Archive for April, 2011

About some eyeOS security issues

Thursday, April 7th, 2011

Yesterday two security bugs regarding eyeOS versions 2.3 and 2.2 were published on some software security websites. The first one was about a local file inclusion vulnerability in eyeOS 2.3 and the other one about a non-persistent cross-site scripting issue.

About this topic, we would like to explain that this issue is not related to eyeOS itself, but affects one of the open source core components of eyeOS, which is an independent project (qooxdoo). Qooxdoo is the framework that we use internally to develop user interfaces in JavaScript. This framework has a “source” directory that is available in the SVN for debugging reasons. However, in the last two versions of eyeOS this qooxdoo “source” package was not deleted from the release packages.

The independent software auditor noticed a security bug in qooxdoo, not in eyeOS itself, but because eyeOS includes this qooxdoo “source” directory, it has been said that there is a security bug in eyeOS. There is no security bug in the eyeOS code at all. eyeOS is developed with security in mind and we are really proud of the high standards of security we have achieved.

However, because the qooxdoo “source” package was included in the last two releases of eyeOS, 2.2 and 2.3, everyone using these versions should consider removing the “devtools” directory in the eyeOS root (beside index.php and settings.php). Removing this directory is completely safe, since it is not used at all; it was there only for debugging purposes in the development versions and was mistakenly released with the packages.

Additionally, the advisory states that there is a local file inclusion vulnerability in qooxdoo. However, this is a mistake by the independent auditor, because the vulnerable code does not use the require or include functions at all. It only uses file_get_contents, so the vulnerability does not allow executing any code; it only allows reading arbitrary files whose full paths are known and that are readable by the web server.
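The distinction above (a user-supplied path reaching file_get_contents gives arbitrary file read, not code execution) is worth pairing with the check that a file-serving helper should perform. The following is an added illustration, not eyeOS or qooxdoo code, written in Python as a language-agnostic model of the containment check a PHP wrapper around file_get_contents should do: resolve the real path, refuse absolute paths, and refuse anything that escapes the allowed directory. The directory layout and file contents are constructed for the demo.

```python
import os
import tempfile


def read_within(base_dir: str, requested: str) -> bytes:
    """Return the bytes of `requested`, but only if it resolves to a regular
    file under `base_dir`. Raises ValueError for absolute paths, '..'
    traversal, or symlinks that resolve outside the base directory."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    target = os.path.realpath(os.path.join(base, requested))
    # Containment check: the resolved target must be base itself or below it.
    if target != base and not target.startswith(base + os.sep):
        raise ValueError("path escapes the allowed directory")
    if not os.path.isfile(target):
        raise ValueError("not a regular file")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: an allowed 'source' directory next to a settings
    file that must stay private. Shows that in-directory reads succeed while
    traversal and absolute-path reads are refused."""
    root = tempfile.mkdtemp()
    allowed = os.path.join(root, "source")
    os.makedirs(allowed)
    with open(os.path.join(allowed, "ok.txt"), "w") as fh:
        fh.write("public")
    private = os.path.join(root, "settings.php")
    with open(private, "w") as fh:
        fh.write("constructed secret")

    results = {"inside": read_within(allowed, "ok.txt")}
    for label, attempt in (("traversal", "../settings.php"), ("absolute", private)):
        try:
            read_within(allowed, attempt)
            results[label] = "READ"
        except ValueError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```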

eyeOS public servers were never affected because new.my.eyeos.org never used the installation packages of 2.2 or 2.3, just the updaters, which do not include the qooxdoo “source” directory. Your data has never been compromised. Thanks for understanding and please stay tuned for the next eyeOS 2.4 release on Monday.

eyeOS Confidential: 2.4 Sneak Peek (V) – Web integration

Tuesday, April 5th, 2011

Another new feature for eyeOS 2.4 is the possibility to integrate websites inside eyeOS. Now it’s possible to access these websites from the desktop. If you were an eyeOS 1.X user you may know the eyeIframizer: this feature has the same abilities. Take a look at this video! And... stay tuned!