At the PHP|Tek conference, one of the speakers kindly revealed a
security issue with current versions of Habari. To exploit this
vulnerability, all of the following must be true:

* an attacker needs to know your database username and password
* an attacker needs to know your database name
* you need to have the Habari source files online and publicly accessible
* you need to have no config.php file

If those four things are true, the attacker can use the db_prefix
field of the Habari installer to execute arbitrary SQL code.

This may seem esoteric, and of small consequence, but the Habari team
prides itself on taking security seriously. We would hate for any
users to experience any problems as a result of a vulnerability in our
code, no matter how much of an outlier we might think an attack is.

We believe that the following condition will fix the problem:

    isset( $_POST['table_prefix'] )
        && ( preg_replace( '%[^a-zA-Z_]%', '', $_POST['table_prefix'] ) == $_POST['table_prefix'] )

This restricts the db_prefix variable to permitting only alphanumeric
characters from the English alphabet: the pattern strips everything
else, and the prefix is accepted only if nothing was stripped. It goes
on line 92 of databasehandler.php, inside the "if", if you want to
patch your copy yourself.

That fix will be added to the databasehandler.php file, and we'll
prepare for a Habari 0.6.2 release. Our release guidelines state that
we wait 48 hours after fixing a bug before releasing, to make sure
folks in different time zones have an opportunity to review and test
the proposed fix(es). If no new problems are introduced as a result of
this fix, 0.6.2 will be packaged and released on Friday, May 22.

Please note that this is a TEMPORARY fix. 0.7 will include a more
robust fix that will be unicode-safe. Users who need unicode
characters in their db_prefix with 0.6.2 and below can manually insert
them into the config.php file.
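The 0.6.2 whitelist check above, and the unicode-safe direction mentioned for 0.7, side by side as an added example (this is not Habari's own code, and the unicode variant is an assumption about the approach, not the project's actual 0.7 fix):

```php
<?php
// Added example, not Habari's code. Both functions reject any prefix that
// contains characters able to terminate an identifier or a statement, so
// the value can be spliced into SQL as a table-name prefix.

// The 0.6.2 check from the post, as a function: strip every character
// outside [a-zA-Z_]; if anything was removed, reject. Note that this
// pattern also rejects digits, not only punctuation and whitespace.
function prefix_is_valid_ascii($prefix)
{
    if (!is_string($prefix)) {      // $_POST values can also be arrays
        return false;
    }
    // Strict comparison; for two strings it behaves like the post's ==.
    return preg_replace('%[^a-zA-Z_]%', '', $prefix) === $prefix;
}

// Assumed unicode-safe variant: letters and digits from any script plus
// underscore, and nothing else. Needs PCRE built with UTF-8 support.
function prefix_is_valid_unicode($prefix)
{
    if (!is_string($prefix)) {
        return false;
    }
    return preg_match('/^[\p{L}\p{N}_]*$/u', $prefix) === 1;
}

// Constructed sample inputs, including ones a filter must reject.
$samples = array(
    'habari_',            // accepted by both
    'blog2_',             // digits: rejected by 0.6.2, accepted by unicode variant
    'ブログ_',             // non-Latin letters: same
    "a'b",                // quote: rejected by both
    'a; b',               // semicolon/space: rejected by both
    'a`b',                // backtick: rejected by both
    array('habari_'),     // array instead of string: rejected by both
);

foreach ($samples as $prefix) {
    printf("%-16s ascii=%-6s unicode=%s\n",
        is_array($prefix) ? '(array)' : var_export($prefix, true),
        prefix_is_valid_ascii($prefix) ? 'ok' : 'REJECT',
        prefix_is_valid_unicode($prefix) ? 'ok' : 'REJECT');
}
```

Neither check decides whether an empty prefix is acceptable; that is left to the installer's own defaults, as in the original condition.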

People who have not yet installed Habari should feel confident doing
so, even with the 0.6.1 release. Please make sure that you perform the
installation process immediately after transferring the files to your
web host. Also note that you can prepare a config.php file manually
before you upload the Habari files to your host:
http://wiki.habariproject.org/en/Installation#Predefined_Configuration

The Habari team would like to thank Sebastian Bergmann for identifying
this flaw.

For more options, visit this group at http://groups.google.com/group/habari-dev