MadIrish Webmail PHP Remote File Inclusion Vulnerability


Ah yes, you know you've arrived when http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3058. Turns out my oldest open source project, MadIrish Webmail (also at http://webmail.madirish.net), suffered from a PHP remote file inclusion vulnerability. Sort of embarrassing since I like to think of myself as a security professional. I'll chalk this one up to old code though and keep on plugging. I was able to respond to the vulnerability report in a fairly timely fashion even though for some reason SourceForge didn't actually send me an email. The official release notes for MadIrish Webmail version 2.01 are as follows:

"This [PHP remote file inclusion] vulnerability, as well as several other unreported SQL injection vulnerabilities, has been fixed in the latest release, version 2.01. All users are encouraged to download and install the latest version (by overwriting their current install with the new code). Unfortunately no patch is available since the codebase changes were so extensive. The data model has not changed though so no data will be lost in the upgrade. Remember to back up your config.php files in order to preserve customizations."
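For readers who want to see what this class of bug looks like in PHP, here is an added illustration (not the MadIrish Webmail code; the post does not show the actual fix) of the include pattern behind remote file inclusion next to a hardened allowlist version. The module names, the `modules/` directory and the `module` request parameter are assumed for the example.

```php
<?php
// Added illustration, not MadIrish Webmail's code: the classic PHP remote
// file inclusion pattern and one way to harden it.

// VULNERABLE PATTERN (hypothetical): the file to load is taken straight from
// the request. With allow_url_include enabled in php.ini, include() will also
// fetch and execute a URL, so the value must never be attacker-controlled.
// Defensive baseline regardless of code: allow_url_include = Off.
function load_module_vulnerable(string $module): void
{
    include $module . '.php';
}

// HARDENED: map the request value onto a fixed allowlist of known files, then
// confirm the resolved path is still inside the modules directory. Unknown
// names are rejected outright rather than "cleaned up".
const MODULE_DIR = __DIR__ . '/modules';   // assumed layout
const MODULES = [
    'inbox'   => 'inbox.php',
    'compose' => 'compose.php',
    'folders' => 'folders.php',
];

function resolve_module(string $module): ?string
{
    if (!array_key_exists($module, MODULES)) {
        return null;                           // not on the allowlist
    }
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . MODULES[$module]);
    // realpath() resolves symlinks and "..", so a prefix check is meaningful.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_module_safe(string $module): void
{
    $path = resolve_module($module);
    if ($path === null) {
        http_response_code(400);
        exit('unknown module');
    }
    require $path;
}

// Entry point: $_GET['module'] is the only untrusted input.
load_module_safe($_GET['module'] ?? 'inbox');
```

The same allowlist-and-resolve idea applies to any include, require or fopen whose path is influenced by request data; the SQL injection fixes mentioned in the release notes are a separate class handled with parameterized queries.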

The whole incident reminded me of the value in regular security audits, as well as having a good mechanism for users to submit bugs. I poked around for a little, but didn't find any good open source project management software, which is disappointing. What I'm thinking of would be some sort of website that would serve as the marketing front end to a project, but also allow bug tracking, reporting, news and announcements, as well as a forum for user support. Several open source projects have websites of this nature, but they're cobbled together from various and sundry open source projects rather than presenting a coherent package. It would be nice to have a Drupal style product that would allow you to create a project homepage (although perhaps the Drupal modules exist to put such a site together - I haven't really checked). Another feature that would be nice would be a subscription so users could 'register' and get updates, news, and other information related to the project.

I have to admit that several of these tools actually exist on the SourceForge site, but they're sort of difficult to use. I'm not sure if this reflects my lack of patience with the SourceForge interface or just general ignorance, but I find the site extremely annoying as a project admin. There is a lot of power there but it's difficult to use, completely unajaxy (so there are a LOT of clicks to find anything) and completely undocumented. There isn't really an alternative now so I'll be content just to gripe.