Bug 870 – [Chameleon - Core] security audit

Bug 870 - [Chameleon - Core] security audit

Summary:

[Chameleon - Core] security audit

Status:	RESOLVED WONTFIX

Product:	Chameleon
Component:	Core
Version:	1.99
Platform:	PC Linux

Importance:	P1 normal
Target Milestone:	2.0 RC 1
Assigned To:	Paul Spencer

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2004-11-24 15:53 by Paul Spencer
Modified:	2004-12-20 14:03 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Paul Spencer 2004-11-24 15:53:36

Need to audit all chameleon code for security.

------- Comment #1 From Paul Spencer 2004-11-24 15:54:20 -------

should be done for RC1.

------- Comment #2 From Paul Spencer 2004-11-24 15:58:18 -------

initial thoughts:

* anything that allows a user to upload to the server:
- UploadContext
- UploadSLD

* anything that allows a user to download from the server:
- all Download widgets, Extract widgets, PrintManager

* cwc2

* any attributes that can refer to remote files

* any code that calls exec, passthru, system etc

* any reference to a local or remote file

* review/google for known php vulnerabilities

* session code including session fixation

------- Comment #3 From Daniel Morissette 2004-11-24 18:21:47 -------

Please no more details about security issues in this bugzilla or public mailing
lists.

------- Comment #4 From Paul Spencer 2004-12-20 14:03:09 -------

this is being tracked internally now.