From: John Graham-C. <jg...@jg...> - 2004-08-02 13:55:16
Folks,

Just under one hour ago one of POPFile's developers reported to me that they had discovered a flaw in the way in which we handle the delivery of GIF/PNG/ICO/CSS/HTML files through the internal web browser.

The good news is that people using the default stealth mode configuration are NOT affected, the bad news is that we have found a security flaw (the last (and first!) one was in May 2003).

I already have a patch for this and will be testing it today for release tomorrow or Wednesday. This will be v0.21.2, but I did not want to delay getting this information out to you.

WHO IS AFFECTED?

This will only affect you if:

1. You are running version v0.21.0 or v0.21.1

AND

2. You have DISABLED stealth mode (the default configuration is stealth mode which prevents anyone but you from connecting to your machine).

WHAT CAN I DO TO PROTECT MYSELF RIGHT NOW?

Go to the Security page and enable Stealth Mode for the UI.

WHAT EXACTLY COULD AN ATTACKER DO?

They could, if they create a special URL, retrieve arbitrary files from your machine (that POPFile has access to) that end with the extensions: .gif, .png, .ico, .css or .html. In the case of .html they'd also have to be in a directory with manual/ in the path. They would have to know the full path to the file, they cannot get a file listing or go searching.

NEXT

Sorry to have let this happen and I'll get a patch out ASAP that fixes the problem. I guess we'd better start numbering the advisories, so this is officially PSA #2, you can still read about PSA #1 here:

https://sourceforge.net/mailarchive/forum.php?thread_id=2563459&forum_id=12356

John.
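The advisory does not include POPFile's code. The following Python sketch is an added example, not POPFile's implementation or its patch: it contrasts a file lookup that checks only the extension and a "manual/" substring with one that also confines the resolved path to the served directory. The function names, the `ui_root` parameter and the directory layout are hypothetical, and the sample files are constructed for the demonstration.

```python
import os
import tempfile

ALLOWED_EXT = {".gif", ".png", ".ico", ".css", ".html"}  # extensions named in the advisory

def loose_lookup(url_path):
    """Assumed flawed pattern: only the extension and a 'manual/' substring are checked."""
    ext = os.path.splitext(url_path)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if ext == ".html" and "manual/" not in url_path:
        return None
    return url_path  # absolute and ../ paths reach open() unchanged

def strict_lookup(url_path, ui_root):
    """Resolve the request under ui_root and refuse anything that lands outside it."""
    ext = os.path.splitext(url_path)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    root = os.path.realpath(ui_root)
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # ../ or a symlink escaped the served directory
    if ext == ".html" and os.path.relpath(candidate, root).split(os.sep)[0] != "manual":
        return None  # .html is served only from <ui_root>/manual/
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Run both checks over a constructed tree: ui/ is served, private/ is not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ui")
        secret = os.path.join(tmp, "private", "manual", "notes.html")
        for path in (os.path.join(root, "logo.gif"),
                     os.path.join(root, "manual", "index.html"), secret):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        requests = {"in-root gif": "logo.gif",
                    "in-root manual page": "manual/index.html",
                    "dot-dot": "../private/manual/notes.html",
                    "absolute": secret}
        return {label: (loose_lookup(req) is not None,
                        strict_lookup(req, root) is not None)
                for label, req in requests.items()}

if __name__ == "__main__":
    for label, (loose, strict) in demo().items():
        print(f"{label:20} loose={loose} strict={strict}")
```

The extension allowlist stays in both versions; what changes is that the decision is made on the canonical path after resolution rather than on the request string.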