Phillip Pearson - Second p0st

tech notes and web hackery from the guy that brought you bzero, python community server, the blogging ecosystem, the new zealand coffee review and the internet topic exchange

2007-11-12

PeopleAggregator security advisory for CVE-2007-5631

A security vulnerability was recently discovered in PeopleAggregator and given the NIST ID CVE-2007-5631.

It's quite serious, allowing code injection, but it is only a problem if you are running PA on a server with PHP's register_globals directive turned on. This directive is turned OFF on all Broadband Mechanics servers, so if you are hosting with us, you aren't in any danger. It's also off by default on most modern Linux distributions, so generally if you're running PHP5 you're probably OK.

I've seen shared hosts with it turned on, though, so it's quite possible that there are some exploitable PA installs out there. PeopleAggregator throws up a big red-lettered warning if you attempt to install with register_globals on, but it will continue to run if you ignore the warning. The exploit will also still work if you upload PA but don't configure it, so if you hit the warning and then went away without deleting PA from your server, you're still vulnerable.

So, if you're running PA on a host which has register_globals turned on (or you don't know that it's definitely turned off), please upgrade to v1.2pre6+1, the security fix for v1.2pre6. v1.2pre7, which also includes the fixes, plus some extra hardening, will be coming out soon, but please don't wait :)
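If you don't know whether register_globals is definitely off, the configuration files can be checked directly. The script below is an added example, not part of PeopleAggregator or the original advisory: it reads php.ini and Apache/.htaccess text and reports every place register_globals is set. The sample inputs are constructed, and it assumes the last setting in a file is the one that takes effect.

```python
import re
import sys

# Values PHP's boolean ini parser treats as true; anything else counts as off.
TRUE_VALUES = {"1", "on", "true", "yes"}
# php.ini form:            register_globals = On
INI_RE = re.compile(r"^\s*register_globals\s*=\s*([^;\s]*)", re.I)
# Apache / .htaccess form: php_flag register_globals on (also php_value, php_admin_*)
APACHE_RE = re.compile(
    r"^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+(\S+)", re.I)


def find_register_globals(text):
    """Return [(line_no, enabled)] for every register_globals setting in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):  # ini / Apache comment lines
            continue
        m = INI_RE.match(line) or APACHE_RE.match(line)
        if m:
            value = m.group(1).strip("\"'").lower()
            hits.append((no, value in TRUE_VALUES))
    return hits


def effective(text):
    """Assumption: the last setting in a file wins. None = not set in this file."""
    hits = find_register_globals(text)
    return hits[-1][1] if hits else None


# Constructed sample inputs (not taken from any real server).
SAMPLE_PHP_INI = """\
; register_globals = On   (commented out, so ignored)
register_globals = Off
"""
SAMPLE_HTACCESS = """\
# per-directory override of the kind a shared host may allow
php_flag register_globals on
"""

if __name__ == "__main__":
    inputs = {"sample php.ini": SAMPLE_PHP_INI, "sample .htaccess": SAMPLE_HTACCESS}
    for path in sys.argv[1:]:  # optionally also scan real files given as arguments
        with open(path, errors="replace") as fh:
            inputs[path] = fh.read()
    labels = {True: "ON (upgrade PA or turn it off)", False: "off", None: "not set here"}
    for name, text in inputs.items():
        print(f"{name}: register_globals {labels[effective(text)]}")
```

This is a static check of individual files: a per-directory .htaccess setting can override php.ini, so confirm the value PHP actually uses with phpinfo() requested through the web server.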

As always, the code is available at update.peopleaggregator.org.

Vulnerable versions are v1.2pre6-release-53 and anything earlier, and the fixed version is v1.2pre6-release-55.

Postscript: No thanks to the discoverer of this vulnerability, who went ahead and posted it publicly without informing us.
