From stanislav.ievlev at gmail.com Mon Jan 18 13:28:27 2010
From: stanislav.ievlev at gmail.com (Stanislav Ievlev)
Date: Mon, 18 Jan 2010 15:28:27 +0300
Subject: [Devel] Ulteo security problems
Message-ID:

Greetings!

Session manager has a "server_status" web service to update the status of machines in the pool. This web service doesn't perform any authentication of the client if the request's fqdn parameter is already registered in the internal database.

As a result anyone can mark any server from Ulteo's spool as turned off by sending an appropriate request to this web service.

--
With best regards
Stanislav Ievlev.

From laurent at ulteo.com Mon Jan 18 14:00:56 2010
From: laurent at ulteo.com (Laurent Clouet)
Date: Mon, 18 Jan 2010 14:00:56 +0100
Subject: [Devel] Ulteo security problems
In-Reply-To:
References:
Message-ID: <4B545B88.7010702@ulteo.com>

Hello

You're right. Here is the patch to fix it (http://mailman.ulteo.com/pipermail/ovd-commits/2010-January/002443.html):

---
Index: webservices/server_status.php
===================================================================
--- webservices/server_status.php (r?vision 2445)
+++ webservices/server_status.php (copie de travail)
@@ -78,8 +78,13 @@ Logger::error('main', '(webservices/server_status) Server not OK : \''.$_GET['fqdn'].'\''); die('Server not OK'); } -} else +} else { $buf = Abstract_Server::load($_GET['fqdn']); + if (! $buf->isAuthorized()) { + Logger::error('main', '(webservices/server_status) Server not authorized : \''.$_GET['fqdn'].'\' == \''. at gethostbyname($_GET['fqdn']).'\' ?'); + die('Server not authorized'); + } +} $buf->setStatus($_GET['status']);
---

It will be in the next release. I'll check the other web services in case we missed more security checks.

Thanks for the report :)

Best regards
Laurent Clouet

Stanislav Ievlev wrote:
> Greetings!
>
> Session manager has a "server_status" web service to update the status of
> machines in the pool. This web service doesn't perform any
> authentication of the client if the request's fqdn parameter is already
> registered in the internal database.
>
> As a result anyone can mark any server from Ulteo's spool as turned
> off by sending an appropriate request to this web service.
>
> --
> With best regards
> Stanislav Ievlev.
> _______________________________________________
> Devel mailing list
> Devel at ulteo.com
> http://mailman.ulteo.com/cgi-bin/listinfo/devel
>
>

--
MSN: laurent at ulteo.com
IRC: LaurentClouet on irc.freenode.net
Skype: laurent_clouet (no audio)
EMail: laurent at ulteo.com

From stanislav.ievlev at gmail.com Mon Jan 18 17:03:14 2010
From: stanislav.ievlev at gmail.com (Stanislav Ievlev)
Date: Mon, 18 Jan 2010 19:03:14 +0300
Subject: [Devel] bashism in script
Message-ID:

Greetings!

You have a bash-specific instruction in the /etc/xdg/ulteo/xinitrc file. If /bin/sh is /bin/dash then this executable will not work correctly in portal mode. Please replace

[ "$NODESKTOP" == "1" ]

with the more correct instruction

[ "$NODESKTOP" = "1" ] .

--
With best regards
Stanislav Ievlev.

From stanislav.ievlev at gmail.com Fri Jan 29 17:06:19 2010
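Review bot: The new isAuthorized() check is added only in the else branch of the server_status hunk; the branch above it, which ends with the 'Server not OK' check, also falls through to $buf->setStatus($_GET['status']), and the hunk does not show whether that branch validates the caller, so confirm that it does, otherwise the unauthenticated path the report describes survives there. Two smaller points on the same hunk: PHP's gethostbyname() returns the hostname unchanged when resolution fails, and with the warning silenced by '@' a failed lookup logs 'fqdn' == 'fqdn' ?, which hides the real cause, so logging the address the check actually compared against would be more useful; and if isAuthorized() works by comparing a DNS lookup of the caller-supplied fqdn with the request's source address, as the log line suggests, the protection is only as strong as DNS and the network path between the servers, whereas a per-server shared secret or TLS client certificate would not depend on either.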
From: stanislav.ievlev at gmail.com (Stanislav Ievlev)
Date: Fri, 29 Jan 2010 19:06:19 +0300
Subject: [Devel] [patch] localization issues
Message-ID:

Greetings!

There are patches for the 2.0 branch to fix some localization problems.

0001-Administration-interface-add-support-for-Russian.patch - add support for the Russian language in the administration interface.
0002-add-missing-gettext-calls.patch - some messages in Ulteo are still not localized.

--
With best regards
Stanislav Ievlev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Administration-interface-add-support-for-Russian.patch
Type: application/octet-stream
Size: 1889 bytes
Desc: not available
Url : http://mailman.ulteo.com/pipermail/devel/attachments/20100129/83fb56fd/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-add-missing-gettext-calls.patch
Type: application/octet-stream
Size: 2486 bytes
Desc: not available
Url : http://mailman.ulteo.com/pipermail/devel/attachments/20100129/83fb56fd/attachment-0001.obj