[Project_owners] [URGENT] Action required: mozdev security flaw

Jesper Staun Hansen jesper at staunhansen.dk
Wed Sep 29 10:43:06 PDT 2010


How would this "fix" the bug at hand?

On Wed, Sep 29, 2010 at 4:37 PM, Pete Collins <pete at mozdevgroup.com> wrote:

>  I just added a rule that will redirect all *.php files to *.php.html
>
> Please lets test this out and see if it works.
>
> I added new .php.html files in mycroft for your P2's.
>
> I'm not sure what you are actually doing with these files but let's see if
> this solution works.
>
> Thanks
>
> --pete
>
>
>
>
> On 9/28/10 10:05 PM, Mycroft Project wrote:
>
>> I may have overestimated the difficulty of changing the P1 ones...
>> seems (and there may be something I've missed that comes back to haunt
>> me) that renaming to .php.html works
>> If you could set something up for the four I listed as P2 I'd be very
>> grateful - less urgent having hacked together what seems to be working
>> for installs though.
>> I don't know if it would help... and I haven't tested this yet... but
>> if it would be easier I could create eg updateos.php.html if you can
>> get .php to forward to it IYSWIM...
>> Run out of steam for the day though - let's work something out over
>> the next few days... poss better to take it off list as well to avoid
>> boring everyone else.
>>
>> Charles
>>
>> On 29 September 2010 03:56, Pete Collins <pete at mozdevgroup.com> wrote:
>>
>>>  I will work on a solution tomorrow.
>>>
>>> Thanks for going through the pain with us.
>>>
>>> --pete
>>>
>>>
>>>
>>> On 9/28/10 8:48 PM, Mycroft Project wrote:
>>>
>>>> I don't really know how the back end works...
>>>> Ideally I'd like the following to work as before:
>>>> (P1)
>>>> http://mycroft.mozdev.org/installos.php
>>>> http://mycroft.mozdev.org/install.php
>>>> (P2)
>>>> http://mycroft.mozdev.org/updateos.php
>>>> http://mycroft.mozdev.org/update.php
>>>> http://mycroft.mozdev.org/externalos.php
>>>> http://mycroft.mozdev.org/external.php
>>>> (P3)
>>>> http://mycroft.mozdev.org/judge.php
>>>> http://mycroft.mozdev.org/nowrapper/submit-install.php
>>>>
>>>> (They need to miss the templating side)
>>>> If we can get a solution for the first two I'm much more relaxed about
>>>> sorting out the rest over the next few days...
>>>> It's possible something else is being masked by the first two not
>>>> working but I can't see / think of anything else significant at the
>>>> moment.
>>>>
>>>> Charles
>>>>
>>>> (I realise you're volunteering and I do appreciate it... it may not be
>>>> quite so evident at 0347 though...!)
>>>>
>>>> On 29 September 2010 03:35, Pete Collins <pete at mozdevgroup.com> wrote:
>>>>
>>>>>  Yea, this is a tough one to solve ...
>>>>>
>>>>> The only solution I can think of is I would have to re-enable .php extension
>>>>> on the server, then use mod rewrite rules to block it in all instances
>>>>> *except* mycroft.
>>>>>
>>>>> This is hours of work for me and I like yourself am doing this as a
>>>>> volunteer.
>>>>>
>>>>> What if put in a server redirect for those specific files?
>>>>>
>>>>> Would that work?
>>>>>
>>>>> --pete
>>>>>
>>>>>
>>>>>
>>>>> On 9/28/10 8:24 PM, Mycroft Project wrote:
>>>>>
>>>>>> There are places where it can be changed fairly easily - I could cope with
>>>>>> that.
>>>>>> There are some places where it is much more difficult...
>>>>>>
>>>>>> All of the search plugins that have been installed look for updates at
>>>>>> eg:
>>>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.xml and
>>>>>> http://mycroft.mozdev.org/updateos.php/id0/mycroft.ico
>>>>>>
>>>>>> All new installs currently use eg:
>>>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.xml
>>>>>> http://mycroft.mozdev.org/installos.php/12627/mycroft.ico
>>>>>> It's possible that these could be changed with some work but there are
>>>>>> a number of issues - it's not just a file name change.
>>>>>>
>>>>>> Anyone who is linking to search plugins hosted on Mycroft as per:
>>>>>> http://mycroft.mozdev.org/developer/hosting.html will be broken.
>>>>>>
>>>>>> I'd be very grateful if you could help make my life easier...
>>>>>> Really would rather avoid major work...
>>>>>>
>>>>>> Charles
>>>>>>
>>>>>> On 29 September 2010 03:16, Eric H. Jung <grimholtz at yahoo.com> wrote:
>>>>>>
>>>>>>> On Tue, Sep 28, 2010 at 8:59 PM, Mycroft Project
>>>>>>> <mycroft.mozdev.org at gmail.com> wrote:
>>>>>>>
>>>>>>>> so why are you still letting me run it at all?
>>>>>>>> there must be a way of achieving a better position than the current
>>>>>>>>
>>>>>>> You are right; there probably is, but it likely requires a massive rewrite
>>>>>>> and/or audit of mozdev.org code. We don't have the resources for that
>>>>>>> right now.
>>>>>>>
>>>>>>> Pete, is it possible to enable .php file execution for selective projects
>>>>>>> (e.g., mycroft)?
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Project_owners mailing list
>>>>>>> Project_owners at mozdev.org
>>>>>>> https://www.mozdev.org/mailman/listinfo/project_owners
>>>>>>>
>>>>>>>
>>>>> --
>>>>> Pete Collins - Founder, Mozdev Group Inc.
>>>>> www.mozdevgroup.com
>>>>> Mozilla Software Development Solutions
>>>>> tel: 1-719-302-5811
>>>>> fax: 1-719-302-5813
>>>>>
>>
>>
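Eric's question about enabling .php execution for selected projects only, and Pete's plan to re-enable PHP and block it everywhere except mycroft, describe an allow-list enforced by the web server. The Apache configuration below is an added illustration of that approach, not mozdev's actual configuration; the mod_php module, Apache 2.2 access-control syntax and the project path /var/www/projects/<name>/ are assumptions.

```apache
# Added illustration only, not mozdev's real configuration.
# Assumptions: mod_php is loaded, Apache 2.2 access-control syntax,
# and every project's files live under /var/www/projects/<name>/
# (hypothetical path).

# Default for every project: PHP is not executed anywhere.
<Directory /var/www/projects>
    php_admin_flag engine Off
    # With the engine off, mod_php would hand .php files back as plain
    # text and leak their source, so refuse them outright instead.
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Exception for the one project that needs it: mycroft.
<VirtualHost *:80>
    ServerName mycroft.mozdev.org
    DocumentRoot /var/www/projects/mycroft

    # The more specific <Directory> is merged after the parent one and
    # overrides both the engine flag and the access rule for .php files.
    <Directory /var/www/projects/mycroft>
        php_admin_flag engine On
        <FilesMatch "\.php$">
            Order allow,deny
            Allow from all
            SetHandler application/x-httpd-php
        </FilesMatch>
        # installos.php/12627/mycroft.xml and the updateos.php URLs pass
        # the trailing segment to the script as PATH_INFO; keep that on.
        AcceptPathInfo On
    </Directory>
</VirtualHost>
```

The deny-by-default block is what keeps the other projects in the same position as before, while the mycroft exception is the only place PHP executes, so a new project cannot regain PHP by copying a file name.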