Known Security Risks (0.6.1)

The first release of FOSSology has not been through a thorough security audit and is not recommended for general-purpose wide-spread use.

The known security risks are as follows:

• Ununpack. The UNiversal Unpacker (ununpack) is used to extract files from archives. This program relies on tools such as “ar” and “unzip” to extract contents. If any of these tools are vulnerable to “../” traversal or other exploits from hostile files, then the user “fossy” may be compromised. In general, the UI may be extrernally accessible, but generic file submission from unknown users should be discouraged.
• PHP and DB. Parameters from the URL are used to access the database. While effort has been made to taint and protect the database, it could be possible to poison the system through a malicious URL. Until the audit is completed, this should be treated as a risk. Consider using an .htaccess file to remove all URLs that contain quotes, pipes, and other shell-like characters.
• File contents. The entire contents of the unpacked file are visible to all users. If a file is a disk image and contains an /etc/passwd or /etc/shadow file, then the contents of the password files can be viewed by all.
• File distribution. All uploaded files can be downloaded using the download link. While not a technical limitation, if the licenses specifies distribution restrictions, then this could be considered distribution. Consult your attorney before enabling file downloads.

To mitigate the risks, we have taken the following precautions and recommend the following steps:

• All agents run as user fossy in group fossy. Any exploit will be limited to the range of the fossy user.
• Uploads should be limited to trusted users and not just anyone with web access.
• Use a .htaccess to restrict logins and filter out harmful URLs. For example, this set of .htaccess rules uses mod_rewrite to block malicious URLs containing quotes (used for many SQL-injection attacks):

RewriteEngine On
RewriteCond %{REQUEST_URI} .*('|"|`|%22|%27|%60|").* [OR]
RewriteCond %{REQUEST_URI} .*(/\.\./).*
RewriteRule ^.*$ - [F]

• Sensitive data submissions should be limited to internal server instances.
• Discuss with your legal council the implications of distributing software via this system.

Should you come across any known or potential security risks, please contact security@fossology.org. Be sure to provide enough information so that we can reproduce and validate the risk. We take security very seriously. However, there are not many of us so it may take a few days for us to respond (especially on weekends and holidays). Thank you for your understanding and reporting efforts.