P4DB is a CGI based tool that provides a web-based interface to Perforce
source code repositories. It is third-party software, developed by an
individual and unsupported by Perforce. I believe it is in use internally
at a large number of organizations, and installations can also be found
on the public Internet.
The Problem:
P4DB is very bad about validating user input. This leads to a multitude of
vulnerabilities, the most dangerous being unfiltered input passed to shell
commands. This allows for individuals to run arbitrary commands on the
web server. Additionally, there are cross-site scripting issues throughout
the package.
The Fix:
The original developer of P4DB, Fredric Fredricson, appears to have dropped
off the Internet; he did not respond to inquiries made in late March, 2004.
The most recent release of P4DB was in 2001; he has submitted a multitude of
changes to the package source in the public Perforce repository (as recently
as March, 2004), but the security issues are still present in that code.
I have contacted Perforce about the problem; they suggest that people migrate
to P4Web, a free package that provides the same functionality, developed and
maintained by Perforce themselves:
Product: P4DB
URL: http://www.mydata.se/ftp/P4DB/
Version: P4DB v2.01 and earlier
Risk: Multiple vunlerabilities (high)
Description:
P4DB is a CGI based tool that provides a web-based interface to Perforce
source code repositories. It is third-party software, developed by an
individual and unsupported by Perforce. I believe it is in use internally
at a large number of organizations, and installations can also be found
on the public Internet.
The Problem:
P4DB is very bad about validating user input. This leads to a multitude of
vulnerabilities, the most dangerous being unfiltered input passed to shell
commands. This allows for individuals to run arbitrary commands on the
web server. Additionally, there are cross-site scripting issues throughout
the package.
The Fix:
The original developer of P4DB, Fredric Fredricson, appears to have dropped
off the Internet; he did not respond to inquiries made in late March, 2004.
The most recent release of P4DB was in 2001; he has submitted a multitude of
changes to the package source in the public Perforce repository (as recently
as March, 2004), but the security issues are still present in that code.
I have contacted Perforce about the problem; they suggest that people migrate
to P4Web, a free package that provides the same functionality, developed and
maintained by Perforce themselves:
http://www.perforce.com/perforce/products/p4web.html
Failing that, I've made a patch that fixes the security problems I've
identified. You can download it at:
http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt
However, given that it is essentially abandoned software, I strongly urge
you to migrate away from it.
-Jon
[ reply ]