Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES
From: Jason Wies
Subject: Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES
Date: Thu, 3 Jul 2003 18:37:03 +0000
User-agent: Mutt/1.3.28i

The VFS patch isn't correct. It's ok to have the files directory inside the
webroot as long as the admin is aware of the security problems and disables
scripts in the files directory. Common examples are web hosting, content
management, and sharing files outside the company.

The attached patches:
- Set the default files path to be outside the webroot
- On the setup page, advise against using a files directory inside the webroot
- Link from the setup page to a document describing the security
  recommendations for the location of the files directory. The document
  includes examples of proper Apache configuration when the files directory is
  inside the webroot.

To apply:

    cd phpgroupware-version
    patch -p1 <../patch-version.diff
    cvs remove filemanager/doc/INSTALL
    cvs add phpgwapi/doc/vfs/INSTALL

Jason Wies

On Thu, Jul 03, 2003 at 06:15:32PM +1000, Dave Hall wrote:
> Hi all,
>
> Please be aware there is a minor security advisory for phpgw. See
> http://www.security-corporation.com/articles-20030702-005.html for more
> info.
>
> There is also a vfs security patch. This prevents the vfs path
> being in the document root, which has been exploited in other php based
> groupware suites.
>
> We have fixed this in cvs for all branches (14, 16preRC and HEAD). This
> affects all previous versions of phpgroupware. We will be releasing
> packaged releases in about 12 hours.
>
> Cheers
>
> Dave
patch-head.diff
Description: Text document
patch-0.9.16.diff
Description: Text document
patch-0.9.14.diff
Description: Text document
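
Added example, not part of the original message or the attached patches: a Python check of whether a files directory resolves inside the webroot and, if it does, which stored files carry a script extension. The directory layout, the extension list and every function name are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed list of extensions a PHP-enabled Apache commonly maps to a handler.
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".cgi", ".pl"}

def is_inside(path, root):
    """True if path resolves to root or below it, after following symlinks."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(root)
    try:
        # Compares whole components: /srv/htdocs-files is not under /srv/htdocs.
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def script_like_files(files_dir):
    """Stored files with a script extension anywhere in the name (a.phtml.bak too)."""
    hits = []
    for base, _dirs, names in os.walk(files_dir):
        for name in names:
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & SCRIPT_EXTS:
                hits.append(os.path.relpath(os.path.join(base, name), files_dir))
    return sorted(hits)

def audit(files_dir, webroot):
    """Return (status, risky_files) for a VFS files directory."""
    if not is_inside(files_dir, webroot):
        return "outside-webroot", []
    return "inside-webroot", script_like_files(os.path.realpath(files_dir))

def build_sample_tree(tmp):
    """Constructed layout: a webroot, files dirs in and out of it, one symlink."""
    webroot = os.path.join(tmp, "htdocs")
    inside = os.path.join(webroot, "phpgroupware", "files")
    sibling = os.path.join(tmp, "htdocs-files")
    link = os.path.join(tmp, "vfs")
    os.makedirs(os.path.join(inside, "home"))
    os.makedirs(sibling)
    os.symlink(inside, link)  # looks outside the webroot, resolves inside it
    for name in ("report.txt", "upload.php", "notes.phtml.bak"):
        open(os.path.join(inside, "home", name), "w").close()
    return webroot, inside, sibling, link

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        webroot, inside, sibling, link = build_sample_tree(tmp)
        for d in (inside, sibling, link):
            print(d, audit(d, webroot))
```

A files directory reported as inside-webroot with a non-empty list is the case where script execution has to be disabled for that directory in the web server configuration.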