Written by Dan Brown   

As seen on the front page, we've been patching!

I don't think it was a major issue personally. Obviously being vulnerable is, but the particular method used for the remote code execution relies on a very outdated and minimally secured server, which should be almost non-existent.

To test we had fixed the problem we first had to set up a weak server. I turned off the php options on my local install... and the exploit still didn't work. Because of the flavour of Linux I use, Apache has extra security built in that wouldn't allow them to be off anyway (Suhosin). So I tried my live web server VPN and that had the options turned off by default (I'm not going to turn them off there as I have other sites running). My old web host that I still have a site hosted with, also secured. Eventually Rich got his Apache crippled enough to be exploitable and we could test it with and without the patch. My point is that even trying to be insecure still took us 4 attempts on different servers to succeed (or is that fail?). This method of PHP exploit is well known and you really do have to go out of your way to be a target.

Anyway, it's taken a chunk of time out of the new 1.2.1 development. These two security patches have been ported over to 1.2.1 now, as it is different enough to not be mergeable due to the config system upgrades. The config is finished in both templates and fully working. It does still need adding to the installer though. We also added .gif and .png support as it was fast to throw in. There are a few more non-feature bits to do, mainly tidying up, so almost there.

Last Updated on Sunday, 04 October 2009 11:01