[Phpgroupware-developers] Re: phpGroupWare security questions

[Dave Hall]

On Sun, 2004-07-11 at 07:28, security curmudgeon wrote:
> Hi Chris:
> 
> : the developers list is a better place for this question.
> 
> I didn't want to intrude if that wasn't the best place to mail =)
> 
> : Most of the security bugs in php were also noted on the major security 
> sites.
> 
> Actually they were extremely lacking in documenting all the vulnerabilites
> to date. Browsing through the changelog and other parts of your site
> revealed quite a few that missed CVE, ISS, SecurityFocus/BID, Secunia,
> SecurityTracker, et al. A quick search of these VDBs reveals:
> 
> Nessus: 0
> Snort: 0
> ISS: 7
> BID: 6
> Secunia: 7
> CVE: 7
> 
> Running through your site, the count is closer to 20 depending on how you
> classify a vulnerability. Some of the VDBs listed above will lump several
> SQL injections or path disclosures into a single entry, so the count is
> very subjective.

I plan to clean up the changeLog in preparation for the 0.9.16.001
release.  If you have anymore information which will allow anyone with
an interest in the security history of phpgw, please sent it my way, on
or off list.  Such as matching our bug #s or vuln reports to the
changeLog entries, this would be greatly appreciated.

> 
> : The versions you question are quite old now and completely unsupported.
> : The changes should be documented somewhere in the bug tracking system
> : either on savannah or sourceforge, but if you're simply interested in
> : patching I'd instead recommend upgrading to the latest, currently 0.9.16
> : and soon to be 0.9.16.001
> 
> I'm interested in vulnerability details, specifically disclosure date,
> severity and impact. I've gone through the bug tracking system twice, the
> first time using common search terms, the second time skimming the
> subject/titles. The ones I couldn't match up to changelog entries or find
> any other reference to are the ones I mailed about in hopes that one of
> your team had notes or archived mail.
> 

I must admit I did think about replying to Brain's first email to me off
list.  I decieded that providing information on long fixed holes in
phpgw wouldn't do any harm.  I think if people have any information
which can help Brain, post it here or to him directly.

Here is my attempt to explain them.

> : > 2002-01-02  Scott Moonen  <address@hidden>
> : >    * Fixed security hole in template system.
> : >
> : > [06022000] - Security fix for login.php3
> : >
> : > [06052000] - Fixed a few possiable security problems with addressbook

These were all before my time.

> : >
> : > [0.9.14.002]    This is a bug fix release for 0.9.14
> : >                 - Setup/Config:
> : >                   + overflow in phpgw_config table fixed
> : >                   + security hole plugged
> 

This was the 2 bug reports we discussed off list the other day - bug#s
1169 & 1171.  It should be noted that the meat space component of the
vuln is easily prevented by good sysadmin practice, close your browser
when you are done with the session.  I run heaps of firefox windows and
tabs - uptimes of 1wk+, while I use mozilla for internet banking and
other security sensitive tasks, then close it when i am done.

> Thanks for your time and help!

np

Cheers

Dave