Security issues, Remote Command Execution Vulnerability #1011
Comments
Is this a vulnerability we need to worry about?
*Branden Wagner*
PureIntellect.Com
branden@pureintellect.com
<http://www.pureintellect.com/>
On Tue, Jul 25, 2017 at 2:41 AM, 王一航 ***@***.***> wrote:
A hacker can get demo.codiad.com server privileges through this vulnerability. I
have sent you an email about it but did not receive a reply. For more
details, please contact me at my mailbox.
|
Just wrote to your email. |
The details have been sent to your email. If you have any questions, let's talk on Telegram :D |
Looks like our email is dead... |
And thanks to @WangYihang for reporting this. |
Anyhow, the demo project also needs to be updated :) |
Yes, I was thinking of patching the file. Do you know how to update the whole code in a semi-automated way?
What is the current version? The demo is 2.6.0, right?
Thanks
|
By the way, I tested the online Codiad applications offered by third parties
yesterday, and they all have this problem,
and I think we should inform them of this vulnerability as soon as
possible.
Here is the URL of Bitnami's online Codiad application that I tested:
https://bitnami.com/stack/codiad
and so on...
|
Definitely. I'll try to report the CVE and prepare an email template for sending to them. Sadly tonight the soonest. Could someone do it sooner?
|
In my opinion, updating the PHP application from within PHP is dangerous,
because you must give write privileges on the server's files;
if an attacker knows that, they may be able to write any code on the server
and then control the server.
I suggest that we write a simple shell script to do the simple update
work
instead of auto-update.
The version on Bitnami is 2.8.1-0
|
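The comment above argues that letting the web application rewrite its own code means the web server account must be able to write application files, and that an attacker who reaches the server can then drop arbitrary PHP. The script below is an added example (not the Codiad project's code and not posted in this thread) of the layout that keeps that risk down: application code is made read-only and only the runtime data directories stay writable, followed by a check that lists anything still writable outside those directories. The directory names `workspace` and `data` are assumptions standing in for whatever a given install actually needs to write to.

```shell
#!/bin/sh
# Added example, not from the Codiad project or this issue thread.
# harden_tree: strip write permission from the whole application tree, then
# restore it only on the runtime data directories (assumed here to be
# workspace/ and data/; adjust to match the install).
# writable_code_paths: report every path outside those directories that still
# has the owner write bit set, i.e. code the web server account could modify.
set -eu

harden_tree() {
  root="$1"
  # Remove write permission from every file and directory under the app root.
  chmod -R a-w "$root"
  # Give write access back only where the application needs it at run time.
  for d in workspace data; do
    if [ -d "$root/$d" ]; then
      chmod -R u+w "$root/$d"
    fi
  done
}

# Print writable files and directories under $root, skipping the data
# directories. No output means the web server cannot modify application code;
# any line printed is a finding to investigate.
writable_code_paths() {
  root="$1"
  find "$root" \( -path "$root/workspace" -o -path "$root/data" \) -prune -o \
       -perm -200 -print
}

# Usage (paths are an assumption for illustration):
#   harden_tree /var/www/codiad
#   writable_code_paths /var/www/codiad
```

Run the check on a schedule or after every deployment: if a self-update, a plugin install or a careless `chmod` has made code writable again, the list will show it. Note that `-perm -200` tests the permission bits, not the effective access of the user running the check, so it gives the same answer whether run as root or as the web server account.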
I was thinking of patching manually to start with.
|
OK, the demo server is patched. I have applied for the CVE; if it gets accepted, I will post it here. |
OK, I see. Thank you very much!
I used Google to find them, but I only tested Codiad on Bitnami.
Here is the list :
https://bitnami.com/stack/codiad
https://engisphere.net/codiad/
http://www.softaculous.com/softaculous/demos/Codiad (redirected to
demo.codiad.com)
https://www.fastcomet.com/codiad-demo
https://www.1and1.co.uk/cloud-app-centre/codiad-download#apps
https://www.webhostface.com/codiad-hosting/
Just now I tested demo.codiad.com; the patch works well, I cannot enter the
server any more. Good!
2017-07-27 5:59 GMT+08:00 Javi <notifications@github.com>:
… OK, the demo server is patched. I have applied for the CVE; if it gets
accepted, I will post it here.
I will write to the bitnami people. If you know of other companies using
codiad, please write them or send me their contact emails.
|
Hi, Bitnami developer here. Thanks for posting the info. We are working on releasing a new Codiad version 2.8.4 today and we will publish a blog post as soon as you have a CVE assigned. |
Fine, thank you very much 😊
|
The version 2.8.4 is already published in Bitnami. |
Hello, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11366 |
Cool! Thank you very much 😘
2017-08-24 1:55 GMT+08:00 Javi <notifications@github.com>:
… Hello,
we have finally received a CVE for this.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11366
|