[long mail ahead - for PHP coders only]

Hi,

as you know, the bug tracker is currently disabled for security reasons. I like Flyspray way better than any other bug tracker I know of and personally would love to continue using it. Unfortunately nobody could clearly locate the problem yet. I know that there are quite a few good PHP coders here, so I'm asking you to help out by doing a code audit of Flyspray.

Let me start with what I know...

On Friday I was informed by the project lead of ArchLinux that someone had broken into their server exploiting some unknown problem in Flyspray. He knew we're running Flyspray as well, so he let me know before we could be hit as well. Unfortunately very few traces were left behind by the attacker. The attacker was able to place files on the server and execute them.

The ArchLinux guys became aware of it because there was a notification sent out for a new task named FS#15997:

<{${eval($_REQUEST[xxx])}{exit}}>

This seems to be an attempt to inject malicious PHP code through Flyspray's templating system. If it had worked, the script should have stopped before sending the notification (because of the exit call), so we assume the task name above is actually a failed attempt, shortly before the successful breach. I also tried to create a task like that, which works but isn't executed or anything - exactly as one should expect.

Based on this initial hint, I had a very deep look at how Flyspray's template parser works. There is an eval at the very end that looks very scary but in fact seems not to be a problem at all. At least I couldn't find any way to exploit that. The parser simply splits a template into several chunks (PHP code blocks and text blocks). In the text blocks all template syntax is replaced by equivalent PHP code (echos and some escaping, basically). No value replacement is done inside the parser, so I see no way that user input could leak out of variables and be parsed (but that would be needed for the above-mentioned task subject to be dangerous).

It might be that I overlooked something in the template parser, but it could also be that the breach happens in some completely different place. From the ArchLinux access logs we assume that the breach happens with an authenticated user (there is a call to login first), sometime during the newtask action.

I talked to the ArchLinux server admin and one of the Flyspray developers. So far we have no idea where the problem is. I also looked for any 0day exploits at the usual places on the net but didn't see anything mentioned.

So we know there is a problem in Flyspray, but we don't know where. If you want to help the Flyspray devs, the ArchLinux guys (who are looking for alternatives without luck so far) and, last but not least, the DokuWiki community: please have a look at the Flyspray code (Release 0.9.9.6) and try to break it. Hopefully we can solve this together.

Andi

-- 
splitbrain.org

-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
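As an added illustration of the parser design the mail describes (this is example code written for this page, not Flyspray's own template parser), the following PHP 8 script builds a minimal two-phase template engine of that kind: the template source is split into PHP blocks and text blocks, `{$name}` placeholders in text blocks become escaped `echo` statements, and the generated code is `eval()`ed once. Values are bound only at render time, so a task name that arrives as a value is never seen by the compiler. For contrast, `render_unsafe()` splices values into the template source before compiling, which is the class of mistake that would be needed for a task name to be parsed at all. The function names, the constructed task names and the variable names (`title`, `user`, `secret`) are assumptions made for this example.

```php
<?php
// Added example, not Flyspray code: a minimal two-phase template engine of the
// kind the mail describes. Template source is split into PHP blocks and text
// blocks, placeholders in text blocks become echo statements, and the generated
// code is eval()ed once. Values are bound at render time, never at compile time.

// Compile a template string into PHP code. Text outside <?php ... ?> becomes
// echo statements; {$name} inside text becomes an HTML-escaped echo of $name.
function compile_template(string $tpl): string
{
    $parts = preg_split('/(<\?php.*?\?>)/s', $tpl, -1, PREG_SPLIT_DELIM_CAPTURE);
    $code  = '';
    foreach ($parts as $part) {
        if (str_starts_with($part, '<?php')) {
            // PHP block: pass the code through untouched (minus the tags).
            $code .= substr($part, 5, -2) . "\n";
            continue;
        }
        // Text block: split on {$name} placeholders (identifier only) and emit echos.
        $chunks = preg_split('/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/', $part, -1, PREG_SPLIT_DELIM_CAPTURE);
        foreach ($chunks as $i => $chunk) {
            if ($i % 2 === 1) {
                // Placeholder: reference the variable by name. No value is
                // inspected at compile time, so its content can never become code.
                $code .= 'echo htmlspecialchars((string) $' . $chunk . ", ENT_QUOTES, 'UTF-8');\n";
            } elseif ($chunk !== '') {
                // Literal text: var_export() yields a single-quoted literal, so
                // nothing in the template text is interpolated by PHP.
                $code .= 'echo ' . var_export($chunk, true) . ";\n";
            }
        }
    }
    return $code;
}

// Run compiled template code with the given variables bound in its scope.
function render(string $code, array $vars): string
{
    extract($vars, EXTR_SKIP);
    ob_start();
    eval($code);
    return ob_get_clean();
}

// SAFE: compile the trusted template source, bind untrusted values at render time.
function render_safe(string $tpl, array $vars): string
{
    return render(compile_template($tpl), $vars);
}

// UNSAFE (anti-pattern, shown for contrast): splice values into the template
// source before compiling, so user input is parsed as template syntax or PHP.
function render_unsafe(string $tpl, array $vars): string
{
    foreach ($vars as $name => $value) {
        $tpl = str_replace('{$' . $name . '}', (string) $value, $tpl);
    }
    return render(compile_template($tpl), $vars);
}

// Hypothetical notification template (constructed for this example).
$tpl = "<p>New task: {\$title}</p>\n<?php echo 'reporter: ' . \$user; ?>\n";

// Constructed task names: the first has the shape reported in the mail.
$payloads = [
    '<{${eval($_REQUEST[xxx])}{exit}}>',   // shape of the reported task name
    '{$secret}',                            // template syntax inside a value
    "<?php echo 'CODE RAN'; ?>",            // a PHP block inside a value
];
$vars = ['user' => 'alice', 'secret' => 'db-password'];

foreach ($payloads as $p) {
    $vars['title'] = $p;
    echo "safe:   ", render_safe($tpl, $vars), "\n";
    echo "unsafe: ", render_unsafe($tpl, $vars), "\n";
}
```

Running the script shows the reported task name coming back HTML-escaped in the safe path. In the unsafe path it is still not executed, because the placeholder regex only accepts an identifier after `{$` and text chunks are emitted as single-quoted literals; an engine that emitted text chunks inside double quotes would behave differently, since PHP's own `{${expr}}` string syntax evaluates `expr` there. The second and third constructed names show what splicing does allow even with this compiler: a value containing `{$secret}` is compiled as a placeholder and prints another variable from the rendering scope, and a value containing `<?php ... ?>` is passed through as a code block and run.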