Debian Bug report logs - #332290
horde3: Application is in a severely insecure state during configuration


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Mike O'Connor <stew@vireo.org>

Date: Wed, 5 Oct 2005 17:33:04 UTC

Severity: critical

Tags: security

Found in version horde3/3.0.5-1

Fixed in versions horde3/3.0.5-2, horde3/3.0.4-4sarge1

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Mike O'Connor <stew@vireo.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Mike O'Connor <stew@vireo.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde3: Application is in a severely insecure state during configuration
Date: Wed, 5 Oct 2005 13:17:37 -0400
Package: horde3
Version: 3.0.5-1
Severity: critical
Tags: security
Justification: root security hole

As part of the installation procedure in README.Debian, you are told to
configure horde3 via a web interface.  This is done using an
Administrator account which requires no password.  In the time that the
application is in this state, anyone who goes to the website is
automatically logged in as Administrator with no password.  The
Administrative account is granted access to 3 tools that look extremely
dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
determine what phpshell.php does.  However, when I used cmdshell.php
I was able to execute arbitrary commands as the www-user.  For instance
I was able to successfully execute "cat /etc/passwd".  This is horribly
unacceptable.

I would recommend that cmdshell.php and sqlshell.php be removed.  They
are a much bigger security hole than they are worth.  I don't know what
phpshell.php does, but I wouldn't be surprised if it were in this same
category.

I also would recommend that a password be required to use the
Administration interface.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages horde3 depends on:
ii  apache [httpd]               1.3.33-7    versatile, high-performance HTTP s
ii  libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cli [phpapi-20020918]   4:4.3.10-15 command-line interpreter for the p
ii  php4-domxml                  4:4.3.10-15 XMLv2 module for php4
ii  php4-pear                    4:4.3.10-15 PEAR - PHP Extension and Applicati
ii  php4-pear-log                1.6.0-1.1   Log module for PEAR

Versions of packages horde3 recommends:
ii  logrotate                     3.7.1-2    Log rotation utility
pn  php-date                      <none>     (no description available)
pn  php-file                      <none>     (no description available)
pn  php-mail-mime                 <none>     (no description available)
pn  php-services-weather          <none>     (no description available)
pn  php4-gd | php4-gd2            <none>     (no description available)
pn  php4-mcrypt                   <none>     (no description available)
pn  php4-mysql | php4-pgsql | php <none>     (no description available)

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Martin Lohmeier <martin@mein-horde.de>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #10 received at 332290@bugs.debian.org (full text, mbox):

From: Martin Lohmeier <martin@mein-horde.de>
To: Mike O'Connor <stew@vireo.org>, 332290@bugs.debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Thu, 06 Oct 2005 23:53:27 +0200
[Message part 1 (text/plain, inline)]
Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> As part of the installation procedure in README.Debian, you are told to
> configure horde3 via a web interface.  This is done using an
> Administrator account which requires no password.  In the time that the
> application is in this state, anyone who goes to the website is
> automatically logged in as Administrator with no password.  The
> Administrative account is granted access to 3 tools that look extremely
> dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> determine what phpshell.php does.  However, when I used cmdshell.php
> I was able to execute arbitrary commands as the www-user.  For instance
> I was able to successfully execute "cat /etc/passwd".  This is horribly
> unacceptable.
> 
> I would recommend that cmdshell.php and sqlshell.php be removed.  They
> are a much bigger security hole than they are worth.  I don't know what
> phpshell.php does, but I wouldn't be surprised if it were in this same
> category.
> 
> I also would recommend that a password be required to use the
> Administration interface.

The security problem is your webserver & PHP. Set open_basedir, for
example. And as long as you haven't configured horde (and you only can if
you change the permissions and ownership of the configuration files) you do not
have SQL access and you cannot do anything with sqlshell.php.

bye, Martin

-- 

Powered by Debian GNU / Linux
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Mike O'Connor <stew@vireo.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #15 received at 332290@bugs.debian.org (full text, mbox):

From: Mike O'Connor <stew@vireo.org>
To: Martin Lohmeier <martin@mein-horde.de>
Cc: 332290@bugs.debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Thu, 06 Oct 2005 20:00:59 -0400
On Thu, 2005-10-06 at 23:53 +0200, Martin Lohmeier wrote:
> Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > 
> > As part of the installation procedure in README.Debian, you are told to
> > configure horde3 via a web interface.  This is done using an
> > Administrator account which requires no password.  In the time that the
> > application is in this state, anyone who goes to the website is
> > automatically logged in as Administrator with no password.  The
> > Administrative account is granted access to 3 tools that look extremely
> > dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> > determine what phpshell.php does.  However, when I used cmdshell.php
> > I was able to execute arbitrary commands as the www-user.  For instance
> > I was able to successfully execute "cat /etc/passwd".  This is horribly
> > unacceptable.
> > 
> > I would recommend that cmdshell.php and sqlshell.php be removed.  They
> > are a much bigger security hole than they are worth.  I don't know what
> > phpshell.php does, but I wouldn't be surprised if it were in this same
> > category.
> > 
> > I also would recommend that a password be required to use the
> > Administration interface.
> 
> The security problem is your webserver & PHP. Set open_basedir, for
> example. And as long as you haven't configured horde (and you only can if
> you change the permissions and ownership of the configuration files) you do not
> have SQL access and you cannot do anything with sqlshell.php.
> 
> bye, Martin
> 

OK.  sqlshell.php might be innocuous, but cmdshell.php isn't.  If the
only way to configure horde securely is to do something with
open_basedir, or something similar, that needs to be documented in
README.Debian.  Following the current instructions in README.Debian
causes your webserver to be vulnerable.




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #20 received at 332290@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: Mike O'Connor <stew@vireo.org>, 332290@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Sat, 8 Oct 2005 20:27:42 +0200
Hello

On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> As part of the installation procedure in README.Debian, you are told to
> configure horde3 via a web interface.  This is done using an
> Administrator account which requires no password.  In the time that the
> application is in this state, anyone who goes to the website is
> automatically logged in as Administrator with no password.  The
> Administrative account is granted access to 3 tools that look extremely
> dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> determine what phpshell.php does.  However, when I used cmdshell.php
> I was able to execute arbitrary commands as the www-user.  For instance
> I was able to successfully execute "cat /etc/passwd".  This is horribly
> unacceptable.

Ohh my!

> I would recommend that cmdshell.php and sqlshell.php be removed.  They
> are a much bigger security hole than they are worth.  I don't know what
> phpshell.php does, but I wouldn't be surprised if it were in this same
> category.

I agree that these should be moved to somewhere else.

I agree that cmdshell and sqlshell are really dangerous
and I was not aware of them.

> I also would recommend that a password be required to use the
> Administration interface.

The administration thing will be kept there, as it does not have any write
permission to any of the configuration files.

Or do you have a good suggestion on how to have a password that is not
predefined? Set a random one?

Regards,

// Ola

> -- System Information:
> Debian Release: testing/unstable
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
> 
> Versions of packages horde3 depends on:
> ii  apache [httpd]               1.3.33-7    versatile, high-performance HTTP s
> ii  libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4-cli [phpapi-20020918]   4:4.3.10-15 command-line interpreter for the p
> ii  php4-domxml                  4:4.3.10-15 XMLv2 module for php4
> ii  php4-pear                    4:4.3.10-15 PEAR - PHP Extension and Applicati
> ii  php4-pear-log                1.6.0-1.1   Log module for PEAR
> 
> Versions of packages horde3 recommends:
> ii  logrotate                     3.7.1-2    Log rotation utility
> pn  php-date                      <none>     (no description available)
> pn  php-file                      <none>     (no description available)
> pn  php-mail-mime                 <none>     (no description available)
> pn  php-services-weather          <none>     (no description available)
> pn  php4-gd | php4-gd2            <none>     (no description available)
> pn  php4-mcrypt                   <none>     (no description available)
> pn  php4-mysql | php4-pgsql | php <none>     (no description available)
> 
> -- no debconf information
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #25 received at 332290@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: Mike O'Connor <stew@vireo.org>, 332290@bugs.debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Sat, 8 Oct 2005 21:18:01 +0200
Hello

I have now decided to disable horde3 entirely by default. The admin needs to remove
two lines to enable it again.
This solves most of the security issues.

Regards,

// Ola

On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> As part of the installation procedure in README.Debian, you are told to
> configure horde3 via a web interface.  This is done using an
> Administrator account which requires no password.  In the time that the
> application is in this state, anyone who goes to the website is
> automatically logged in as Administrator with no password.  The
> Administrative account is granted access to 3 tools that look extremely
> dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> determine what phpshell.php does.  However, when I used cmdshell.php
> I was able to execute arbitrary commands as the www-user.  For instance
> I was able to successfully execute "cat /etc/passwd".  This is horribly
> unacceptable.
> 
> I would recommend that cmdshell.php and sqlshell.php be removed.  They
> are a much bigger security hole than they are worth.  I don't know what
> phpshell.php does, but I wouldn't be surprised if it were in this same
> category.
> 
> I also would recommend that a password be required to use the
> Administration interface.
> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
> 
> Versions of packages horde3 depends on:
> ii  apache [httpd]               1.3.33-7    versatile, high-performance HTTP s
> ii  libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4-cli [phpapi-20020918]   4:4.3.10-15 command-line interpreter for the p
> ii  php4-domxml                  4:4.3.10-15 XMLv2 module for php4
> ii  php4-pear                    4:4.3.10-15 PEAR - PHP Extension and Applicati
> ii  php4-pear-log                1.6.0-1.1   Log module for PEAR
> 
> Versions of packages horde3 recommends:
> ii  logrotate                     3.7.1-2    Log rotation utility
> pn  php-date                      <none>     (no description available)
> pn  php-file                      <none>     (no description available)
> pn  php-mail-mime                 <none>     (no description available)
> pn  php-services-weather          <none>     (no description available)
> pn  php4-gd | php4-gd2            <none>     (no description available)
> pn  php4-mcrypt                   <none>     (no description available)
> pn  php4-mysql | php4-pgsql | php <none>     (no description available)
> 
> -- no debconf information
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Mike O'Connor <stew@vireo.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 332290-close@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: 332290-close@bugs.debian.org
Subject: Bug#332290: fixed in horde3 3.0.5-2
Date: Sat, 08 Oct 2005 13:02:29 -0700
Source: horde3
Source-Version: 3.0.5-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.5-2.diff.gz
  to pool/main/h/horde3/horde3_3.0.5-2.diff.gz
horde3_3.0.5-2.dsc
  to pool/main/h/horde3/horde3_3.0.5-2.dsc
horde3_3.0.5-2_all.deb
  to pool/main/h/horde3/horde3_3.0.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  8 Oct 2005 21:10:48 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 332276 332289 332290
Changes: 
 horde3 (3.0.5-2) unstable; urgency=high
 .
   * Configuration disabled by default, closes: #332290, #332289.
   * Removed some crap from the README.Debian file, closes: #332276.
Files: 
 162aafc9623c3254790b319196c40c8d 615 web optional horde3_3.0.5-2.dsc
 09a724e4437c94a7df9d7991d7b7b60c 7062 web optional horde3_3.0.5-2.diff.gz
 b7fd825f055fdcc159385ff3e0143a91 3597976 web optional horde3_3.0.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDSB3XGKGxzw/lPdkRAtQeAKCBw/1B2tkcPZw9rHKL6VL1B58UmgCgmvf0
T+irgbIC29mwYzrYSyWdwhs=
=1A30
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #35 received at 332290@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: opal@debian.org, Mike O'Connor <stew@vireo.org>, 332290@bugs.debian.org, security@debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Sun, 9 Oct 2005 10:17:22 +0200
Ola Lundqvist wrote:
> Hello
> 
> On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > 
> > As part of the installation procedure in README.Debian, you are told to
> > configure horde3 via a web interface.  This is done using an
> > Administrator account which requires no password.  In the time that the
> > application is in this state, anyone who goes to the website is
> > automatically logged in as Administrator with no password.  The
> > Administrative account is granted access to 3 tools that look extremely
> > dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> > determine what phpshell.php does.  However, when I used cmdshell.php
> > I was able to execute arbitrary commands as the www-user.  For instance
> > I was able to successfully execute "cat /etc/passwd".  This is horribly
> > unacceptable.
> 
> Ohh my!
> 
> > I would recommend that cmdshell.php and sqlshell.php be removed.  They
> > are a much bigger security hole than they are worth.  I don't know what
> > phpshell.php does, but I wouldn't be surprised if it were in this same
> > category.
> 
> I agree that these should be moved to somewhere else.
> 
> I agree that cmdshell and sqlshell are really dangerous
> and I was not aware of them.

Did you check phpshell.php that Mike mentioned as well?

> > I also would recommend that a password be required to use the
> > Administration interface.
> 
> The administration thing will be kept there, as it does not have any write
> permission to any of the configuration files.
> 
> Or do you have a good suggestion on how to have a password that is not
> predefined? Set a random one?

Depend on pwgen and generate one at install-time which will be stored
in /etc/horde3/admin-password and is mode 0600 or something?

Regards,

	Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.
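The install-time password approach suggested above, as an added example written for this page (not code from the horde3 package or from anyone in this thread): a maintainer-script-style helper that generates a random admin password, stores it in a root-only file, and checks the result. The function names, the `/etc/horde3/admin-password` default path (taken from the suggestion), the 16-character length and the `/dev/urandom` fallback for hosts without pwgen are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug log or the horde3 package.
# Generates a random admin password at install time and stores it 0600,
# following the pwgen suggestion in Message #35. All names below are assumed.
set -e

# Produce one random password of $1 characters (default 16).
# Uses pwgen when available (the thread's suggestion); otherwise falls back
# to /dev/urandom so the example still runs where pwgen is not installed.
gen_password() {
    len="${1:-16}"
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s "$len" 1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
        echo
    fi
}

# Create $1 (default /etc/horde3/admin-password) containing a fresh password.
# The file is created inside a subshell with umask 077 so it is 0600 from the
# first byte; an existing file is left alone so a package upgrade never
# silently rotates a password the admin already uses.
store_admin_password() {
    file="${1:-/etc/horde3/admin-password}"
    if [ -e "$file" ]; then
        return 0
    fi
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -p "$dir"
    ( umask 077; gen_password 16 > "$file" )
    chmod 0600 "$file"   # explicit, so the intent survives a changed umask line
}

# Post-condition check a postinst could run: the file exists, is non-empty,
# and is readable/writable by its owner only (mode 0600). Returns non-zero
# otherwise. Uses ls rather than stat so it works on non-GNU userlands.
check_password_file() {
    file="$1"
    [ -s "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    return 0
}

# Stand-alone usage: store into a temporary location and verify it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    store_admin_password "$tmp/admin-password"
    check_password_file "$tmp/admin-password" && echo "password file OK"
    rm -rf "$tmp"
fi
```

Run with `sh example.sh --demo` to exercise it without touching `/etc`. Keeping the password in a separate root-only file, rather than in the world-readable web configuration, is the point of the mode check: the web server user does not need to read it unless the application is deliberately given access.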



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to ola@opalsys.net:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #40 received at 332290@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <ola@opalsys.net>
To: Martin Schulze <joey@infodrom.org>
Cc: 332290@bugs.debian.org
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Sun, 9 Oct 2005 11:58:56 +0200
Hello

On Sun, Oct 09, 2005 at 10:17:22AM +0200, Martin Schulze wrote:
> Ola Lundqvist wrote:
> > Hello
> > 
> > On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote:
> > > Package: horde3
> > > Version: 3.0.5-1
> > > Severity: critical
> > > Tags: security
> > > Justification: root security hole
> > > 
> > > As part of the installation procedure in README.Debian, you are told to
> > > configure horde3 via a web interface.  This is done using an
> > > Administrator account which requires no password.  In the time that the
> > > application is in this state, anyone who goes to the website is
> > > automatically logged in as Administrator with no password.  The
> > > Administrative account is granted access to 3 tools that look extremely
> > > dangerous: cmdshell.php, sqlshell.php and phpshell.php.  I didn't
> > > determine what phpshell.php does.  However, when I used cmdshell.php
> > > I was able to execute arbitrary commands as the www-user.  For instance
> > > I was able to successfully execute "cat /etc/passwd".  This is horribly
> > > unacceptable.
> > 
> > Ohh my!
> > 
> > > I would recommend that cmdshell.php and sqlshell.php be removed.  They
> > > are a much bigger security hole than they are worth.  I don't know what
> > > phpshell.php does, but I wouldn't be surprised if it were in this same
> > > category.
> > 
> > I agree that these should be moved to somewhere else.
> > 
> > I agree that cmdshell and sqlshell are really dangerous
> > and I was not aware of them.
> 
> Did you check phpshell.php that Mike mentioned as well?

I think it can be dangerous as well.

> > > I also would recommend that a password be required to use the
> > > Administration interface.
> > 
> > The administration thing will be kept there, as it does not have any write
> > permission to any of the configuration files.
> > 
> > Or do you have a good suggestion on how to have a password that is not
> > predefined? Set a random one?
> 
> Depend on pwgen and generate one at install-time which will be stored
> in /etc/horde3/admin-password and is mode 0600 or something?

I decided to completely disable horde3 until the admin decides to
remove two lines in the configuration.

This update is needed for sarge as well and I have prepared a
package if you want.

What I did was to add two lines to /etc/horde/horde3/conf.php:
echo "Disabled by default ...";
exit(0);

I also updated the documentation. I can upload it to
stable-proposed-updates if you want (or some other target if
you like that better).

Regards,

// Ola

> Regards,
> 
> 	Joey
> 
> -- 
> Life is too short to run proprietary software.  -- Bdale Garbee
> 
> Please always Cc to me when replying to me on the lists.
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  ola@opalsys.net                   Annebergsslingan 37        \
|  opal@debian.org                   654 65 KARLSTAD            |
|  http://www.opal.dhs.org           Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332290; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #45 received at 332290@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Ola Lundqvist <ola@opalsys.net>
Cc: 332290@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#332290: horde3: Application is in a severely insecure state during configuration
Date: Sun, 9 Oct 2005 12:24:35 +0200
Ola Lundqvist wrote:
> > > > I also would recommend that a password be required to use the
> > > > Administration interface.
> > > 
> > > The administration thing will be kept there, as it does not have any write
> > > permission to any of the configuration files.
> > > 
> > > Or do you have a good suggestion on how to have a password that is not
> > > predefined? Set a random one?
> > 
> > Depend on pwgen and generate one at install-time which will be stored
> > in /etc/horde3/admin-password and is mode 0600 or something?
> 
> I decided to completely disable horde3 until the admin decides to
> remove two lines in the configuration.
> 
> This update is needed for sarge as well and I have prepared a
> package if you want.
> 
> What I did was to add two lines to /etc/horde/horde3/conf.php:
> echo "Disabled by default ...";
> exit(0);

This does not give a note about why it was disabled, which would
probably be a good idea in case people install the package...

However, that file does not seem to be marked as configuration
file, so that the update would update all installations at once.

> I also updated the documentation. I can upload it to
> stable-proposed-updates if you want (or some other target if
> you like that better).

Before uploading it to the official archive, please give us a chance
to review it first.  Best would be to copy the files to a .debian.org
host or another address that can be accessed via lynx/wget.

Regards,

	Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Mike O'Connor <stew@vireo.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 332290-close@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: 332290-close@bugs.debian.org
Subject: Bug#332290: fixed in horde3 3.0.4-4sarge1
Date: Mon, 07 Nov 2005 01:02:07 -0800
Source: horde3
Source-Version: 3.0.4-4sarge1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge1.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
horde3_3.0.4-4sarge1.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge1.dsc
horde3_3.0.4-4sarge1_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  8 Oct 2005 21:33:40 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge1
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 332276 332289 332290
Changes: 
 horde3 (3.0.4-4sarge1) stable-security; urgency=high
 .
   * Horde3 disabled by default as the administration/install wizard is a
     security hole, closes: #332290, #332289.
     CVE-2005-3344
   * Removed some crap from the README.Debian file and documented that
     horde3 is now disabled by default, closes: #332276.
Files: 
 cc9b46f4b5a4f4a514ecbc51d9eb3a58 627 web optional horde3_3.0.4-4sarge1.dsc
 b0e7fb95efe86aeb42cfd0b478dd312b 6751 web optional horde3_3.0.4-4sarge1.diff.gz
 671d10d028345c0cfc133cc0504a2d50 3432038 web optional horde3_3.0.4-4sarge1_all.deb
 e2221d409ba1c8841ce4ecee981d7b61 3378143 web optional horde3_3.0.4.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbw3cW5ql+IAeqTIRAhtGAKCt1+ooh6nhSISehEuaESv2ug/PKwCfYyib
pflIHuaZYuu7sy1XX7fXGZM=
=yUvi
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 02:15:37 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:40:07 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.