Summary: | [Chameleon - Core] security audit | ||
---|---|---|---|
Product: | Chameleon | Reporter: | Paul Spencer <pspencer@dmsolutions.ca> |
Component: | Core | Assignee: | Paul Spencer <pspencer@dmsolutions.ca> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | ||
Priority: | P1 | ||
Version: | 1.99 | ||
Target Milestone: | 2.0 RC 1 | ||
Hardware: | PC | ||
OS: | Linux | ||
Whiteboard: |
should be done for RC1.
initial thoughts:

* anything that allows a user to upload to the server:
  - UploadContext
  - UploadSLD
* anything that allows a user to download from the server:
  - all Download widgets, Extract widgets, PrintManager
* cwc2
* any attributes that can refer to remote files
* any code that calls exec, passthru, system etc
* any reference to a local or remote file
* review/google for known php vulnerabilities
* session code including session fixation
Please no more details about security issues in this bugzilla or public mailing lists.
this is being tracked internally now.