MantisBT - Doomseeker
View Issue Details
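ID: 0003751 | Project: Doomseeker | Category: Website | View Status: public | Date Submitted: 2020-01-30 13:31 | Last Update: 2021-08-07 16:53
Reporter: WubTheCaptain
Assigned To: WubTheCaptain
Priority: none | Severity: trivial | Reproducibility: always
Status: closed | Resolution: won't fix
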
0003751: PHP files are executed under indexed directories unnecessarily
I don't see why "static" directory indexes should be under PHP's allowed executable paths. My proposal for security in-depth is to disable executing PHP where it's not necessary.
There's no immediate threat here, as I don't believe anyone but (more or less) trusted webmasters can upload to the indexed directories.
https://doomseeker.drdteam.org/updates/
specifically, https://doomseeker.drdteam.org/updates/merge.php is executed as a PHP script by anyone.
Caveat: I don't know what merge.php is.
No tags attached.
Issue History
2020-01-30 13:31 | WubTheCaptain | New Issue
2020-01-30 13:33 | WubTheCaptain | Note Added: 0021157
2020-01-30 13:33 | WubTheCaptain | Note Edited: 0021157 | bug_revision_view_page.php?bugnote_id=21157#r12971
2020-01-31 12:45 | WubTheCaptain | Category | Security => Website
2020-01-31 22:48 | Blzut3 | Note Added: 0021181
2020-02-02 10:36 | Zalewa | Note Added: 0021182
2020-02-04 14:16 | WubTheCaptain | Status | new => acknowledged
2020-02-04 14:20 | WubTheCaptain | Note Added: 0021183
2020-02-04 14:20 | WubTheCaptain | Status | acknowledged => resolved
2020-02-04 14:20 | WubTheCaptain | Resolution | open => won't fix
2020-02-04 14:20 | WubTheCaptain | Assigned To | => WubTheCaptain
2021-08-07 16:53 | Blzut3 | Status | resolved => closed

Notes
(0021157)
WubTheCaptain   
2020-01-30 13:33   
The other path would be https://doomseeker.drdteam.org/files/, if not whitelisting allowed PHP scripts in the web root directory.

(0021181)
Blzut3   
2020-01-31 22:48   
drdteam.org is on a shared hosting provider, so not only do we not have access to the Apache config, access controls are too coarse to make any workaround actually have any effect. (I.e. anyone who would have access to that directory would also be able to just change any .htaccess rule put in place.)

merge.php combines some JSON objects into one. It's been a while so I don't remember the exact purpose of the script. Zalewa may be able to comment on that and then afterwards we can close this ticket since there's nothing we can really do.

As a side note, as far as security is concerned there aren't any scripts which we don't expect users to poke at. So them being in a directory listing is harmless since their existence is not considered secret. That even goes for files reachable only by messing with the URL like header.php and footer.php.

(0021182)
Zalewa   
2020-02-02 10:36   
IIRC originally there was no split between the "beta" and "stable" auto-update channels in terms of the JSON files. They were both in the same file. This was posing some complications with building of this file because the build script that creates this file only knows the current Doomseeker version it runs in. Thus it was impossible to build info for both channels from scratch. I/We figured that since Doomseeker is only interested in one of the channels at a time, we can safely split both channels into 2 files and thus remove the problem with the build script. Also, IIRC, we already released the first Doomseeker version that had the auto-updater that relied on the merged file, therefore we couldn't simply remove the old JSON files. Instead, the merge.php was made to redirect URLs to the old files. It builds the old merged format on the fly from the beta + stable files in the "new" separate format.

Since I'm pretty sure this will no longer be needed anymore by anyone, we could safely remove this feature from the website, i.e. delete the merge.php script and its redirect from .htaccess.

(0021183)
WubTheCaptain   
2020-02-04 14:20   
Won't fix due to shared hosting infra.
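
The proposal from the issue description and note 0021157, sketched as a per-directory `.htaccess` for an indexed directory such as `updates/` or `files/`. This is an added example, not part of the thread or the site's actual configuration; it assumes Apache 2.4 with overrides that permit `Require` in `.htaccess`, and the extension list and the `merge.php` exception are illustrative.

```apache
# Constructed example: .htaccess for a directory that only needs to
# serve static files (assumed here: updates/ or files/).

# Deny requests for any file name that ends in an extension typically
# mapped to the PHP handler. This blocks access to such files; it does
# not change how the server maps extensions to handlers.
# (?i) makes the match case-insensitive, since handler mappings by
# extension are not case-sensitive.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# Allowlist: scripts that are known and still required stay reachable.
# <Files> and <FilesMatch> sections are merged in the order they appear,
# so this later section overrides the denial above for this one file.
# Remove this block once merge.php itself is retired.
<Files "merge.php">
    Require all granted
</Files>
```

As note 0021181 points out, a rule like this only adds protection where whoever can write to the directory cannot also rewrite the `.htaccess` file.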