Archive for the 'Security' Category

Security upgrade version released

Thursday, July 12th, 2007

As of this writing a new version of slidePresenter has been released which addresses security concerns mentioned in the July 4, 2007 security alert. slidePresenter-0.40-beta-2 includes significant changes, specifically the addition of the SLP_SECURITY setting, which accepts values “MoreCautious” and “MoreConvenient”. “MoreCautious” mode requires the use of command-line scripts for adding and removing slides and presentations, whereas in “MoreConvenient” mode these features are available directly from the Web interface.

As with slidePresenter-0.40-beta, this release does not provide tools to upgrade from previous versions. These tools will be made available in the stable release of slidePresenter-0.40. Subscribers to the slides-announce list will be notified when that version has been released.

Patch Status

Wednesday, July 4th, 2007

In my last post I mentioned that I expected to have a patched release of the slidePresenter-0.30 branch by end of day today. However, the situation turns out to be a little more complex than I thought. I am now hoping to have a stable release of the 0.40 branch to release tomorrow (July 5, 2007).

In case you’re curious, here is a little more detail:

The nature of the problem lies in the fact that the “data” directory is expected to be writable by the web server, and to be located under the web server’s document root. In a shared hosting environment, this is a significant security hole.*

The simplest fix would involve one of two changes, neither of which happen to be appropriate for slidePresenter: either turning off write privileges to this directory for the web server (which would completely prevent you from moving from one slide to the next, among other things), or move this directory out of the document root (which would prevent the slide images from being displayed). The alternative option, the one I want to implement, is to separate the data directory into two parts: one located above the server’s document root, for the data files that keep track of each presentation’s properties (name, description, current slide, etc.); and another, within the document root for the slide images themselves.
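As an added illustration (not slidePresenter's own code), here is a small Python deployment check for the split layout just described: the metadata directory must sit above the document root, the image directory inside it, and the web-writable image directory must contain no server-executable files and accept only plain image filenames. The directory names, the extension lists and the sample files are assumptions constructed for the demo.

```python
from pathlib import Path
import tempfile

# Assumed handler extensions; adjust to what the web server actually executes.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def is_inside(path: Path, root: Path) -> bool:
    """True if path equals root or lies beneath it (symlinks resolved)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def check_layout(docroot: Path, meta_dir: Path, image_dir: Path) -> list:
    """Return a list of problems with a split data-directory layout."""
    problems = []
    if is_inside(meta_dir, docroot):
        problems.append(f"metadata dir {meta_dir} is inside the document root")
    if not is_inside(image_dir, docroot):
        problems.append(f"image dir {image_dir} is outside the document root")
    # A web-writable directory under the document root must never hold executables.
    for f in image_dir.rglob("*"):
        if f.is_file() and f.suffix.lower() in EXECUTABLE_SUFFIXES:
            problems.append(f"server-executable file in web-writable dir: {f.name}")
    return problems


def safe_image_name(name: str) -> bool:
    """Accept a bare filename with exactly one image extension.
    Rejects path components (traversal) and double extensions like slide.php.png."""
    p = Path(name)
    if name in ("", ".", "..") or p.name != name:
        return False
    suffixes = [s.lower() for s in p.suffixes]
    return len(suffixes) == 1 and suffixes[0] in IMAGE_SUFFIXES


def demo(meta_under_docroot: bool = False) -> list:
    """Constructed sandbox: docroot, metadata dir, and an image dir holding a stray .php file."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    meta_dir = (docroot if meta_under_docroot else base) / "slp-data"
    image_dir = docroot / "slides"
    for d in (docroot, meta_dir, image_dir):
        d.mkdir(parents=True, exist_ok=True)
    (image_dir / "slide01.png").write_bytes(b"\x89PNG constructed sample")
    (image_dir / "stray.php").write_text("<?php /* constructed stray file */")
    return check_layout(docroot, meta_dir, image_dir)
```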

On a new installation, it’s not important that the structure of the data directory has changed since the last release. But for people who are upgrading an existing installation, it matters a great deal. If these users are going to be able to keep their existing presentations through the upgrade, slidePresenter will need to provide a way for them to reorganize their presentation data into the new structure.

It just so happens that this issue of upgrading to a new data structure is the one issue that remained undone in slidePresenter-0.40 when the beta version was released. This means that if I am going to spend the time to write upgrade scripts for a new release of the 0.30 branch, slidePresenter users might be better off if I would instead use that time to write upgrade scripts for the 0.40 branch, then publish a stable release of 0.40, and let users upgrade to that.

Although I would not normally discontinue support for the 0.30 branch until a stable release of the 0.50 branch, it seems in this case to be less work, both for me (avoid coding similar features twice), and for the community (avoid upgrading to 0.34 now — including conversion to a new data structure — and then again to 0.40 — converting to yet another data structure — soon afterward).

Note that this is still a fairly small community, so your concerns carry a lot of weight. If you have specific reasons why you will not be able to upgrade to slidePresenter-0.40 and need a patch for the 0.30 branch, contact me (see the README.txt file in the distribution). I will do my best to help address your specific situation.

* I should point out that this “significant security hole” is also in place in many very popular software packages, including WordPress, which powers this very site. Regardless, I believe it would be irresponsible to continue publishing slidePresenter without doing all I can to eliminate such a vulnerability.

SECURITY ALERT: All slidePresenter versions

Wednesday, July 4th, 2007

As of 15:30 PM Eastern Time, July 4, 2007, all existing versions of slidePresenter were found to contain a security flaw in which certain server-executable files may be written by an attacker having write-access to the web server. Although no known flaws in slidePresenter provide that access, I have no way of confirming the same is true of all other services running on a web server.

Therefore, all archived versions of slidePresenter are being pulled from the download site at sourceforge.net until this vulnerability has been patched.

Existing slidePresenter users in shared hosting environments are encouraged to discontinue use of slidePresenter until a patched version can be installed.

I expect to have a patched version for the slidePresenter-0.30 branch released by end of day on July 4, 2007. Users of previous versions will be encouraged to upgrade to that patched 0.30 release.

Subscribers to the slides-announce list will be notified when patched versions have been released.

SECURITY ALERT: slidePresenter-0.40-beta

Friday, June 29th, 2007

This is a security alert regarding slidePresenter-0.40-beta.

As released, slidePresenter-0.40-beta contains a security flaw in which certain server-executable .php files may be overwritten by an attacker having write-access to the web server. Although no known flaws in slidePresenter provide that access, I have no way of confirming the same is true of all other services running on your web server.

Therefore, all users of slidePresenter-0.40-beta are encouraged to discontinue its use and revert to the latest stable version (slidePresenter-0.33) until this vulnerability has been patched. To prevent further distribution of the vulnerable code, slidePresenter-0.40-beta has been removed from the download site at sourceforge.net; all other previously released versions are still available.

Subscribers to the slides-announce list will be notified when a patched version has been released.