Monday, September 13, 2004

Chora already fixed

Jan reported that Chora has already been fixed for three months.


First of all, let me apologize. I didn't want to hurt Horde or anyone else, and if you found my posting confusing, well, I was confused, and not just a little...


That weekend my server was cracked again, and ctorrent was installed to burn my traffic (from the same network 210.5.125.*).


I doubt that the announcement Jan posted helped much, because how come apparently every script kiddie knew about the vulnerability but Chora users did not (at least I didn't know, and I saw a lot of Chora 1.2 installations out there)?


If I had found a note on Chora's homepage, I think I wouldn't have posted such a panicked reaction.


So, sorry once again, and I hope that this was, at least, a lesson to every one of us...

Sunday, September 12, 2004

HORDE::Chora major vulnerability

If you're running Horde's Chora 1.2, you should immediately upgrade your Horde installation or temporarily disable CVS access through HTTP.


Unfiltered $_GET as shell argument
At a quick glance, scripts like diff.php seem to use unfiltered $_GET parameters as shell command arguments, which will allow any remote user to execute any command as the web server user.


A request like http://cvs.your.host/... will reveal the process list of the machine.
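The bug class described above, shown next to a hardened form, as an added example that is not Chora's code and not part of the original post. The parameter names (r1, r2, file), the rcsdiff command line and the repository path are assumptions made for illustration; the script only builds and prints command strings and never runs them.

```php
<?php
// Added illustration, not Chora's source. The parameter names (r1, r2, file),
// the rcsdiff command line and the repository path are assumptions.

// Vulnerable pattern: request values are pasted straight into the command
// string, so shell metacharacters in a value become part of the command.
function build_diff_cmd_unsafe(array $get): string
{
    return 'rcsdiff -r' . $get['r1'] . ' -r' . $get['r2'] . ' ' . $get['file'];
}

// Hardened pattern: allowlist-validate every value, then quote each argument.
function build_diff_cmd_safe(array $get, string $repoRoot): ?string
{
    foreach (['r1', 'r2', 'file'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null;
        }
    }
    // Revisions are dot-separated integers such as 1.4 or 1.2.2.1.
    foreach (['r1', 'r2'] as $key) {
        if (!preg_match('/\A\d+(\.\d+)+\z/', $get[$key])) {
            return null;
        }
    }
    // Relative path only: no leading "/", "-" or ".", and no ".." anywhere.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.\/-]*\z/', $get['file'])
        || strpos($get['file'], '..') !== false) {
        return null;
    }
    // Validation blocks option and path tricks; escapeshellarg() keeps each
    // value a single shell word even if a check above is loosened later.
    return 'rcsdiff ' . escapeshellarg('-r' . $get['r1'])
        . ' ' . escapeshellarg('-r' . $get['r2'])
        . ' ' . escapeshellarg($repoRoot . '/' . $get['file']);
}

// Constructed sample requests: one well-formed, two hostile.
$constructed = [
    ['r1' => '1.1', 'r2' => '1.2', 'file' => 'lib/Foo.php'],
    ['r1' => '1.1', 'r2' => '1.2; echo INJECTED', 'file' => 'lib/Foo.php'],
    ['r1' => '1.1', 'r2' => '1.2', 'file' => '../../etc/passwd'],
];
foreach ($constructed as $get) {
    echo 'unsafe: ', build_diff_cmd_unsafe($get), "\n";
    echo 'safe:   ', build_diff_cmd_safe($get, '/var/cvs/example') ?? '(rejected)', "\n\n";
}
```

Rejecting the request outright when validation fails is deliberate: trying to strip bad characters and continue tends to leave bypasses, while a strict format check fails closed.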