[campsite-dev] Reports of security vulnerability in Campsite: Our response
Dear Campsite users,

In recent days various reports have appeared on security-oriented websites such as vupen.com, securityfocus.com and Spamfighter.com regarding Campsite's vulnerability to cross-site scripting attacks. Because we take security very seriously, these reports were alarming to us too.

However, the reports focus on a vulnerability that has been documented for a while now by the PHP development team. It is not in Campsite itself, but is a setting for the PHP programming language. It is a setting in the file php.ini, called register_globals, and our recommendation is that it should always be set to 'off.' The Campsite manual explicitly warns users about this:
http://manual.campware.org/manuals/campsite/3.3/index.php?id 0

To make this even clearer, as of the next Campsite release (3.3.2), the installation process will warn users about this setting during install, telling them that the recommended value for register_globals is OFF to avoid big security holes.

While we appreciate having people point out security holes to us (and please keep those bug reports coming!), we wish there was a way that the security sites would also acknowledge when such vulnerabilities are resolved. Unfortunately, there doesn't seem to be such a way right now, except to try to address it directly via the Campware site and mailing lists.

Best regards,
The Campsite team
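The kind of install-time check described above, as an added example that is not Campsite's own installer code: it reads the effective register_globals value from the running PHP, interprets it the way PHP does, and returns a warning naming the loaded php.ini. Function names are hypothetical; only standard PHP functions are used.

```php
<?php
// Added example, not part of the Campsite project: check whether the
// php.ini directive register_globals is enabled and produce an installer
// warning if so.

/**
 * Interpret a raw php.ini value the way PHP does: "1", "On", "Yes", "True"
 * count as enabled; "0", "Off", "No", "False" and "" count as disabled.
 * ini_get() returns false when the directive does not exist at all
 * (PHP 5.4 and later removed register_globals), which is also "off".
 */
function ini_value_is_on($raw)
{
    if ($raw === false) {
        return false; // directive unknown to this PHP build: nothing to fix
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Return a warning string if register_globals is On, or null if it is Off
 * (or absent). Meant to be called by an installer before it continues.
 */
function check_register_globals()
{
    if (!ini_value_is_on(ini_get('register_globals'))) {
        return null;
    }
    $file  = php_ini_loaded_file();           // false if no php.ini was loaded
    $where = $file ? $file : 'your php.ini';
    return "register_globals is ON. Set 'register_globals = Off' in $where "
         . "(or 'php_flag register_globals off' in .htaccess for Apache mod_php) "
         . "and restart the web server.";
}

// Stand-alone usage: run with `php register_globals_check.php` on the server.
$warning = check_register_globals();
if ($warning !== null) {
    echo "WARNING: $warning\n";
} else {
    echo "register_globals is Off (recommended).\n";
}
```

Because register_globals is a PHP_INI_PERDIR directive, the value seen by a CLI run can differ from the one the web server uses; the check is most reliable when executed through the same SAPI that serves the site.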