Package: horde3
Version: 3.0.5-1
Severity: critical
Tags: security
Justification: root security hole
As part of the installation procedure in README.Debian, you are told to configure horde3 via a web interface. This is done using an Administrator account which requires no password. In the time that the application is in this state, anyone who goes to the website is automatically logged in as Administrator with no password.

The Administrator account is granted access to 3 tools that look extremely dangerous: cmdshell.php, sqlshell.php and phpshell.php. I didn't determine what phpshell.php does. However, when I used cmdshell.php I was able to execute arbitrary commands as the www user. For instance, I was able to successfully execute "cat /etc/passwd". This is horribly unacceptable.

I would recommend that cmdshell.php and sqlshell.php be removed. They are a much bigger security hole than they are worth. I don't know what phpshell.php does, but I wouldn't be surprised if it were in this same category. I also would recommend that a password be required to use the Administration interface.
-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages horde3 depends on:
ii  apache [httpd]                1.3.33-7       versatile, high-performance HTTP s
ii  libapache-mod-php4 [phpapi-2  4:4.3.10-15    server-side, HTML-embedded scripti
ii  php4                          4:4.3.10-15    server-side, HTML-embedded scripti
ii  php4-cli [phpapi-20020918]    4:4.3.10-15    command-line interpreter for the p
ii  php4-domxml                   4:4.3.10-15    XMLv2 module for php4
ii  php4-pear                     4:4.3.10-15    PEAR - PHP Extension and Applicati
ii  php4-pear-log                 1.6.0-1.1      Log module for PEAR

Versions of packages horde3 recommends:
ii  logrotate                     3.7.1-2        Log rotation utility
pn  php-date                      <none>         (no description available)
pn  php-file                      <none>         (no description available)
pn  php-mail-mime                 <none>         (no description available)
pn  php-services-weather          <none>         (no description available)
pn  php4-gd | php4-gd2            <none>         (no description available)
pn  php4-mcrypt                   <none>         (no description available)
pn  php4-mysql | php4-pgsql | php <none>         (no description available)

-- no debconf information
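Added below as an illustration of the check an administrator would want after reading this report; it is not part of the bug report, of Debian's horde3 packaging or of Horde's own code. It is a POSIX shell audit of a Horde 3 install tree for the two conditions the report combines: the admin scripts cmdshell.php, sqlshell.php and phpshell.php being present, and the configuration still being in the password-less state. The paths (<root>/admin/ for the scripts, <root>/config/conf.php for the configuration) and the assumption that the password-less state corresponds to $conf['auth']['driver'] = 'auto' are assumptions made for the example, not facts from the report; the sample install trees it builds are constructed placeholders, not real Horde files.

```shell
#!/bin/sh
# Added example, not from the bug report, Debian or Horde.
# Assumptions (not stated in the report): admin scripts under <root>/admin/,
# configuration at <root>/config/conf.php, and the password-less state being
# $conf['auth']['driver'] = 'auto'.  Adjust for a real install.

# Print each dangerous admin script that exists under <root>/admin/.
# Returns 0 if at least one is present, 1 otherwise.
horde_admin_shells() {
    root=$1
    found=1
    for f in cmdshell.php sqlshell.php phpshell.php; do
        if [ -f "$root/admin/$f" ]; then
            echo "$root/admin/$f"
            found=0
        fi
    done
    return $found
}

# Returns 0 if conf.php selects the 'auto' driver (assumed here to be the
# setting that logs every visitor in as the configured user with no password).
horde_auth_is_auto() {
    grep -Eq "^[[:space:]]*\\\$conf\['auth']\['driver'][[:space:]]*=[[:space:]]*'auto'" \
        "$1/config/conf.php" 2>/dev/null
}

# Report on <root>.  Returns 1 when a password-less admin can reach at least
# one shell script (the state the report describes), 0 otherwise.
horde_audit() {
    root=$1
    shells=$(horde_admin_shells "$root") || shells=""
    if horde_auth_is_auto "$root"; then
        auto=1
        echo "auth driver: auto (no password required)"
    else
        auto=0
        echo "auth driver: not auto"
    fi
    if [ -n "$shells" ] && [ "$auto" -eq 1 ]; then
        echo "FINDING: unauthenticated admin can reach:"
        echo "$shells"
        return 1
    fi
    echo "ok: no password-less admin shell exposure"
    return 0
}

# Build a throwaway install tree (constructed placeholder files, not real
# Horde files) and print its path.  "vulnerable" mimics the fresh-install
# state; anything else gives a tree with the shells removed and a real driver.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/admin" "$dir/config"
    if [ "$1" = "vulnerable" ]; then
        cat > "$dir/config/conf.php" <<'EOF'
<?php
$conf['auth']['driver'] = 'auto';
$conf['auth']['params']['username'] = 'Administrator';
$conf['auth']['admins'] = array('Administrator');
EOF
        for f in cmdshell.php sqlshell.php phpshell.php; do
            echo '<?php /* placeholder */' > "$dir/admin/$f"
        done
    else
        cat > "$dir/config/conf.php" <<'EOF'
<?php
$conf['auth']['driver'] = 'sql';
$conf['auth']['admins'] = array('admin');
EOF
    fi
    echo "$dir"
}

# Demo: audit a constructed fresh-install tree.
sample=$(make_sample_install vulnerable)
horde_audit "$sample" || true
rm -rf "$sample"
```

Point it at a real install with horde_audit /usr/share/horde3 (or wherever the package unpacks to); a non-zero exit means the two conditions from the report hold at the same time, which is the window in which anyone reaching the site gets a command shell as the web server user.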