Back to list
Multiple vulnerabilities in P4DB
May 05 2004 07:32PM
Jon McClintock (jammer weak org)
Version: P4DB v2.01 and earlier
Risk: Multiple vunlerabilities (high)
P4DB is a CGI based tool that provides a web-based interface to Perforce
source code repositories. It is third-party software, developed by an
individual and unsupported by Perforce. I believe it is in use internally
at a large number of organizations, and installations can also be found
on the public Internet.
P4DB is very bad about validating user input. This leads to a multitude of
vulnerabilities, the most dangerous being unfiltered input passed to shell
commands. This allows for individuals to run arbitrary commands on the
web server. Additionally, there are cross-site scripting issues throughout
The original developer of P4DB, Fredric Fredricson, appears to have dropped
off the Internet; he did not respond to inquiries made in late March, 2004.
The most recent release of P4DB was in 2001; he has submitted a multitude of
changes to the package source in the public Perforce repository (as recently
as March, 2004), but the security issues are still present in that code.
I have contacted Perforce about the problem; they suggest that people migrate
to P4Web, a free package that provides the same functionality, developed and
maintained by Perforce themselves:
Failing that, I've made a patch that fixes the security problems I've
identified. You can download it at:
However, given that it is essentially abandoned software, I strongly urge
you to migrate away from it.
[ reply ]
Copyright 2010, SecurityFocus