Bug 73021

Summary:	www-apps/phprojekt: critical error in setup.php allows to upload and start arbitrary scripts
Product:	Gentoo Security	Reporter:	Carsten Lohrke (RETIRED) <carlo>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
Whiteboard:	B1 [glsa] vorlon
Package list:		Runtime testing required:	---

Description Carsten Lohrke (RETIRED) gentoo-dev

2004-12-01 05:24:19 UTC

http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=189&mode=thread&order=0

fixed setup.php: http://phprojekt.com/files/4.2/setup.zip

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev

2004-12-01 05:38:53 UTC

web-apps pls provide an updated ebuild

rating this B1 for now, if it really allows to upload and execute scripts with the rights of the user running the webserver
carlo, web-apps, can you confirm that?

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2004-12-01 06:12:46 UTC

According to http://www.heise.de/security/news/meldung/53813 (German), this allows to upload and run any PHP-script with the standard test account. Furthermore it's said to be able to get the database password even without making use of the test account. All versions of PHProjekt seem to be affected.

Btw, it.sec <http://www.it-sec.de/> who reported this (or Martin M

Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev

2004-12-01 06:12:46 UTC

According to http://www.heise.de/security/news/meldung/53813 (German), this allows to upload and run any PHP-script with the standard test account. Furthermore it's said to be able to get the database password even without making use of the test account. All versions of PHProjekt seem to be affected.

Btw, it.sec <http://www.it-sec.de/> who reported this (or Martin Münch of it.sec), are linking to the article mentioned above.

Comment 4 Carsten Lohrke (RETIRED) gentoo-dev

2004-12-01 06:16:10 UTC

Um, I wasn't 100% correct. I read here http://www.heise.de/newsticker/meldung/53813 about it. It's said, that it's possible to load and start arbitrary php-scripts via the test account and to obtain the db password w/o any account. I guess that the latter is possible locally only, but I won't install and test phprojekt. The information from the phprojekt guys isn't very helpful, too.

Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev

2004-12-07 04:54:58 UTC

According to the phprojekt website this seems to allow unauthorized changes to the configuration, which, according to heise, could then allow uploading and execution of scripts using the default test account.

The tarball on their site seems to have the updated setup.php included already, our distfile mirrors are spreading the vulnerable version.

http://securitytracker.com/alerts/2004/Dec/1012369.html
http://secunia.com/advisories/13355/
_______

web-apps, pls verify and provide a fixed ebuild asap
This bug has been opened nearly a week ago.

Comment 6 Stuart Herbert (RETIRED) gentoo-dev

2004-12-07 05:47:14 UTC

phprojekt-4.2-r1 is now in the tree.  Sorry for the delay.

Best regards
Stu

Comment 7 Luke Macken (RETIRED) gentoo-dev

2004-12-07 07:04:37 UTC

archs, please mark phprojekt-4.2-r1 stable.

Comment 8 Jochen Maes (RETIRED) gentoo-dev

2004-12-08 00:34:49 UTC

stable on ppc

Comment 9 Olivier Crete (RETIRED) gentoo-dev

2004-12-08 12:17:55 UTC

x86 stable

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2004-12-10 14:33:57 UTC

GLSA sent, but lists are slow as hell, I didn't even received the gentoo-announce feedback... Probably will commit the mail tomorrow so please be patient.

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2004-12-13 00:39:46 UTC

Reposted... now it works.
GLSA 200412-06