Hi Kees, sorry for this delay :-(
I agree with you about rejecting OBM.
OBM is an old project which has made good code and bad code.
I have discussed this with the principal PHP developer. He works in the background in
order to remove this and improve security on it.
I would like to say that OBM requires
** Changed in: obm (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees)
--
MIR for obm
https://bugs.launchpad.net/bugs/259776
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
I've got to reject this. There has been absolutely no attempt to
protect this application from SQL injection.
For example:
function check_privacy($module, $table, $action, $id='', $p_uid='') {
...
$query = "SELECT $field_pri, $field_uc FROM $table WHERE $field_id = '$id'";
$obm_q = new DB_OBM;
** Changed in: obm (Ubuntu)
Importance: Undecided => Medium
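For comparison, here is what the query quoted above looks like once the record id is bound as a parameter and the table and column names are checked against a fixed allowlist. This is an added example, not OBM's code: the PDO handle, the table names, the column names in the allowlist and the sample rows are all assumptions constructed for illustration.

```php
<?php
// Added example, not OBM's own code: a hardened variant of the check_privacy()
// query. Table and column names below are assumed for illustration.

// Identifiers (tables, columns) cannot be bound as parameters, so the only ones
// allowed into the SQL text are those the application itself defines here.
const PRIVACY_COLUMNS = [
    // table => [id column, privacy column, usercreate column]  (assumed names)
    'Event'   => ['event_id',   'event_privacy',   'event_usercreate'],
    'Contact' => ['contact_id', 'contact_privacy', 'contact_usercreate'],
];

function check_privacy(PDO $db, string $table, $id): ?array {
    if (!isset(PRIVACY_COLUMNS[$table])) {
        // Unknown table: refuse before any SQL is assembled.
        throw new InvalidArgumentException("unknown table: $table");
    }
    [$field_id, $field_pri, $field_uc] = PRIVACY_COLUMNS[$table];

    // $id is user-controlled, so it is bound as a parameter. The driver sends
    // it separately from the statement text, so whatever characters it
    // contains it is compared as a plain value and cannot alter the query.
    $stmt = $db->prepare(
        "SELECT $field_pri, $field_uc FROM $table WHERE $field_id = :id"
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Event (event_id INTEGER, event_privacy INTEGER, event_usercreate INTEGER)");
$db->exec("INSERT INTO Event VALUES (1, 1, 42)");

var_dump(check_privacy($db, 'Event', 1));    // ['event_privacy' => 1, 'event_usercreate' => 42]
var_dump(check_privacy($db, 'Event', "1'")); // NULL: a value that would have broken the
                                             // interpolated query is just a non-matching literal
try {
    check_privacy($db, 'users', 1);          // throws: table not in the allowlist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same pattern applies to OBM's MySQL backend; there it is worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so that the parameters are really sent to the server separately rather than quoted client-side by the driver.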
Waiting for input from ubuntu-security. Kees, being the intersection
of ubuntu-mir and ubuntu-security, could you please take a look at this?
Thanks!
** Changed in: obm (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
Status: New => Incomplete
** Changed in: obm (Ubuntu)
Status: Incomplete => In Progress
Subscribed Ubuntu Security: folks, obm is a not-so-small PHP app; its
programming model seems coherent, but I think it'd be best if you could
take a look before we promote this to main.
** Changed in: obm (Ubuntu)
Status: Incomplete => New
I have resolved these bugs:
1) nothing
2) I made a patch to disable this ;-)
3) Now debconf asks for the login and password of the OBM global admin, so I uploaded a new SQL
file to remove all default users.
Do you have other suggestions for main inclusion?
Tonio has uploaded the OBM 2.1.10-0ubuntu2 version, thank you
Thanks for your review. So there are 3 bugs:
1 - the script $path/../auto/changePasswd.pl, which uses the password on the command
line.
I agree with you, and I discussed this with all of the OBM dev team. But
in Ubuntu it isn't a problem because none of the Perl programs are installed. This
part of
1) Thanks for the explanation, so we can ignore that one.
2) If you mean you will just entirely disable this, fine :-)
3) debconf is okay, unless the server team plans to install this by
default (then we cannot use debconf, it won't be shown). However, even
in the latter case, people could still
Sounds like a good plan; I didn't do a full security review though (I
don't claim to have enough background for such a review), but in the
light of the above issues, I think I will recommend that our security
team takes a look before/just after main inclusion.
Regarding 3), no plan to install OBM by default, so I think we are safe.
There were multiple CVEs in previous versions of OBM (typical
web/PHP/input sanitizing issues: XSS, SQL injection), mostly affecting
the previous 1.x series. What steps are taken in the package to ensure the
scripts aren't publicly exposed?
I would expect OBM to only be used by some key people in a
Thanks, Loic, for your review. The password passing and default
password definitively need to be fixed. Also, why does a calendar
application even need to know about sudo and shutting down the
machine?
** Changed in: obm (Ubuntu)
Status: New => Incomplete