Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> As part of the installation procedure in README.Debian, you are told to
> configure horde3 via a web interface.  This is done using an
> Administrator account which requires no password.  In the time that the
> application is in this state, anyone who goes to the website is
> automatically logged in as Administrator with no password.  The
> Administrative account is granted access to 3 tools that look extremely
> dangerous: cmdshell.php sqlshell.php and phpshell.php.  I didn't
> determine what phpshell.php does.  However when i used the cmdshell.php
> I was able to execute arbitrary commands as the www-user.  For instance
> I was able to successfully execute "cat /etc/passwd".  This is horribly
> unacceptable.  
> 
> I would recommend that cmdshell.php and sqlshell.php be removed.  They
> are a much bigger security hole than they are worth.  I don't know what
> phpshell.php does, but I wouldn't be surprised if it were in this same
> category.
> 
> I also would recommend that a password be required to use the
> Administration interface.

The security problem is your webserver & PHP. Set open_basedir, for
example. And as long as you haven't configured horde (and you only can if
you change the permissions and ownership of the configuration files) you do
not have SQL access and you cannot do anything with sqlshell.php.

bye, Martin

-- 

Powered by Debian GNU / Linux


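Added example, not part of the bug thread above and not Horde's or Debian's code: a small PHP probe for checking what the open_basedir suggestion in the reply actually buys against a cmdshell.php-style tool. open_basedir only restricts filesystem functions; process-spawning functions such as shell_exec are governed by disable_functions, so the probe reports both. The paths, the /tmp location and the command-line settings are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread). Probes which of the PHP hardening
// settings discussed block the operations a cmdshell.php-style page relies on.
//
// Run it from inside the allowed directory, since open_basedir also has to
// cover the script file itself (assumed location: /tmp/probe.php):
//   cd /tmp && php -d open_basedir=/tmp \
//       -d disable_functions=shell_exec,exec,system,passthru,popen,proc_open probe.php

function is_disabled(string $fn): bool {
    // function_exists() is false for functions removed via disable_functions;
    // the explicit list check is kept for clarity when reading the output.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !function_exists($fn) || in_array($fn, $disabled, true);
}

// 1. Direct file read: this is the only thing open_basedir governs.
printf("open_basedir      = %s\n", ini_get('open_basedir') ?: '(unset)');
printf("disable_functions = %s\n", ini_get('disable_functions') ?: '(unset)');
$read = @file_get_contents('/etc/passwd');
printf("file_get_contents('/etc/passwd'): %s\n", $read === false ? 'blocked' : 'ALLOWED');

// 2. Shell execution: open_basedir does not cover these; only disable_functions does.
foreach (['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open'] as $fn) {
    printf("%-10s: %s\n", $fn, is_disabled($fn) ? 'disabled' : 'AVAILABLE');
}

// Calling a disabled function is a fatal error, so only try it when available.
if (!is_disabled('shell_exec')) {
    $out = @shell_exec('cat /etc/passwd 2>/dev/null');
    printf("shell_exec('cat /etc/passwd'): %s\n",
        ($out === null || $out === '') ? 'blocked' : 'ALLOWED (' . strlen($out) . ' bytes)');
}
```

Run once with only open_basedir set and once with disable_functions added: the first run blocks the direct file read but still returns /etc/passwd through shell_exec, which is the behaviour the original report describes; the second run removes the process-spawning functions and the probe reports them as disabled. Neither setting replaces the password on the Administrator account that the report asks for; they only limit what a logged-in Administrator can do with the shell tools.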