Seagull 0.6.3 Remote File Disclosure Vulnerability - Please Upgrade

January 24, 2008 01:14, contributed by: seagull

Well, the title says it all, but I don't think this is a reason for anyone to have a heart attack (aside from me, but I've recovered now).

Please download Seagull 0.6.4, which includes the small fix required to solve the file disclosure problem. 0.6.3 is no longer available.

As the release has only been out <24 hours, I doubt there are many production sites running on the vulnerable code, but if you were svn updating a live site (a very bad practice, by the way), then svn up again.

The problem is very simple: some recent code we introduced to merge, compress and cache CSS and JS files was accepting arbitrary paths from GET parameters, so any file the web server could read could be disclosed. Ouch. The checking is now much more stringent.
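As an added illustration of the bug class described above (this is not Seagull's optimizer.php, and the function and parameter names are assumptions), here is the unsafe pattern of reading whatever path the client supplies, next to a hardened version that canonicalises the path and confines it to an allow-listed asset directory:

```php
<?php
// Illustrative example, not the project's code. The asset root, the
// "files" parameter and the function names are assumptions.

// Unsafe pattern: every comma-separated entry from ?files= is read as a
// filesystem path, so the client controls which file is disclosed.
function serve_assets_unsafe(string $filesParam): string
{
    $out = '';
    foreach (explode(',', $filesParam) as $file) {
        $out .= file_get_contents($file) . "\n";
    }
    return $out;
}

// Hardened resolver: returns the canonical path of a .css/.js file that
// lives inside $assetRoot, or null if anything about the request is off.
function resolve_asset(string $assetRoot, string $requested): ?string
{
    $root = realpath($assetRoot);
    if ($root === false) {
        return null;
    }
    // Only plain relative names with an allowed extension; this also
    // rejects NUL bytes, URL schemes and other odd characters early.
    if (!preg_match('#^[A-Za-z0-9_./-]+\.(css|js)\z#', $requested)) {
        return null;
    }
    // realpath() resolves ".." segments and symlinks to a canonical form.
    $real = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The decisive check: the canonical path must still sit under the root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened merge: one rejected entry fails the whole request rather than
// silently serving a partial bundle.
function serve_assets_hardened(string $assetRoot, string $filesParam): ?string
{
    $out = '';
    foreach (explode(',', $filesParam) as $file) {
        $path = resolve_asset($assetRoot, trim($file));
        if ($path === null) {
            return null;
        }
        $out .= file_get_contents($path) . "\n";
    }
    return $out;
}
```

With `$assetRoot` pointing at the public CSS/JS directory, a request such as `../outside.css` is rejected by the prefix check even though it matches the filename pattern, which is exactly the traversal the original code did not stop.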

Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24 hours after the release went out. While he didn't inform me or anyone I know of, Google Alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.

Finally, please note that the title of the exploit article is inaccurate: it claims versions <= 0.6.3 are affected, but this is not true, as the affected optimizer.php file was only introduced in 0.6.3.
