| ../irclogs/#mantishelp.2010-01-05.log | | |
|---|---|---|
| --- scribe started --- | | 00:00 |
| CIA-27 | Mantisbt: hickseydr * r45771c634045 /bug_file_add.php: Fix #11326: Don't show form security token error for oversized uploads | 08:46 |
| CIA-27 | Mantisbt: hickseydr master-1.2.x * r67762d7e93d7 /bug_file_add.php: Fix #11326: Don't show form security token error for oversized uploads | 08:46 |
| CIA-27 | Mantisbt: hickseydr * rb50a52a4963c / (3 files in 2 dirs): Issue #11291: Add X-Sendfile support for high performance file downloads | 08:46 |
| paul_____ | yay for more config entries :) | 09:01 |
| dhx_m | more and more :) | 09:14 |
| dhx_m | btw what web server do you run? | 09:14 |
| dhx_m | I'd love to get some feedback on X-Sendfile :) | 09:14 |
| dhx_m | I've only tested with Lighttpd 1.4.x so far | 09:14 |
| dhx_m | also are large attachments working OK for you (when stored on the disk)? | 09:15 |
| dhx_m | I think a lot of people may be confused with the VERY buggy attachment handling pre-RC2 | 09:16 |
| dhx_m | and even post-RC2 | 09:16 |
| dhx_m | a lot of things have been fixed since then | 09:16 |
| dhx_m | doh those should be global options | 09:21 |
| dhx_m | oh _file covers it :) | 09:22 |
| dhx_m | maybe | 09:22 |
| dhx_m | grrr | 10:30 |
| dhx_m | why does the order of $g_global_settings matter so much... when I reorder it I get Fatal error: Call to undefined function auth_is_user_authenticated() in /var/www/localhost/htdocs/mantis-git/core/config_api.php on line 84 | 10:30 |
| dhx_m | oh config_api depends upon auth_api | 10:38 |
| dhx_m | and at that point, auth_api hasn't been loaded yet | 10:38 |
| dhx_m | paul_____: what exactly was the reasoning for removing the require_once() calls from the head of each API file? | 10:38 |
| dhx_m | paul_____: oops my bad, all you did was remove absolute paths :) | 10:39 |
| paul_____ | dhx_m: IIS | 11:21 |
| dhx_m | I'm not so sure I like requiring everything in core.php | 11:21 |
| dhx_m | rather than placing those calls in the individual files using each API | 11:22 |
| paul_____ | well | 11:22 |
| paul_____ | as we implement classes, should be less of an issue | 11:22 |
| dhx_m | yep | 11:22 |
| paul_____ | atm, having it in core api is fine | 11:22 |
| paul_____ | (as most of our apis are so interlinked) | 11:23 |
| dhx_m | do we have an up-to-date doxygen site? | 11:23 |
| paul_____ | of source code? | 11:23 |
| dhx_m | well it'd be nice if we had a way to keep track of coupling between different APIs | 11:23 |
| paul_____ | that's easy | 11:23 |
| paul_____ | draw a grid of each api | 11:23 |
| paul_____ | erm | 11:24 |
| paul_____ | sorry, draw a box containing each api file | 11:24 |
| paul_____ | draw a line between each box | 11:24 |
| dhx_m | automatically? :p | 11:24 |
| dhx_m | and not assuming that every box is connected maximally to every other box :p | 11:24 |
| paul_____ | anyway, atm we have too much coupling | 11:28 |
| dhx_m | it's hard not to though | 11:29 |
| dhx_m | everything uses config_api, user_api and the other common things | 11:29 |
| dhx_m | even though you may want to be using user_api separately without any notion of config_api | 11:29 |
| dhx_m | I guess it can be worked out by constructors passing in most of the options, or whatever | 11:32 |
| paul_____ | in terms of the config commit for thingie | 11:35 |
| paul_____ | erm | 11:35 |
| paul_____ | x-sendfile | 11:35 |
| paul_____ | tbh, i'd probably have rather seen a turn on/off switch | 11:35 |
| paul_____ | and us to add supported webservers based on SERVER API | 11:36 |
| paul_____ | (or if it's functionality enabled by default (in lighttpd), just use it | 11:36 |
| dhx_m | it often requires a user to configure their web server to specify which directories can use X-Sendfile | 11:38 |
