modxcms / evolution

This repository was Frozen. Welcome to the new evolution of MODX Evolution!
https://github.com/evolution-cms/
178 stars 206 forks source link

Security-fix 1.0.12 - 1.2 RC1 #919

Closed Dmi3yy closed 7 years ago

Dmi3yy commented 8 years ago

http://extras.evolution-cms.com/packages/core/security-fix.html fast solution for fix.

Deesen commented 8 years ago

Why not in core? Needs testing first?

Dmi3yy commented 8 years ago

Already in core Its fast fix for users. Who want's wait 1.2 releases

Отправлено с iPhone

11 нояб. 2016 г., в 12:44, Deesen notifications@github.com написал(а):

Why not in core? Needs testing first?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

Nicola1971 commented 8 years ago

is there a security issue? in 1.1?

pbowyer commented 8 years ago

Yep, and further back. This looks to be related to the hacking we've experienced the last week. Thanks @dmi3yy

Deesen commented 8 years ago

Ah ok I thought it was related to https://github.com/modxcms/evolution/pull/918 and yama´s comment in skype. Thanks for info & fix!

Eoler commented 8 years ago

Well, this is interesting - thanks for the contribution. Ain't bears really fancy this autumn...?

nick0 commented 8 years ago

Thankyou @dmi3yy.

Please confirm... If updating from 1.0.15, is there a later full public (non beta) release (1.1??) with this fix built in? Or is this still in development? In which case I will just use the patch for now. Thanks.

Dmi3yy commented 8 years ago

Fix for version 1.0.12 - 1.2 rc1 1.1 have bug

Отправлено с iPhone

12 нояб. 2016 г., в 03:14, nick0 notifications@github.com написал(а):

Thankyou @dmi3yy.

Please confirm... If updating from 1.0.15, is there a later full public (non beta) release (1.1??) with this fix built in? Or is this still in development? In which can I will just use the patch for now. Thanks.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

Deesen commented 8 years ago

And shouldn´t we add this info to security-feed in Dashboard? Last one mentioned is 1.0.13 from 2014.

esszett commented 8 years ago

@dmi3yy your comment

… 1.1 have bug

makes me nervous - may I ask you to give me a brief hint where these bugs are located? I'm currently finishing a project on 1.1 and would be happy to be prepared … just in case. I thank you!

Dmi3yy commented 8 years ago

https://github.com/extras-evolution/security-fix

Or in extrass.

Upload this files and all be fine

Отправлено с iPhone

14 нояб. 2016 г., в 00:38, esszett notifications@github.com написал(а):

@dmi3yy your comment

… 1.1 have bug makes me nervous - may I ask you to give me a brief hint where these bugs are located? I'm currently finishing a project on 1.1 and would be happy to be prepared … just in case. I thank you!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

modxuser commented 8 years ago

@ All

I have released a security post referencing this patch in the MODX forum, it can be found here

Nicola1971 commented 8 years ago

@modxuser thanks a lot. Can you add some instructions to fix with extras modules? It's a faster and easy way to fix the issue and avoid a lot of "hacked site" posts on forum.

Deesen commented 8 years ago

@modxuser Thanks, your post already appears in the security feed. Just for interest: Does the feed display the forum-threads, or did MODX LLC update the feed acc. to your post? Do you know?

modxuser commented 8 years ago

@Deesen I'm not sure, but I didn't inform the LLC, so I presume once a post is made in the security section it is automatically displayed in the feed.

@Nicola1971 Sorry, but i'm not sure I understand - what extras modules ?

You could provide the text yourself and I can post it in the forum, if that helps

Eoler commented 8 years ago

I'm not sure, but I didn't inform the LLC, so I presume once a post is made in the security section it is automatically displayed in the feed.

So we can spam all MODX Evolution installations out there with a single forum post? Pure genius!

modxuser commented 8 years ago

@Eoler Simple answer = NO

Eoler commented 8 years ago

Simple answer = NO

Ok, good for them (and us).

Nicola1971 commented 8 years ago

@modxuser

@Nicola1971 Sorry, but i'm not sure I understand - what extras modules ?

Evolution 1.1 users can install the security patch directly from the Manager, using the Extras Module (previously called "Store" module). You can find the patch in Extras > Core (categories) or just typing "fix" in the Extras module search form:

b3yyid7plq3yaaaaaelftksuqmcc

modxuser commented 8 years ago

Ah ok. But that only involves those who have that installed, for example, I don't LOL

I don't think we need to add that to the forum, it's now here and this page is linked to via the forum security post

fourroses666 commented 8 years ago

Shouldn't it be Security patch for Evolution 1.0.x - 1.2RC1 ?

Can't harm to post an other fast way to close the leaks I think. Or just a line with; The security fix can also be downloaded by the Extra's Module.

modxuser commented 8 years ago

The forum post has been updated, referencing the "Extras" module and linked to @Nicola1971 post

pixelchutes commented 8 years ago

Does the recommended patch properly protect against partially escaped payloads?

REDACTED

I tested with the protect.inc.php from security-fix repo, but was still seeing exposure vs. when comparing to protect.inc.php from #918 ?

