[Vtigercrm-developers] Potential Security Vulnerability

Tue Feb 21 14:25:35 PST 2006

I've never seen a php package that deletes the install folder, never
(and I've installed a lot of them).
most of them *tell you* to delete it (or rename it), tough, that's
very different.

and most of them, when you log in, tell you something like this:
"Hey, your install folder is still accesible !  delete it or make it
unaccesable"
(this is the check on login I was talking about)

$install_folder = 'install';
if (file_exists($install_folder)) {
   echo "stupid admin !";
}

/sak

On 2/21/06, Brian Devendorf <developer at infointegrated.com> wrote:
> Setting it unreadable will make it difficult if a user needs to reuse
> it down the road. Documenting that they need to reinstall those
> files, though, should be easy.
> User login checking won't work, because they are needed before the
> system is configured. The nice thing about deleting them is it
> provides a way for someone to reset the admin password if it is lost.
> They can upload the install directory and reset the password.
>
> The only other secure way I can think of is to allow it without
> authentication until the initial configuration is done. There needs
> to be a setting in config.php (or somewhere else) that sets this
> flag. Once the flag is set, the installation files are only
> functional if the admin is logged in. This would work as well.
>
> Most php apps I have dealt with have deletion of installation files
> as a step in their documentation for installing the package. I don't
> think deleting them is that drastic of a move. But I open to any
> truly secure options.
>
> Brian
>
> On Feb 21, 2006, at 2:05 PM, Sergio A. Kessler wrote:
>
> > I think deleting the whole folder is very rude.
> >
> > what about setting it unreadable for the httpd user ?
> >
> > or check it every time a user log in, then in case is readable for the
> > httpd user, put a big red pretty disturbing label at the top ? (I've
> > seen this in others systems)
> >
> > /sak
> >
> > On 2/21/06, Brian Devendorf <developer at infointegrated.com> wrote:
> >> I just created a ticket in Trac for a potential security
> >> vulnerability in
> >> vtiger:
> >> http://vtiger.fosslabs.com/cgi-bin/trac.cgi/ticket/25
> >> I also created a post in the forums as well:
> >> http://forums.vtiger.com/viewtopic.php?t=5704
> >>
> >> Here are the details:
> >> I know that most good systems admins would delete the install
> >> directories (I
> >> always do), but we are likely to have quite a few of the "uninitiated
> >> admins" installing vtiger. I would hate to leave vtiger open for
> >> attack. The
> >> install docs do not mention removing the install directory either.
> >> A hack on
> >> a vtiger install would not look good if it received any kind of
> >> press. This
> >> worst case scenario would force my company to switch to offering a
> >> different
> >> product. I really don't want to do that.
> >>
> >> Here are the contents of the ticket I submitted:
> >> If the install directory stays on the server after installation,
> >> an informed
> >> individual could change the admin password without any trouble at
> >> all, they
> >> could also view the mysql database and username information. With the
> >> current change in the branch, they could also change the SQL database
> >> (readonly tags removed). If the files in the install directory are
> >> removed
> >> after install, this risk will not exist. I have a diff that adds
> >> simple
> >> deletion of the install directory after completion of Setup Step 5.
> >>
> >> Here is the diff file I created for the branch:
> >>
> >>
> >>
> >> Please feel free to implement a solution to this risk however you
> >> feel it
> >> should be. My diff above is a bare bones solution to the problem.
> >> It does
> >> work, but I'm sure it could be done better. This was just a
> >> solution I put
> >> together in a few minutes to address what I believe is a critical
> >> hole.
> >>
> >>
> >> _______________________________________________
> >> This vtiger.com email is sponsored by: Zoho Writer. Are you still
> >> using your
> >> desktop word processor for typing documents? Try the AJAX enabled,
> >> collaboration-friendly online word processor, Zoho Writer for FREE
> >> instead!
> >> http://zohowriter.com/?vt
> >>
> >>
> >>
> >>
> >
> > _______________________________________________
> > This vtiger.com email is sponsored by: Zoho Writer. Are you still
> > using your desktop word processor for typing documents? Try the
> > AJAX enabled, collaboration-friendly online word processor, Zoho
> > Writer for FREE instead!
> > http://zohowriter.com/?vt
>
> _______________________________________________
> This vtiger.com email is sponsored by: Zoho Writer. Are you still using your desktop word processor for typing documents? Try the AJAX enabled, collaboration-friendly online word processor, Zoho Writer for FREE instead!
> http://zohowriter.com/?vt
>