| dhx_m | I was thinking of the approach you mentioned | 11:38 |
| dhx_m | but thought it was a little complex at the moment for what we'd be using it for | 11:38 |
| mantisbt_96789 | test | 12:51 |
| setuid | uh oh | 12:55 |
| setuid | 67.78.13.254 bugs.gnu-designs.com - - [05/Jan/2010:05:53:42 -0500] "GET /manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3649 "-" "-" | 12:55 |
| setuid | Rooted using a hole in Mantis twice in 2 weeks | 12:55 |
| setuid | Just found it | 12:56 |
| dhx_m | setuid: please upgrade, it was fixed in v1.1.4 of MantisBT (a long time ago) according to http://secunia.com/advisories/32314/2/ | 12:59 |
| dhx_m | also see http://www.mantisbt.org/bugs/view.php?id=9704 | 13:00 |
| setuid | This is what they ran on our server, using that hole: http://pastebin.com/d670f57d7 | 13:02 |
| dhx_m | you must be using old software everywhere if you got rooted like that | 13:03 |
| setuid | Nope, everything is current... except apparently Mantis | 13:04 |
| dhx_m | ah so they didn't root your server then? | 13:04 |
| setuid | Sure did | 13:04 |
| dhx_m | as in, uid=0 root? | 13:05 |
| setuid | They rooted it last week and again this morning. | 13:05 |
| setuid | Look at the output at that pastebin | 13:05 |
| dhx_m | it doesn't mean that it worked | 13:05 |
| setuid | Odd thing is, www-data has no valid shell (it's /bin/false), and a /var/www/.bash_history was created, containing those commands. | 13:05 |
| dhx_m | most "hacks" will be automatically scripted so it doesn't (and often can't) verify the response of previous commands | 13:05 |
| setuid | They exposed the root mysql password, in the original output... | 13:06 |
| setuid | Yes, I don't "know" if it worked, I'm trying to figure that out now | 13:06 |
| setuid | But Debian doesn't checksum their files, so I can't verify current checksum against the ones packaged in the original .debs | 13:06 |
| dhx_m | oh yeah, most people don't treat their root mysql password with enough care :( | 13:06 |
| setuid | I have backups and backups of my backups, on a daily and hourly basis, so rolling back any data that may have been modified should be easy, except the OS itself | 13:07 |
| dhx_m | although.... MySQL should be running as mysql:mysql with limited permissions... | 13:07 |
| dhx_m | if I were you, I'd be more concerned about how they managed to get root | 13:07 |
| dhx_m | from a remote PHP execution bug | 13:08 |
| dhx_m | ohhh | 13:08 |
| dhx_m | it looks like you share a common MySQL and server root password? | 13:08 |
| dhx_m | very bad idea if that's the case | 13:09 |
| setuid | Default debian setup, unfortunately, but one I will be fixing | 13:09 |
| dhx_m | Debian does that by default? :o | 13:10 |
| setuid | Back shortly, have to see my daughter at school | 13:10 |
| dhx_m | ok, hope you can sort things out :) | 13:10 |
| paul_____ | that's the in_array bug? | 13:10 |
| dhx_m | multi_sort function... and how it uses create_function() | 13:12 |
| dhx_m | `$t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['" . $p_key . "'], \$b['" . $p_key . "'] );" );` | 13:12 |
| dhx_m | where $p_key is a user supplied string | 13:12 |
| dhx_m | surely there has to be a better way? | 13:12 |
| paul_____ | dunno, the fixed version is safe though I believe | 13:13 |
| dhx_m | it checks the user supplied input to see if $p_key already exists | 13:13 |
| dhx_m | still, the function is absolutely horrible from my POV | 13:14 |
| dhx_m | it assumes that the existing keys are safe and haven't been tampered with | 13:15 |
| dhx_m | so it becomes possible for someone to go from a relatively "meh" SQL injection attack | 13:15 |
| dhx_m | to remote PHP code execution (quite a lot more severe) | 13:15 |
| paul_____ | iirc, we fixed that | 13:16 |