Cipa commented 8 years ago

I was just testing this and it seems like it's not

$values = array(
    '[[]]',
    '[\[\]\]',
    '[/[]/]',
    "\[\[\]\]\/",
    '\[\[test]]',
    '\[\[\test\]\]',
    '[\[Ditto?parents=`0`]\]'
);
array (size=7)
  0 => string 'sanitize_seed_6lei5gouwesck8kkk408cwk88[sanitize_seed_6lei5gouwesck8kkk408cwk88[sanitize_seed_6lei5gouwesck8kkk408cwk88sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88' (length=238)
  1 => string '[\[\]\]' (length=7)
  2 => string '[/[]/]' (length=6)
  3 => string '\[\[\]\]\/' (length=10)
  4 => string '\[\[testsanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88' (length=127)
  5 => string '\[\[\test\]\]' (length=13)
  6 => string '[\[Ditto?parents=`0`]\]' (length=23)
pixelchutes commented 8 years ago

Thanks, @Cipa. Confirmed here, too. I can reproduce a few scenarios as well

REDACTED

Cipa commented 8 years ago

Anyone knows why [\[Ditto?parents=0]\] would be executed later on/detected as valid snippet? Are the \ removed?

nick0 commented 8 years ago

Thanks for the further testing @pixelchutes and @Cipa. Does this mean there are more files needing updating for the patch?

nick0 commented 8 years ago

I didn't know about the "Extras module". Nice Is this it here, called the Package Manager? http://extras.evolution-cms.com/packages/utilityi/packagemanager.html If so, I think the forum post needs updating because "Extras" module does not exist under that name

pmfx commented 8 years ago

No. Package Manager is this https://github.com/Jako/PackageManager and you can download "Extras" (or "Store") module here http://extras.evolution-cms.com/download.html

nick0 commented 8 years ago

Ah gotcha. Thanks for confirming that. Got it

Nicola1971 commented 8 years ago

@dmi3yy, I think we need to fix this name confusion in extras module:

Dmi3yy commented 8 years ago

Ok

Отправлено с iPhone

16 нояб. 2016 г., в 01:25, Nicola notifications@github.com написал(а):

@dmi3yy, I think we need to fix this name confusion in extras module:

if the new name is "extras" ' the folder under assets/modules/ should be extras, not store. the title in module page should be the same — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

nick0 commented 8 years ago

Great idea. ps can you also please include install instructions with the "Extras" package - I am not sure what to put in the "Module code" area when creating the module in Evo. Thanks.

tweezy-au commented 8 years ago

I noticed that the eform snippet is included in the patch.

In my installation (Evo 1.0.14) the snippet is stored in the database (Manage Elements - Snippets - eForm), so should I replace that with the new contents of snippet.eform.php?

nick0 commented 8 years ago

One of the developers could probably confirm this tweezy-au but what I did for eform was... via ftp: overwrite the existing eform files with those in the patch in Evo: change the number in the eform snippet description to 1.4.7

pbowyer commented 8 years ago

Good catch @pixelchutes and @Cipa.

Are these partially-escaped issues specific to eForm, or could an attacker craft input to Evo that exploits them? To put it another way: is eForm the security problem?

signalfeuer commented 8 years ago

I applied the hotfix yesterday at 17:36pm – today at 8:05am my modx website got hacked! :-( MODX Evolution 1.0.15

Edit: It seems that the project was hacked a few days before. There is a file "js-min.php" uploaded into "/assets/media" (09.11.2016) - could be the "door-opener"!?

pbowyer commented 8 years ago

@signalfeuer that is the door in. You will also have one of your plugins (stored in the database) commented out and code appended to it, which needs removing.

This query found it for me:

SELECT * FROM modx_site_plugins WHERE plugincode LIKE '%base64%'
yama commented 8 years ago

Thanks, @pixelchutes https://forums.modx.com/messages/ I sent a PM to you on the forum

signalfeuer commented 8 years ago

@pbowyer Thanks. The corrupt plugin was "TransAlias".

pbowyer commented 8 years ago

@signalfeuer It's a different plugin on every install :)

The code that's injected, once decoded looks like: https://gist.github.com/pbowyer/0cf7b45502cc9a0d2144cfe4ffd4afdd. It's pretty smart, and I haven't understood what it's doing with the SQL injection.

Nicola1971 commented 8 years ago

same here: found 3 files in assets media:

and 2 files in root:

and 1 file in assets

The infected plugin was an old disabled plugin, with code commented and some base64 code added

yama commented 8 years ago

By executing the modx_sanitize_gpc function unconditionally, we can solve this vulnerability. However, we need to understand that eForm has two points of vulnerability. Although it is not talked about here, there is another one.

yama commented 8 years ago

It is also important to note that three snippets that can execute the php eval function within a snippet call are included in the package.

pixelchutes commented 8 years ago

The hot fix posted yesterday is not enough.

@pbowyer I don't have reason to believe it would be limited to eForm (hopefully I'm wrong), but it would seem any user input would also need to be globally sanitized for escaped MODX tags, especially if returning user input to the user (but definitely not limited to that.)

modxuser commented 8 years ago

What does the hack actually do ?

Other than files on the server, how do you know that you have been hacked via this hack ? Is there front-end code / spam / links etc.

pbowyer commented 8 years ago

@modxuser run the database query above to see if they've injected code into a plugin. The file uploaded (js-min.php for me) gives good access to the server, so that alone is compromise enough.

Nicola1971 commented 8 years ago

try to share a post on google+ :D and you will see seems redirect urls to display content from another site

Nicola1971 commented 8 years ago

example: this is a post on Google+ of one of my italian customers site Hacked:

hack-g

of course, the chinese content is not coming from the customer's site :)

modxuser commented 8 years ago

Thanks for the info - yet again, this proves that back-ups are essential

Tested a few sites using 1.0.15 => 1.1, all OK - I have back-ups of all my sites anyway (offline), so just a short hinderance if they do get hacked.

Will this hopefully be fully sorted (as noted by @yama ) with the forthcoming 1.2 release ?