<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in P4DB



Product:        P4DB
URL:            http://www.mydata.se/ftp/P4DB/
Version:        P4DB v2.01 and earlier
Risk:           Multiple vunlerabilities (high)

Description:

P4DB is a CGI based tool that provides a web-based interface to Perforce
source code repositories. It is third-party software, developed by an
individual and unsupported by Perforce. I believe it is in use internally
at a large number of organizations, and installations can also be found
on the public Internet.


The Problem:

P4DB is very bad about validating user input. This leads to a multitude of
vulnerabilities, the most dangerous being unfiltered input passed to shell
commands. This allows for individuals to run arbitrary commands on the 
web server. Additionally, there are cross-site scripting issues throughout
the package.


The Fix:

The original developer of P4DB, Fredric Fredricson, appears to have dropped
off the Internet; he did not respond to inquiries made in late March, 2004.
The most recent release of P4DB was in 2001; he has submitted a multitude of
changes to the package source in the public Perforce repository (as recently
as March, 2004), but the security issues are still present in that code. 

I have contacted Perforce about the problem; they suggest that people migrate
to P4Web, a free package that provides the same functionality, developed and
maintained by Perforce themselves:

  http://www.perforce.com/perforce/products/p4web.html

Failing that, I've made a patch that fixes the security problems I've 
identified. You can download it at:

  http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt

However, given that it is essentially abandoned software, I strongly urge 
you to migrate away from it.

-Jon