selective
> >>>>> projects (e.g., mycroft)?
> >>>>>
> >>>>>
>

How is this even becoming a problem? Apache on a Linux/BSD (I don't remember
what we're running) offers great security if configured.
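One way to express the per-project PHP enablement Eric and Pete discuss above, plus the forward from the old `.php` URLs to the renamed `.php.html` files that Charles asks for, as an added example that is not the mozdev server's actual configuration. The `/var/www/projects` layout, a `DocumentRoot` of `/var/www/projects/mycroft`, mod_php and Apache 2.4 syntax are assumptions.

```apache
# Added example; the directory layout and Apache 2.4 syntax are assumptions.
#
# 1. PHP stays off server-wide. Note that blocking only "\.php$" is not
#    enough: mod_mime applies a handler to any matching extension anywhere
#    in the file name, so "installos.php.html" would still be executed
#    wherever the .php handler is active. Match ".php." too.
<Directory "/var/www/projects">
    php_admin_flag engine off
    <FilesMatch "\.php(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>

# 2. Re-enable PHP for the one project that has been looked at (mycroft),
#    and nowhere else. Keep the old URLs working by rewriting
#       /installos.php/12627/mycroft.xml
#    to /installos.php.html/12627/mycroft.xml
#    so installed search plugins still reach their update/install URLs.
#    The trailing plugin id and file name travel along as PATH_INFO.
<Directory "/var/www/projects/mycroft">
    php_admin_flag engine on
    <FilesMatch "\.php(\.|$)">
        Require all granted
    </FilesMatch>
    AcceptPathInfo On

    RewriteEngine On
    # Only rewrite when a renamed .php.html counterpart actually exists,
    # so unknown .php names still return 404 instead of a surprise.
    RewriteCond %{DOCUMENT_ROOT}/$1.php.html -f
    RewriteRule ^(.+)\.php(/.*)?$ /$1.php.html$2 [PT,L]
</Directory>
```

Because the rule is per-directory, it also covers sub-paths such as `nowrapper/submit-install.php` as long as the matching `.php.html` file is present.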

