| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Feb 2007 10:10:39 +0100 From: Cedric Blancher <blancher@...tel-securite.fr> To: Raphaël HUCK <raphael.huck@...e.fr> Cc: bugtraq@...urityfocus.com Subject: Re: DotClear Full Path Disclosure Vulnerability Le mardi 13 février 2007 à 08:34 +0100, Raphaël HUCK a écrit : > But you can use secure software (or modify the unsecure ones you have) We agree on the fact DotClear must be fixed on this, as for most people, neither changing the PHP conf nor modify the scripts is an option. Don't forget who this kind of apps is targetting... > I said "for example", as I know this is how MediaWiki does: > if ( ! defined( 'MEDIAWIKI' ) ) > die( 1 ); > How would you do it? If you look at the way thoses script are used, they actually need a specific context, starting with function calls that need variables to be set. Therefore, I think a more sustainable way of handling this could be to actually check this very context consistency. You can do this by testing needed variables value, add success test to funtions, etc. For instance, adding a test condition around fetch() call in list.php should do the trick... Another way of dealing with this could be ye old htaccess trick as recommended in layout or share directories for instance. But it's just a workaround to me. Now, to share my view from a broader point of vue, one should wonder why hostings does not provide offline repositories. I mean on most of them your FTP/SCP/whatever root _is_ your webroot. This means any object put there is accessible online. The fact is not all your webiste contents need to be directly accessible. Thus, if you shift your webroot to a dedicated directory, then you can start having PHP script offline. Take your example: none of the scripts you mention are refered as an URL. They're all included from other scripts, and thus are safe to put offline, as inclusion can refer scripts out of webroot. And this way, no one can call them directly. Period. I agree this kind of setting is not available to everyone, juste like PHP configuration. But for thoses who can handle this, it can be a good security measure. If you have a look at previous DotClear advisories, you'll understand clearly what it brings ;) The bad side of this lies in the fact that DotClear and many other apps are not written with this kind of setting in mind and it's not easy to achieve (not to mention additional plugins). It's already time consuming to adapt the application to thoses needs, and a real pain to maintain it, patching everything each time you have to update... -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread!
Powered by blists - more mailing lists