lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 5 May 2004 12:32:39 -0700
From: Jon McClintock <jammer@...k.org>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in P4DB



Product:        P4DB
URL:            http://www.mydata.se/ftp/P4DB/
Version:        P4DB v2.01 and earlier
Risk:           Multiple vunlerabilities (high)

Description:

P4DB is a CGI based tool that provides a web-based interface to Perforce
source code repositories. It is third-party software, developed by an
individual and unsupported by Perforce. I believe it is in use internally
at a large number of organizations, and installations can also be found
on the public Internet.


The Problem:

P4DB is very bad about validating user input. This leads to a multitude of
vulnerabilities, the most dangerous being unfiltered input passed to shell
commands. This allows for individuals to run arbitrary commands on the 
web server. Additionally, there are cross-site scripting issues throughout
the package.


The Fix:

The original developer of P4DB, Fredric Fredricson, appears to have dropped
off the Internet; he did not respond to inquiries made in late March, 2004.
The most recent release of P4DB was in 2001; he has submitted a multitude of
changes to the package source in the public Perforce repository (as recently
as March, 2004), but the security issues are still present in that code. 

I have contacted Perforce about the problem; they suggest that people migrate
to P4Web, a free package that provides the same functionality, developed and
maintained by Perforce themselves:

  http://www.perforce.com/perforce/products/p4web.html

Failing that, I've made a patch that fixes the security problems I've 
identified. You can download it at:

  http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt

However, given that it is essentially abandoned software, I strongly urge 
you to migrate away from it.

-Jon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