Bug 870

Summary: [Chameleon - Core] security audit
Product: Chameleon
Reporter: Paul Spencer <pspencer@dmsolutions.ca>
Component: Core
Assignee: Paul Spencer <pspencer@dmsolutions.ca>
Status: RESOLVED WONTFIX
Severity: normal
Priority: P1
Version: 1.99
Target Milestone: 2.0 RC 1
Hardware: PC
OS: Linux
Whiteboard:

Description From 2004-11-24 15:53:36
Need to audit all chameleon code for security.
------- Comment #1 From 2004-11-24 15:54:20 -------
Should be done for RC1.
------- Comment #2 From 2004-11-24 15:58:18 -------
Initial thoughts:

* anything that allows a user to upload to the server:
- UploadContext
- UploadSLD

* anything that allows a user to download from the server:
- all Download widgets, Extract widgets, PrintManager

* cwc2

* any attributes that can refer to remote files

* any code that calls exec, passthru, system etc

* any reference to a local or remote file

* review/google for known php vulnerabilities

* session code including session fixation
------- Comment #3 From 2004-11-24 18:21:47 -------
Please no more details about security issues in this bugzilla or public mailing
lists.
------- Comment #4 From 2004-12-20 14:03:09 -------
This is being tracked internally now.