|View Issue Details|
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003751 | Doomseeker | Website | public | 2020-01-30 13:31 | 2020-02-04 14:20 |

| Target Version | Fixed in Version |
|---|---|
| | |

Summary: 0003751: PHP files are executed under indexed directories unnecessarily
Description: I don't see why "static" directory indexes should be under PHP's allowed executable paths. My proposal for security in-depth is to disable executing PHP where it's not necessary.

There's no immediate threat here, as I don't believe anyone but (more or less) trusted webmasters can upload to the indexed directories.
Steps To Reproduce: https://doomseeker.drdteam.org/updates/

Specifically, https://doomseeker.drdteam.org/updates/merge.php is executed as a PHP script by anyone.

Additional Information: Caveat: I don't know what merge.php is.
edited on: 2020-01-30 13:33
Note 0021157 (WubTheCaptain, 2020-01-30 13:33): The other path would be https://doomseeker.drdteam.org/files/, if not whitelisting allowed PHP scripts in the web root directory.
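The `.htaccess` rules the proposal above would amount to, as an added example (not the Doomseeker site's own configuration; it assumes Apache 2.4 with `AllowOverride` permitting these directives, and a hypothetical static directory such as `/updates/`). As Blzut3 notes further down, on shared hosting anyone who can write to the directory can also edit this file, so it only guards against accidental execution, not against a user who already has write access.

```apache
# Hypothetical .htaccess for a static, indexed download directory.
# Added example, not from the Doomseeker site. Assumes Apache 2.4 with
# mod_authz_core and AllowOverride FileInfo AuthConfig Options for this path.

# Keep the directory listing itself; the ticket does not object to indexing.
Options +Indexes

# 1. Stop treating .php files as scripts in this subtree.
#    With mod_php, turning the engine off makes them inert; the guards avoid a
#    500 error on hosts where mod_php is not loaded (module name varies by PHP version).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
#    For handler-based setups (e.g. AddHandler in the server config), drop the
#    extension mappings so the files fall through to the default handler.
RemoveHandler .php .phtml .php5 .php7
RemoveType .php .phtml .php5 .php7

# 2. Defence in depth: refuse to serve anything that looks like PHP at all,
#    so a script that is no longer executed is not handed out as plain text either.
#    Authorization runs before any handler, so this also blocks PHP-FPM proxying.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```

If one script in the directory must stay reachable (the ticket's merge.php redirect case), it is simpler to move it out of the indexed path than to carve an exception into these rules.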
Note 0021181 (Blzut3, 2020-01-31 22:48): drdteam.org is on a shared hosting provider so, not only do we not have access to the apache config, access controls are too coarse to make any workaround actually have any effect. (I.e. anyone who would have access to that directory would also be able to just change any .htaccess rule put in place.)

merge.php combines some json objects into one. It's been a while so I don't remember the exact purpose of the script. Zalewa may be able to comment on that and then afterwards we can close this ticket since there's nothing we can really do.

As a side note, as far as security is concerned there aren't any scripts which we don't expect users to poke at. So them being in a directory listing is harmless since their existence is not considered secret. That even goes for files reachable only by messing with the url like header.php and footer.php.
Note 0021182 (Zalewa, 2020-02-02 10:36): IIRC originally there was no split between the "beta" and "stable" auto-update channels in terms of the JSON files. They were both in the same file. This was posing some complications with building of this file because the build script that creates this file only knows the current Doomseeker version it runs in. Thus it was impossible to build info for both channels from scratch. I/We figured that since Doomseeker is only interested in one of the channels at a time, we can safely split both channels into 2 files and thus remove the problem with the build script. Also, IIRC, we already released the first Doomseeker version that had the auto-updater that relied on the merged file, therefore we couldn't simply remove the old JSON files. Instead, the merge.php was made to redirect URLs to the old files. It builds the old merged format on the fly from the beta + stable files in the "new" separate format.

Since I'm pretty sure this will no longer be needed anymore by anyone, we could safely remove this feature from the website, i.e. delete the merge.php script and its redirect from .htaccess.
Note 0021183 (WubTheCaptain, 2020-02-04 14:20): Won't fix due to shared hosting infra.
|2020-01-30 13:31||WubTheCaptain||New Issue|
|2020-01-30 13:33||WubTheCaptain||Note Added: 0021157|
|2020-01-30 13:33||WubTheCaptain||Note Edited: 0021157||View Revisions|
|2020-01-31 12:45||WubTheCaptain||Category||Security => Website|
|2020-01-31 22:48||Blzut3||Note Added: 0021181|
|2020-02-02 10:36||Zalewa||Note Added: 0021182|
|2020-02-04 14:16||WubTheCaptain||Status||new => acknowledged|
|2020-02-04 14:20||WubTheCaptain||Note Added: 0021183|
|2020-02-04 14:20||WubTheCaptain||Status||acknowledged => resolved|
|2020-02-04 14:20||WubTheCaptain||Resolution||open => won't fix|
|2020-02-04 14:20||WubTheCaptain||Assigned To||=> WubTheCaptain|
|Copyright © 2000 - 2020 MantisBT Team|