[Project_owners] [URGENT] Action required: mozdev security flaw

Pete Collins pete at mozdevgroup.com
Wed Sep 29 07:37:18 PDT 2010


I just added a rule that will redirect all *.php files to *.php.html

Please let's test this out and see if it works.

I added new .php.html files in mycroft for your P2's.

I'm not sure what you are actually doing with these files but let's see 
if this solution works.

Thanks

--pete



On 9/28/10 10:05 PM, Mycroft Project wrote:
> I may have overestimated the difficulty of changing the P1 ones...
> seems (and there may be something I've missed that comes back to haunt
> me) that renaming to .php.html works.
> If you could set something up for the four I listed as P2 I'd be very
> grateful - less urgent having hacked together what seems to be working
> for installs though.
> I don't know if it would help... and I haven't tested this yet... but
> if it would be easier I could create eg updateos.php.html if you can
> get .php to forward to it IYSWIM...
> Run out of steam for the day though - let's work something out over
> the next few days... poss better to take it off list as well to avoid
> boring everyone else.
>
> Charles
>
> On 29 September 2010 03:56, Pete Collins <pete at mozdevgroup.com> wrote:
>> I will work on a solution tomorrow.
>>
>> Thanks for going through the pain with us.
>>
>> --pete
>>
>>
>>
>> On 9/28/10 8:48 PM, Mycroft Project wrote:
>>> I don't really know how the back end works...
>>> Ideally I'd like the following to work as before:
>>> (P1)
>>> http://mycroft.mozdev.org/installos.php
>>> http://mycroft.mozdev.org/install.php
>>> (P2)
>>> http://mycroft.mozdev.org/updateos.php
>>> http://mycroft.mozdev.org/update.php
>>> http://mycroft.mozdev.org/externalos.php
>>> http://mycroft.mozdev.org/external.php
>>> (P3)
>>> http://mycroft.mozdev.org/judge.php
>>> http://mycroft.mozdev.org/nowrapper/submit-install.php
>>>
>>> (They need to miss the templating side)
>>> If we can get a solution for the first two I'm much more relaxed about
>>> sorting out the rest over the next few days...
>>> It's possible something else is being masked by the first two not
>>> working but I can't see / think of anything else significant at the
>>> moment.
>>>
>>> Charles
>>>
>>> (I realise you're volunteering and I do appreciate it... it may not be
>>> quite so evident at 0347 though...!)
>>>
>>> On 29 September 2010 03:35, Pete Collins <pete at mozdevgroup.com> wrote:
>>>> Yea, this is a tough one to solve ...
>>>>
>>>> The only solution I can think of is I would have to re-enable .php
>>>> extension on the server, then use mod rewrite rules to block it in all
>>>> instances *except* mycroft.
>>>>
>>>> This is hours of work for me and I, like yourself, am doing this as a
>>>> volunteer.
>>>>
>>>> What if I put in a server redirect for those specific files?
>>>>
>>>> Would that work?
>>>>
>>>> --pete
>>>>
>>>>
>>>>
>>>> On 9/28/10 8:24 PM, Mycroft Project wrote:
>>>>> There are places where it can be changed fairly easily - I could cope
>>>>> with that.
>>>>> There are some places where it is much more difficult...
>>>>>
>>>>> All of the search plugins that have been installed look for updates at
>>>>> e.g.:
>>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.xml and
>>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.ico
>>>>>
>>>>> All new installs currently use e.g.:
>>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.xml
>>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.ico
>>>>> It's possible that these could be changed with some work but there are
>>>>> a number of issues - it's not just a file name change.
>>>>>
>>>>> Anyone who is linking to search plugins hosted on Mycroft as per:
>>>>> http://mycroft.mozdev.org/developer/hosting.html will be broken.
>>>>>
>>>>> I'd be very grateful if you could help make my life easier...
>>>>> Really would rather avoid major work...
>>>>>
>>>>> Charles
>>>>>
>>>>> On 29 September 2010 03:16, Eric H. Jung <grimholtz at yahoo.com> wrote:
>>>>>> On Tue, Sep 28, 2010 at 8:59 PM, Mycroft Project
>>>>>> <mycroft.mozdev.org at gmail.com> wrote:
>>>>>>> so why are you still letting me run it at all?
>>>>>>> there must be a way of achieving a better position than the current
>>>>>>>
>>>>>> You are right; there probably is, but it likely requires a massive
>>>>>> rewrite and/or audit of mozdev.org code. We don't have the resources
>>>>>> for that right now.
>>>>>>
>>>>>> Pete, is it possible to enable .php file execution for selective
>>>>>> projects (e.g., mycroft)?
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Project_owners mailing list
>>>>>> Project_owners at mozdev.org
>>>>>> https://www.mozdev.org/mailman/listinfo/project_owners
>>>>>>
>>>>>>
>>>> --
>>>> Pete Collins - Founder, Mozdev Group Inc.
>>>> www.mozdevgroup.com
>>>> Mozilla Software Development Solutions
>>>> tel: 1-719-302-5811
>>>> fax: 1-719-302-5813
>>>>
>>>
>
>

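The rule Pete describes at the top of the thread (mapping every *.php request onto its *.php.html twin so the Mycroft endpoints keep their path-info style URLs while PHP stays off elsewhere) could be expressed like this. This is an added illustration, not the rule actually deployed on mozdev; it assumes Apache httpd 2.2 with mod_rewrite, that *.php.html files are still handed to the PHP handler, that mycroft.mozdev.org has its own virtual host, and a placeholder document root.

```apache
# Added example, not the mozdev configuration itself.
# Assumptions: Apache httpd 2.2 with mod_rewrite; *.php.html is processed by
# the PHP handler; mycroft.mozdev.org is its own <VirtualHost>.

# Site-wide default: refuse to serve or execute any *.php at all.
# The pattern matches "foo.php" but not "foo.php.html", so renamed files
# remain reachable. (On httpd 2.4 use "Require all denied" instead.)
<FilesMatch "\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

<VirtualHost *:80>
    ServerName mycroft.mozdev.org
    DocumentRoot /srv/www/mycroft/htdocs    # placeholder path, not mozdev's
    AcceptPathInfo On                       # keep /script.php.html/12627/x.xml working

    RewriteEngine On

    # Internal rewrite (no 301, so installed plugins keep the URL they have):
    #   /installos.php/12627/mycroft.xml -> /installos.php.html/12627/mycroft.xml
    #   /updateos.php/id0/mycroft.ico    -> /updateos.php.html/id0/mycroft.ico
    # Group 1 is the script name, group 2 the optional trailing path info.
    # Rewrite only when the .php.html twin really exists; any other *.php
    # request falls through to the site-wide deny above.
    RewriteCond %{DOCUMENT_ROOT}/$1.php.html -f
    RewriteRule ^/(.+)\.php(/.*)?$ /$1.php.html$2 [L]
</VirtualHost>
```

Swapping `[L]` for `[R=301,L]` gives the external "server redirect" variant Pete also floated; the internal form is safer for the update URLs baked into already-installed search plugins, since the client never has to follow a redirect.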


