Product: P4DB URL: http://www.mydata.se/ftp/P4DB/ Version: P4DB v2.01 and earlier Risk: Multiple vunlerabilities (high) Description: P4DB is a CGI based tool that provides a web-based interface to Perforce source code repositories. It is third-party software, developed by an individual and unsupported by Perforce. I believe it is in use internally at a large number of organizations, and installations can also be found on the public Internet. The Problem: P4DB is very bad about validating user input. This leads to a multitude of vulnerabilities, the most dangerous being unfiltered input passed to shell commands. This allows for individuals to run arbitrary commands on the web server. Additionally, there are cross-site scripting issues throughout the package. The Fix: The original developer of P4DB, Fredric Fredricson, appears to have dropped off the Internet; he did not respond to inquiries made in late March, 2004. The most recent release of P4DB was in 2001; he has submitted a multitude of changes to the package source in the public Perforce repository (as recently as March, 2004), but the security issues are still present in that code. I have contacted Perforce about the problem; they suggest that people migrate to P4Web, a free package that provides the same functionality, developed and maintained by Perforce themselves: http://www.perforce.com/perforce/products/p4web.html Failing that, I've made a patch that fixes the security problems I've identified. You can download it at: http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt However, given that it is essentially abandoned software, I strongly urge you to migrate away from it. -Jon
