Security issues, Remote Command Execution Vulnerability #1011
Comments
|
Is this a vulnerability we need to worry about?
*Branden Wagner*
PureIntellect.Com
branden@pureintellect.com
<http://www.pureintellect.com/>
…On Tue, Jul 25, 2017 at 2:41 AM, 王一航 ***@***.***> wrote:
A hacker can get demo.codiad.com server privileges through this vulnerability. I have sent you an email about that, but did not receive a reply. For more details, please contact my mailbox.
|
|
Just wrote to your email.
|
The details have been sent to your email; if you have any questions, let's talk on Telegram :D
|
Looks like our email is dead...
|
And thanks to @WangYihang for reporting this.
|
Anyhow, the demo project also needs to be updated :)
|
Yes, I was thinking of patching the file. Do you know how to update the whole code base in a semi-automated way?
What is the current version? The demo is 2.6.0, right?
Thanks
|
|
By the way, I tested third parties' online Codiad applications yesterday, and they all have this problem, and I think we should inform them of this vulnerability as soon as possible.
Here's a URL I tested, Bitnami's online Codiad application:
https://bitnami.com/stack/codiad
and so on...
|
|
Definitely. I'll try to report the CVE and prepare an email template to send to them. Sadly, tonight is the soonest. Could someone do it sooner?
|
|
In my opinion, updating the PHP application from within PHP is dangerous, because you must give it the privilege to write files on the server. If an attacker knows that, they may be able to write any code onto the server and then control the server. I suggest that we write a simple shell script to do the simple update work instead of auto-update.
The version on Bitnami is 2.8.1-0
[image: inline image 2]
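The alternative argued for above, an update done by a shell script run as a separate deploy user rather than by the PHP application itself, as an added example that is not Codiad's code and not from anyone in this thread. It assumes a release layout of its own (a releases/<version> directory per version, a current symlink the docroot points at, and a separate data directory that is the only place the web-server user may write); Codiad's actual directory layout is not described on this page, so those paths are hypothetical. The point it demonstrates is the one the comment makes: when the web-server user has no write access to the code tree, an application bug cannot be turned into writing PHP into the docroot.

```bash
#!/usr/bin/env bash
# Added example, not Codiad's code. Deploy-user update model: the web-server
# user never owns or writes the code tree, so a bug in the app cannot be
# turned into "write PHP into the docroot".
# Assumed layout (hypothetical, not Codiad's actual layout):
#   $app_root/releases/<version>/  code, owned by the deploy user, read-only to others
#   $app_root/current              symlink the web server's docroot points at
#   $app_root/data/                the only tree the web-server user may write to
set -eu

# Unpack a release tarball into releases/<version>, strip every group/other
# write bit from the code, then switch the "current" symlink to it.
install_release() {
    app_root=$1
    version=$2
    tarball=$3
    target="$app_root/releases/$version"
    mkdir -p "$target" "$app_root/data"
    tar -xzf "$tarball" -C "$target"
    # code must not be writable by anyone but the deploy user running this script
    chmod -R go-w "$target"
    # -n: treat an existing "current" symlink as the link itself, not as the
    # directory it points to; -f: replace it
    ln -sfn "releases/$version" "$app_root/current"
}

# List code files under $1 that are writable by group or other. The web-server
# user should have no write access here; an empty result is the desired state.
writable_code_files() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \)
}

# Pre-update check an operator would run: returns 1 and lists the offenders
# if any code file is writable by group/other, 0 otherwise.
check_code_tree() {
    if [ -n "$(writable_code_files "$1")" ]; then
        echo "writable code files found under $1:" >&2
        writable_code_files "$1" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed release: a tarball whose index.php is world-writable
# (the state an in-app updater would need) ends up read-only after install.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/src"
printf '<?php echo "hello";\n' > "$demo_root/src/index.php"
chmod 666 "$demo_root/src/index.php"
tar -czf "$demo_root/release.tgz" -C "$demo_root/src" .
install_release "$demo_root/app" "2.8.4" "$demo_root/release.tgz"
check_code_tree "$demo_root/app/releases" && echo "code tree read-only for web user: OK"
```

Run it as the deploy user, not as the web-server user; the web server then only needs read access to current/ and write access to data/, and the update path never passes through the application's own request handlers.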
|
|
I was thinking of patching manually to start with.
|
|
OK, the demo server is patched. I have applied for the CVE; if it gets accepted, I will post it here.
|
OK, I see. Thank you very much!
I used Google to find them, but I only tested Codiad on Bitnami.
Here is the list:
https://bitnami.com/stack/codiad
https://engisphere.net/codiad/
http://www.softaculous.com/softaculous/demos/Codiad (redirected to demo.codiad.com)
https://www.fastcomet.com/codiad-demo
https://www.1and1.co.uk/cloud-app-centre/codiad-download#apps
https://www.webhostface.com/codiad-hosting/
I just tested demo.codiad.com; the patch works well, I cannot enter the server any more. Good!
2017-07-27 5:59 GMT+08:00 Javi <notifications@github.com>:
… OK, the demo server is patched. I have applied for the CVE; if it gets accepted, I will post it here.
I will write to the Bitnami people. If you know of other companies using Codiad, please write to them or send me their contact emails.
|
|
Hi, Bitnami developer here. Thanks for posting the info. We are working on releasing a new Codiad version, 2.8.4, today and we will publish a blog post as soon as you have a CVE assigned.
|
Fine, thank you very much.
|
|
Version 2.8.4 is already published in Bitnami.
|
Hello, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11366
|
Cool! Thank you very much.
… Hello,
we have finally received a CVE for this.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11366
|
A hacker can get demo.codiad.com server privileges through this vulnerability. I have sent you an email about that, but did not receive a reply. For more details, please contact my mailbox.