View Issue Details

ID: 0003751
Project: Doomseeker
Category: Website
View Status: public
Date Submitted: 2020-01-30 13:31
Last Update: 2020-02-04 14:20
Reporter: WubTheCaptain
Assigned To: WubTheCaptain
Priority: none
Severity: trivial
Reproducibility: always
Status: resolved
Resolution: won't fix
Platform / OS / OS Version: not specified
Product Version: not specified
Target Version / Fixed in Version: not specified
Summary: 0003751: PHP files are executed under indexed directories unnecessarily
Description: I don't see why "static" directory indexes should be under PHP's allowed executable paths. My proposal for security in depth is to disable executing PHP where it's not necessary.
There's no immediate threat here, as I don't believe anyone but (more or less) trusted webmasters can upload to the indexed directories.
Steps To Reproduce: https://doomseeker.drdteam.org/updates/
Specifically, https://doomseeker.drdteam.org/updates/merge.php is executed as a PHP script by anyone.
Additional Information: Caveat: I don't know what merge.php is.
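For readers who want to see what the reporter's proposal looks like in practice, the following per-directory `.htaccess` is an added illustration, not a file from the Doomseeker site or the ticket. It assumes Apache 2.4 and a hosting account whose `AllowOverride` permits `Options`, `FileInfo` and `Limit` directives; the directory path, the `mod_php7.c` module name (PHP 5 reports `mod_php5.c`, PHP 8 reports `mod_php.c`) and the listed extensions are assumptions chosen for the example.

```apache
# Added example: drop this file as .htaccess into a "static" download directory
# (e.g. /updates/ or /files/) so the web server no longer runs .php files found there.
# Assumes Apache 2.4; adjust the <IfModule> name to the PHP module actually loaded.

# 1. Keep the directory listing the ticket describes; only PHP execution goes away.
Options +Indexes

# 2. Under mod_php, switch the interpreter off for this directory tree.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# 3. Under a handler-based setup (AddHandler/AddType in the server config),
#    detach the PHP handler and MIME type for the usual script extensions.
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar

# 4. The dependable part: refuse to serve matching files at all. A handler that the
#    server config sets inside its own <FilesMatch> is merged after .htaccess, so
#    steps 2 and 3 alone may not take effect; this denial still does. It also stops
#    a detached handler from falling back to serving the script source as plain text.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Two limits apply, both consistent with the discussion in this ticket: the directives only work where the hosting provider's `AllowOverride` lets `.htaccess` set them, and an account that can write into the directory can also edit or delete the `.htaccess`, so this guards against misconfiguration and accidental uploads rather than against anyone who already holds write access there.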
Attached Files: none

Relationships: none

Notes
Note 0021157: WubTheCaptain (developer), 2020-01-30 13:33 (edited 2020-01-30 13:33)

The other path would be https://doomseeker.drdteam.org/files/, if not whitelisting allowed PHP scripts in the web root directory.

Note 0021181: Blzut3 (administrator), 2020-01-31 22:48

drdteam.org is on a shared hosting provider, so not only do we not have access to the Apache config, access controls are too coarse to make any workaround actually have any effect. (I.e., anyone who would have access to that directory would also be able to just change any .htaccess rule put in place.)

merge.php combines some JSON objects into one. It's been a while, so I don't remember the exact purpose of the script. Zalewa may be able to comment on that, and afterwards we can close this ticket since there's nothing we can really do.

As a side note, as far as security is concerned there aren't any scripts which we don't expect users to poke at. So them being in a directory listing is harmless, since their existence is not considered secret. That even goes for files reachable only by messing with the URL, like header.php and footer.php.

Note 0021182: Zalewa (developer), 2020-02-02 10:36

IIRC, originally there was no split between the "beta" and "stable" auto-update channels in terms of the JSON files. They were both in the same file. This posed some complications with the building of this file, because the build script that creates this file only knows the current Doomseeker version it runs in. Thus it was impossible to build info for both channels from scratch. I/We figured that since Doomseeker is only interested in one of the channels at a time, we can safely split both channels into 2 files and thus remove the problem with the build script. Also, IIRC, we had already released the first Doomseeker version that had the auto-updater that relied on the merged file, therefore we couldn't simply remove the old JSON files. Instead, the merge.php was made to redirect URLs to the old files. It builds the old merged format on the fly from the beta + stable files in the "new" separate format.

Since I'm pretty sure this will no longer be needed by anyone, we could safely remove this feature from the website, i.e., delete the merge.php script and its redirect from .htaccess.

Note 0021183: WubTheCaptain (developer), 2020-02-04 14:20

Won't fix due to shared hosting infra.


Issue History

Date Modified | Username | Field | Change
2020-01-30 13:31 WubTheCaptain New Issue
2020-01-30 13:33 WubTheCaptain Note Added: 0021157
2020-01-30 13:33 WubTheCaptain Note Edited: 0021157 View Revisions
2020-01-31 12:45 WubTheCaptain Category Security => Website
2020-01-31 22:48 Blzut3 Note Added: 0021181
2020-02-02 10:36 Zalewa Note Added: 0021182
2020-02-04 14:16 WubTheCaptain Status new => acknowledged
2020-02-04 14:20 WubTheCaptain Note Added: 0021183
2020-02-04 14:20 WubTheCaptain Status acknowledged => resolved
2020-02-04 14:20 WubTheCaptain Resolution open => won't fix
2020-02-04 14:20 WubTheCaptain Assigned To => WubTheCaptain
Copyright © 2000 - 2020 MantisBT Team
Powered by Mantis Bugtracker