[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers] auditing the savannah code

From: Mathieu Roy
Subject: [Savannah-hackers] auditing the savannah code
Date: Sun, 28 Mar 2004 13:21:43 +0200
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

> Date: Sun, 28 Mar 2004 01:21:30 +0100
> From: "Lorenzo Hernandez Garcia-Hierro" <address@hidden>
> Subject: [Savannah-hackers] account at and auditing
>       the     savannah code
> To: "D. E. Evans" <address@hidden>
> Cc: address@hidden
> Message-ID: <address@hidden>
> Content-Type: text/plain;     charset="iso-8859-1"
> Hi,
> Finally i get working my account in .
> Other important thing:
> I am auditing the source code of savannah ( i got it by CVS and it is so
> much buggy

Please get your copy at <> , this is where
the development continue. The CVS at Savannah is out of
sync. Especially if you are looking at the trunk.

There are bugs open at <> but none is

>  ) and i discovered a big couple of vulnerabilities result of
> incorrect variable handling that can conduct for example in remote
> command execution ( using virtual shell provided by php commands and
> using the web server user rights )

I'd be very interested to get information about that. Several persons
reviewed the code previously and nothing really problematic was ever
found. Especially after the Savannah compromised, some persons publicly
questioned security of the Savannah code, without mentioning one line
that could explain the compromise.

At the time the server was compromised, there were unknown heavy
security holes in CVS and rsync, and known bugs in the running kernel
(ptrace, do_brk), largelly enough to completely compromise the
server. And at that time, the running version of Savannah was the old
trunk, before the CERN developments, so there is not much in common
with the current code. I remember having found some insecure stuff
while working at CERN on Savannah, but nothing that could lead to
remote exploit, in the worse case, it was just about inserting in the
database erroneous information, not impacting the system in anyway.

> .  I am preparing an audit paper ( currently i have wrote a lot but
> it is not finished ).  I am sending this message to savannah hackers
> too.  If help is needed ( in savannah ) i can work out with it ,
> patching and recoding some parts.

Please, send it first to address@hidden so we can take necessary
action to avoid any installation to be jeopardized, if there is a

Please do not send it to a public list like savannah-hackers until we
checked how it can affect the existing installation. 

In the meantime, I'd like to take a look to what you already wrote, so
I would be grateful if you can send it to me as soon as possible.

> I think we must recode savannah in order to stop using global/super
> global variables.

We are aware of the issue. There is a task open about that, but that's
an heavy work. However, we have tested potential problem with that,
and find nothing conclusive. Most PHP programs more than two years old
have this register globals issue. 


Mathieu Roy

  | General Homepage:              |
  | Computing Homepage:           |
  | Not a native english speaker:                                       |
  |  |

reply via email to

[Prev in Thread] Current Thread [Next in Thread]