Categorized | News, Open Source, PHP

Seagull 0.6.3 Remote File Disclosure Vulnerability – Please Upgrade

Posted on 25 January 2008 by Demian Turner

Well, the title says it all, but I don’t think this is a reason for anyone to have a heart attack, aside from me, but I’m recovered now 😉

Please download Seagull 0.6.4, which includes the small fix required to solve the file disclosure problem. 0.6.3 is no longer available.

As the release has only been out for less than 24 hours I doubt there are many production sites running on the vulnerable code, but if you were svn updating a live site (a very bad practice, by the way), then svn up again 😉

The problem is very simple: some code we recently introduced to merge, compress and cache CSS and JS files (optimizer.php) was accepting arbitrary file paths from a GET parameter, so any file readable by the web server could be requested through it – ouch. The checking is now much more stringent: only the expected asset files under the intended directory are accepted.
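As an added illustration (this is not Seagull’s own optimizer.php code), here is the unsafe pattern described above beside a hardened resolver. The `?files=` parameter, the function names and the directory layout are assumptions made for the example; the sample files it creates are constructed in a temporary directory so it runs stand-alone.

```php
<?php
// Added example, not code from Seagull's optimizer.php. It contrasts the
// unsafe pattern the post describes (a GET parameter used directly as a
// file path) with a hardened resolver. The ?files= parameter, function
// names and directory layout are assumptions for illustration only.

// Unsafe: the requested name is joined to the asset directory and used as-is.
// "../" sequences walk out of the directory, so any file the web server
// can read is disclosed.
function unsafeResolve(string $assetDir, string $requested): string
{
    return $assetDir . '/' . $requested;
}

// Hardened: only plain .css/.js names are accepted, the result is
// canonicalised with realpath(), and it must still lie inside $assetDir.
function safeResolve(string $assetDir, string $requested): ?string
{
    $base = realpath($assetDir);
    if ($base === false) {
        return null;
    }
    // Conservative character allow-list plus a required extension. Note that
    // ".." still matches, so the containment check below is what stops traversal.
    if (!preg_match('#\A[A-Za-z0-9_./-]+\.(css|js)\z#', $requested)) {
        return null;
    }
    $real = realpath($base . '/' . $requested);
    if ($real === false) {
        return null; // does not exist, or is a dangling symlink
    }
    // After symlinks and ".." are resolved the path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// The optimizer merges several files, so the parameter is assumed to be a
// comma-separated list. Reject the whole request if any entry fails.
function resolveBundle(string $assetDir, string $param): ?array
{
    $paths = [];
    foreach (explode(',', $param) as $name) {
        $p = safeResolve($assetDir, trim($name));
        if ($p === null) {
            return null;
        }
        $paths[] = $p;
    }
    return $paths;
}

// --- demo on a constructed directory layout ---
$tmp = sys_get_temp_dir() . '/sgl_demo_' . getmypid();
mkdir($tmp . '/css', 0700, true);
file_put_contents($tmp . '/css/site.css', "body{margin:0}\n");
file_put_contents($tmp . '/css/print.css', "@media print{a{color:#000}}\n");
file_put_contents($tmp . '/leak.css', "/* outside the asset dir */\n");
file_put_contents($tmp . '/config.php', "<?php \$dbPassword = 'constructed-secret';\n");

$requests = [
    'site.css,print.css',            // legitimate bundle
    '../config.php',                 // traversal to an application file
    '../../../../../etc/passwd',     // traversal out of the web root
    'site.css/../../config.php',     // traversal hidden behind a valid prefix
    '../leak.css',                   // right extension, wrong directory
];
foreach ($requests as $req) {
    $unsafe = [];
    foreach (explode(',', $req) as $n) {
        $p = unsafeResolve($tmp . '/css', $n);
        $unsafe[] = is_readable($p) ? 'READS ' . $p : 'missing';
    }
    $safe = resolveBundle($tmp . '/css', $req);
    printf("%-30s unsafe: %s\n%-30s safe:   %s\n", $req, implode(', ', $unsafe),
        '', $safe === null ? 'rejected' : implode(', ', $safe));
}

// cleanup
foreach (['/css/site.css', '/css/print.css', '/leak.css', '/config.php'] as $f) {
    unlink($tmp . $f);
}
rmdir($tmp . '/css');
rmdir($tmp);
```

The extension regex alone is not enough, because `..` still matches it; the `realpath()` plus prefix comparison is what actually keeps the request inside the asset directory, and rejecting the whole bundle on one bad entry avoids partially serving a crafted list.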

Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24 hours after the release went out. While he didn’t inform me or anyone I know of, Google Alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.

Finally, please note that the title of the exploit article is inaccurate: it claims that versions <= 0.6.3 are affected. This is not true, as the affected optimizer.php file was only introduced in 0.6.3.


3 Comments For This Post

  1. stefan Says:

    I don’t think this is open source at its best. Open source at its best would be to have the vulnerability reported to you alone until a fix has been presented.

    but that’s the asses of milw0rm for you.

  2. Demian Turner Says:

    yeah, i was trying to convey that in my post .. am still very thankful for the insight.

  3. stefan Says:

    Ah right, sorry. I did hear it slightly, but as you closed with the comment about open source at its best, I began to doubt 😉

    What I personally find open source at its best is your speedy response in the release of a new version. Now *that* is open source at its best :)
