From: Honza M. <hon...@ec...> - 2010-04-09 17:00:31
Hi, it must have been horrible work to spot this bug, Marek, and thank you for it. It wasn't a clever solution of the updates in AA. I'm sorry for your work.

FYI, this bug was fixed on 20.5.2009 by a new version of sql_update - right before the 2.50.0 AA release. The bug is not present in any stable release of AA, nor in the current developer version of AA. You need the database password for all sql_update.php3 operations (including database restore) right now.

For all of you who have AA installed from SVN between 2008-05-16 and 2009-05-20 without further updates, please update to the last stable version of AA or at least delete the sql_update.php3 script. If you are not sure, just take a look at your apc-aa/sql_update.php3 page. If it looks like the one on Marek's screenshot (the Test and Repair links on the right), I'm talking to you.

If you have any suggestions on the current AA update system, let me know.

Honza

On Thu 8 April 2010 Marek Tichy wrote:
> Hi,
> I've just been asked to solve the following mystery - AA reverting back
> to where it was months or weeks ago for no obvious reason.
> After a lot of digging I have found out that the culprit is the
> sql_update.php3 script, which
>
> 1) restores from bck_ tables without password protection
> 2) the (destructive) action is GET based
>
> This has resulted in a random spider or vulnerability scanner following
> this link:
>
> /apc-aa/sql_update.php3?repair=AA_Optimize_Redefine_Site_Templates
>
> and reverting the site back to when the bck_ tables were created.
>
> I believe that normally the bck_ tables are deleted, but in this case
> they - for some reason (permissions, result of some manual backup etc.)
> - were left alongside the live tables.
>
> I'd recommend the update script not be executable by default.
>
> Best
> Marek
>
> _______________________________________________
> apc-aa-general mailing list
> apc...@li...
> https://lists.sourceforge.net/lists/listinfo/apc-aa-general
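The two defects Marek lists (a destructive restore reachable without a password, and reachable by GET so that any crawler following a link triggers it) are a general pattern, not specific to ActionApps. The following is an added example, not ActionApps code and not from either poster, written in Python to show a gate in front of such a maintenance action: it refuses anything that is not a POST, ignores `?repair=` in the URL, requires a session-bound CSRF token, and requires the database password, as Honza says the fixed sql_update does. The names DB_PASSWORD, restore_backup, the Request/session layout and the in-memory table store are assumptions made for the demo; the crawler request replayed in crawler_attempt is the exact link from Marek's mail.

```python
"""Added example: a request gate for a destructive maintenance action.

Not ActionApps code.  It enforces the two properties the thread says the old
sql_update.php3 lacked: the action is not reachable via GET, and the caller
must prove knowledge of the database password.  DB_PASSWORD, restore_backup
and the session layout are assumptions for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed configuration for the demo; a deployment reads this from the
# application's config file, never from source.
DB_PASSWORD = "s3cret-db-password"


def fresh_database():
    """In-memory stand-in for live tables plus bck_ copies left behind by an
    earlier update; restoring bck_ over the live tables is the destructive step."""
    return {
        "item": ["item from today", "item from yesterday"],
        "bck_item": ["item from months ago"],
    }


class Denied(Exception):
    """The request was refused and nothing was changed."""


@dataclass
class Request:
    method: str
    url: str
    form: dict = field(default_factory=dict)     # decoded POST body
    session: dict = field(default_factory=dict)  # server-side session store


def csrf_token(session):
    """Return the session's CSRF token, minting one on first use."""
    return session.setdefault("csrf", secrets.token_hex(16))


def restore_backup(db):
    """Copy every bck_ table over its live counterpart (the destructive action)."""
    for name in list(db):
        if name.startswith("bck_"):
            db[name[len("bck_"):]] = list(db[name])
    return db


ACTIONS = {"restore_backup": restore_backup}


def handle_sql_update(req, db):
    """Gate in front of the maintenance actions."""
    # 1. Never act on GET, whatever the query string says: a spider or scanner
    #    following a link must not be able to trigger a restore.
    if req.method != "POST":
        asked = parse_qs(urlsplit(req.url).query).get("repair", ["?"])[0]
        raise Denied(f"GET with repair={asked} refused; destructive actions require POST")
    # The action name comes from the POST body only; ?repair= in the URL is ignored.
    action = ACTIONS.get(req.form.get("repair"))
    if action is None:
        raise Denied("unknown action")
    # 2. CSRF token bound to the session, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(req.session)):
        raise Denied("missing or invalid CSRF token")
    # 3. Proof of knowledge of the database password, also constant time.
    if not hmac.compare_digest(req.form.get("db_password", ""), DB_PASSWORD):
        raise Denied("database password required")
    return action(db)


def crawler_attempt(db):
    """Replay the link from the thread as a crawler would follow it.
    Returns the refusal message; db is left untouched."""
    req = Request("GET", "/apc-aa/sql_update.php3?repair=AA_Optimize_Redefine_Site_Templates")
    try:
        handle_sql_update(req, db)
    except Denied as e:
        return str(e)
    return None


def operator_restore(db, password, with_csrf=True):
    """Legitimate POST from a logged-in session; returns the restored db,
    or the refusal message if a check fails."""
    session = {}
    form = {"repair": "restore_backup", "db_password": password}
    if with_csrf:
        form["csrf"] = csrf_token(session)
    req = Request("POST", "/apc-aa/sql_update.php3", form=form, session=session)
    try:
        return handle_sql_update(req, db)
    except Denied as e:
        return str(e)


if __name__ == "__main__":
    db = fresh_database()
    print(crawler_attempt(db), "->", db["item"])
    print(operator_restore(db, DB_PASSWORD, with_csrf=False))
    print(operator_restore(db, DB_PASSWORD)["item"])
```

The order of the checks is deliberate: the method check is first because it costs nothing and is what stops crawlers, while the two secret comparisons use hmac.compare_digest so that a wrong token or password takes the same time as a right one. Marek's last suggestion, that the script not be executable by default, is complementary: a gate like this only helps while the script is meant to be reachable at all.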