sleemanj / xinha

WYSIWYG HTML Editor Component (turns <textarea> into HTML editors)
http://trac.xinha.org/

Month of PHP Security - Serious Xinha Security Hole (Trac #1518) #1518

Closed sleemanj closed 4 years ago

sleemanj commented 14 years ago

Hello,

the following security vulnerability in Xinha will be disclosed ALREADY ON THIS TUESDAY as part of Month of PHP Security.

The problem is that the whole way Xinha passes configuration to the plugins is insecure and broken.

The following code is supposed to be secure but is not.

function xinha_read_passed_data()
{
    if(isset($_REQUEST['backend_data']) && is_array($_REQUEST['backend_data']))
    {
        $bk = $_REQUEST['backend_data'];
        // session name and key location both come from the request
        session_name($bk['session_name']);
        @session_start();
        if(!isset($_SESSION[$bk['key_location']])) return NULL;
        // hash is checked against whatever session value the client pointed at
        if($bk['hash'] ===
            function_exists('sha1') ?
                sha1($_SESSION[$bk['key_location']] . $bk['data'])
                : md5($_SESSION[$bk['key_location']] . $bk['data']))
        {
            return unserialize(ini_get('magic_quotes_gpc') ? stripslashes($bk['data']) : $bk['data']);
        }
    }

    return NULL;
}

All an attacker needs to submit his own configuration is.

backend_data = array(
"session_name" => "PHPSESSID",
"key_location" => "some_session_key_from_the_main_app_that_we_know_like_eg_the_copy_of_user_agent_string_or_ip_of_user...",
"data" => serialize( ... A NEW CONFIGURATION ... ),
"hash" => sha1(KNOWN_SESSION_DATA . $data)
);

And the same attack is possible against the "old method" stored in all the config.inc.php files of all the plugins.

Therefore an attacker can simply overwrite the configuration and upload any file to any writable directory on the webserver, or just include arbitrary files/URLs......

Example of a vulnerable application is the Serendipity WebLog.

Yours, Stefan Esser

Reported by guest, migrated from http://trac.xinha.org/ticket/1518

sleemanj commented 14 years ago

guest changed severity from normal to blocker

sleemanj commented 14 years ago

guest commented:

Stefan's right.

I guess Xinha should force key_location to be (currently random) Xinha:BackendKey or at least something from Xinha: namespace and disallow passing the key location by the remote client (as he can choose whatever he wants).

sleemanj commented 14 years ago

changeset:1251

If a non default keylocation is used, it must also be supplied where the data is read.

changeset:1252

The same for ImageManager, ExtendedFileManager's deprecated methods.
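A hardened reader along the lines of the fix discussed above (key location fixed to a Xinha namespace key and never read from the request), added here as an example; it is not the code from changesets 1251/1252. It assumes PHP 7 or later, and swaps in json_encode/json_decode for serialize/unserialize and an HMAC for the bare sha1(secret . data); the function names mirror the original.

```php
<?php
// Added example, not Xinha's own code. Assumes PHP 7+ (random_bytes, hash_equals).
// Fixed key location: the client can no longer choose which session value is used.
define('XINHA_BACKEND_KEY', 'Xinha:BackendKey');

// Called by the page that embeds the editor: stores a random secret in the
// session and returns the signed backend_data the client must echo back.
function xinha_pass_data(array $config)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // session name is whatever the application configured
    }
    if (empty($_SESSION[XINHA_BACKEND_KEY])) {
        $_SESSION[XINHA_BACKEND_KEY] = bin2hex(random_bytes(32));   // server-generated secret
    }
    $data = json_encode($config);   // JSON instead of serialize(): no object injection on return
    return array(
        'data' => $data,
        'hash' => hash_hmac('sha256', $data, $_SESSION[XINHA_BACKEND_KEY]),
    );
}

// Called by the plugin backend: validates the echoed data against the
// server-side secret. session_name and key_location are not taken from the request.
function xinha_read_passed_data()
{
    if (!isset($_REQUEST['backend_data']) || !is_array($_REQUEST['backend_data'])) {
        return NULL;
    }
    $bk = $_REQUEST['backend_data'];
    if (!isset($bk['data'], $bk['hash']) || !is_string($bk['data']) || !is_string($bk['hash'])) {
        return NULL;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[XINHA_BACKEND_KEY])) {
        return NULL;                // no secret was ever issued to this session
    }
    $expected = hash_hmac('sha256', $bk['data'], $_SESSION[XINHA_BACKEND_KEY]);
    if (!hash_equals($expected, $bk['hash'])) {   // constant-time comparison
        return NULL;
    }
    $config = json_decode($bk['data'], true);
    return is_array($config) ? $config : NULL;
}
```

A request that names its own session_name or key_location is simply ignored: only a hash computed from the secret under Xinha:BackendKey verifies, and the secret never leaves the server.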



sleemanj commented 14 years ago

@sleemanj commented:

= Retro Patch =

For those who are unable to use the current trunk (I advise it, although it may be a bit buggy especially in IE), here are the steps to patch this issue.

Download this file: http://trac.xinha.org/export/1257/trunk/contrib/php-xinha.php
Save to: (your xinha folder)/contrib/php-xinha.php (replace the existing)

Edit file: (your xinha folder)/plugins/ImageManager/config.inc.php
Find: elseif(isset($_REQUEST['backend_config']))
Replace: elseif(0 && isset($_REQUEST['backend_config']))

Edit file: (your xinha folder)/plugins/ExtendedFileManager/config.inc.php
Find: elseif(isset($_REQUEST['backend_config']))
Replace: elseif(0 && isset($_REQUEST['backend_config']))

This will disable the deprecated configuration method in your ImageManager/ExtendedFileManager. If you are using that old method (you'll soon find out when ImageManager/ExtendedFileManager stop working for you), then you will need to update your usage according to the ImageManager and ExtendedFileManager wiki pages.

sleemanj commented 14 years ago