phpgroupware-developers

Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES


From: Jason Wies
Subject: Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES
Date: Thu, 3 Jul 2003 18:37:03 +0000
User-agent: Mutt/1.3.28i

The VFS patch isn't correct.  It's ok to have the files directory inside the
webroot as long as the admin is aware of the security problems and disables
scripts in the files directory.  Common examples are web hosting, content
management, and sharing files outside the company.  The attached patches:

- Set the default files path to be outside the webroot
- On the setup page, advise against using a files directory inside the webroot
- Link from the setup page to a document describing the security
recommendations for the location of the files directory.  The document
includes examples of proper Apache configuration when the files directory is
inside the webroot.

To apply:
cd phpgroupware-version
patch -p1 <../patch-version.diff
cvs remove filemanager/doc/INSTALL
cvs add phpgwapi/doc/vfs/INSTALL

Jason Wies

On Thu, Jul 03, 2003 at 06:15:32PM +1000, Dave Hall wrote:
> Hi all,
> 
> Please be aware there is a minor security advisory for phpgw.  See
> http://www.security-corporation.com/articles-20030702-005.html for more
> info.
> 
> There is also a vfs security patch.  This prevents the vfs path
> being in the document root, which has been exploited in other php based
> groupware suites.
> 
> We have fixed this in cvs for all branches (14, 16preRC and HEAD).  This
> affects all previous versions of phpgroupware.  We will be releasing
> packaged releases in about 12 hours.
> 
> Cheers
> 
> Dave

Attachment: patch-head.diff
Description: Text document

Attachment: patch-0.9.16.diff
Description: Text document

Attachment: patch-0.9.14.diff
Description: Text document
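
Both messages turn on whether the files directory sits inside the webroot. The following is an added example, not part of the thread or of phpGroupWare's code, showing how a deployment check can decide that without being fooled by symlinks or shared path prefixes. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile


def _under(root: str, path: str) -> bool:
    # commonpath compares whole path components, so /srv/www-files is not
    # mistaken for a child of /srv/www the way a startswith() test would be.
    return os.path.commonpath([root, path]) == root


def files_dir_in_webroot(webroot: str, files_dir: str) -> bool:
    """True if files_dir lies in webroot by its literal or symlink-resolved path."""
    # Literal path: a symlink placed inside the webroot is still served when
    # the web server follows symlinks, wherever it points.
    lexical = _under(os.path.abspath(webroot), os.path.abspath(files_dir))
    # Resolved path: a path outside the webroot may be a symlink back into it.
    resolved = _under(os.path.realpath(webroot), os.path.realpath(files_dir))
    return lexical or resolved


def demo() -> dict:
    """Classify candidate files directories in a constructed temporary layout."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")                     # assumed webroot
    inside = os.path.join(www, "phpgroupware", "files")
    os.makedirs(inside)
    for name in ("www-files", "data", "store"):
        os.makedirs(os.path.join(base, name))
    os.symlink(inside, os.path.join(base, "data", "link"))
    os.symlink(os.path.join(base, "store"), os.path.join(www, "uploads"))
    candidates = {
        "inside": inside,
        "prefix-sibling": os.path.join(base, "www-files"),
        "outside": os.path.join(base, "data"),
        "symlink-into-webroot": os.path.join(base, "data", "link"),
        "symlink-inside-webroot": os.path.join(www, "uploads"),
    }
    return {k: files_dir_in_webroot(www, v) for k, v in candidates.items()}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:24} {'INSIDE webroot' if flagged else 'outside webroot'}")
```

A path check of this kind only covers the configured directory; an outside directory exposed through a web server alias or through a symlink elsewhere in the webroot has to be found by reviewing the server configuration.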

