Summary | Upgrade Documentation about.php |
Queue | Horde Framework Packages |
Queue Version | FRAMEWORK_3 |
Type | Enhancement |
State | Rejected |
Priority | 3. High |
Owners | |
Requester | info (at) lintecsa (dot) com |
Created | 07/03/2006 (6960 days ago) |
Due | |
Updated | 07/05/2006 (6958 days ago) |
Assigned | |
Resolved | 07/05/2006 (6958 days ago) |
Milestone | |
Patch | No |
"index.php" had its name changed to "about.php". But its content is
the same
Horde install, but from a former exploit. They moved the old
vulnerable index.php to about.php, very tricky!
This file is obsolete in Horde 3.1.1 - If you do an upgrade from
former versions by just overwriting the directory, the file about.php
remains and opens Horde to exploits. Version 3.1.1 fixed the remote
code execution vulnerability in the help viewer, but if about.php
doesn't get deleted the vulnerability still exists. Therefore I
recommend mentioning this risk in docs/UPGRADING or, even better, patching
about.php to make it unusable.
State ⇒ Feedback
Priority ⇒ 3. High
Type ⇒ Enhancement
Summary ⇒ Upgrade Documentation about.php
Queue ⇒ Horde Framework Packages
State ⇒ New
wouldn't be deleted or modified. This file is nothing but a dangerous
leftover that is no longer needed in Horde 3.1.1: I would recommend
advising in the update notes or overwriting about.php in the updated
version.
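
The leftover-file condition reported in this ticket can be checked after an overwrite-style upgrade by comparing the installed tree against a freshly unpacked copy of the release. The shell sketch below is an added example, not part of the ticket or of Horde; the two directory arguments are supplied by the administrator, and the tree built in `demo` is constructed sample data.

```shell
#!/bin/sh
# Added example: list PHP files that exist in an installed tree but are
# absent from the pristine release tree it was upgraded to. Such files
# survive an upgrade done by unpacking over the old directory.

# list_php DIR: relative paths of every .php file under DIR, sorted.
list_php() {
    ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort )
}

# stale_php RELEASE_DIR INSTALL_DIR: print files found only in INSTALL_DIR.
# Locally created files (for example generated configuration) are listed
# too, so every line of output needs a manual decision: keep or delete.
stale_php() {
    rel=$(mktemp) && inst=$(mktemp) || return 1
    list_php "$1" > "$rel"
    list_php "$2" > "$inst"
    # comm -13 keeps only lines unique to the second (installed) list.
    LC_ALL=C comm -13 "$rel" "$inst"
    rm -f "$rel" "$inst"
}

# demo: constructed sample trees (not the real Horde layout). The install
# keeps an about.php that the newer release no longer ships, plus a
# locally generated config file.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/release" "$tmp/install/config"
    : > "$tmp/release/index.php"
    : > "$tmp/release/login.php"
    : > "$tmp/install/index.php"
    : > "$tmp/install/login.php"
    : > "$tmp/install/about.php"
    : > "$tmp/install/config/conf.php"
    stale_php "$tmp/release" "$tmp/install"
    rm -rf "$tmp"
}

# Usage: script RELEASE_DIR INSTALL_DIR; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then
    stale_php "$1" "$2"
else
    demo
fi
```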