| dhx_m | just inject bad project names | 13:16 |
| paul_____ | to check | 13:16 |
| dhx_m | oh well I'm off for now, cya later :) | 13:19 |
| setuid | Ok, anyone about? | 14:11 |
| setuid | I'm back... and trying to figure this out. | 14:11 |
| setuid | www-data, without a valid shell, was exploited through Mantis, to gain root and run commands | 14:12 |
| setuid | The question really is... was their attempt successful? | 14:12 |
| paul_____ | setuid: what version of mantis were you actually on? | 15:26 |
| setuid | I upgraded it, is there a way to check? I have backups. | 15:34 |
| paul_____ | constant_inc.php | 15:36 |
| paul_____ | but tbh, for someone to get root | 15:38 |
| paul_____ | from a php script | 15:38 |
| paul_____ | you'd need some other insecurity/misconfiguration | 15:38 |
| paul_____ | i'd have thought | 15:38 |
| paul_____ | i.e. if you can run commands as 'www-data', you can run an app, delete files owned by www-data etc, but unless you can view/run some root exploit, you're not going to 'get root privs' | 15:39 |
| paul_____ | for example, if you allow anyone to su root without a password for example | 15:40 |
| TTimo | hello | 15:53 |
| TTimo | we are using a fairly outdated release of mantis, and I am looking at the feature set in the latest release digging for some features that we might want to use | 15:55 |
| TTimo | most notably, we would like to be able to establish timelines, that is give either a duration or a deadline (e.g. fixed date) to a task, and be able to map that out onto a calendar using the dependencies hierarchy | 15:56 |
| TTimo | is that something mantis can do, or do you know addons or even unrelated software that can ? | 15:57 |
| setuid | paul_____, I don't see any version info in core/constant_inc.php | 15:59 |
| TTimo | anyone | 16:09 |
| TTimo | I suppose that hitting the DB schema myself I could feed that to a third party tool | 16:44 |
| kirillka | paul_____: around? | 17:14 |
| TTimo | another thing, can I easily do something like 'go through bugs flagged as immediate for a list of developers, and email a reminder if they haven't been updated in more than 2 business days' | 17:21 |
| kirillka | TTimo: what's verson? | 17:25 |
| kirillka | version* | 17:25 |
| TTimo | well some old 1.0 atm, but thats fine I just need to understand how feasible that is, we can migrate up | 17:25 |
| kirillka | paul_____: I think we need to create a captcha for posting... Too much spam in the forum, and I can delete this | 17:25 |
| kirillka | For 1.x.x see plugin reminder | 17:26 |
| TTimo | is there a list of plugins | 17:26 |
| TTimo | I was looking for that | 17:26 |
| kirillka | http://deboutv.free.fr/mantis/ | 17:26 |
| kirillka | http://deboutv.free.fr/mantis/plugin.php?plugin=Reminder | 17:26 |
| TTimo | interesting .. is there anything to manage implementation timelines / milestones / gantt charts in there ? | 17:27 |
| TTimo | why is there no plugin list on the main site, does this one gather all there is | 17:38 |
| g0rd0n | is it possible to merge two users in mantis? | 18:11 |
| moto-moi | g0rd0n: Not with Mantis itself, but with the right queries it would be possible | 18:15 |
| g0rd0n | :( | 19:06 |
| setuid | anyone about? | 20:12 |
| setuid | I'm developing a query to purge users who have a.) created an account, b.) logged in at least once, and c.) never created a bug or bugnote | 20:15 |
| setuid | Looks like this: `DELETE FROM u USING mantis_user_table u LEFT JOIN mantis_bug_table b ON u.id = b.reporter_id LEFT JOIN mantis_bugnote_table c ON u.id = c.reporter_id WHERE b.reporter_id IS NULL AND c.reporter_id IS NULL AND u.last_visit LIKE '%2009%';` | 20:15 |
| * paul_____ sighs | | 23:06 |
| paul_____ | reinstalling windows takes ages | 23:06 |