Security Alert 1.2.6 CVS

Check this often to be informed about any security problem that has been reported.
larmann
Posts: 311
Joined: Thu 23. Jun 2005, 10:51
Location: Hamburg

Security Alert 1.2.6 CVS

Post by larmann »

[UPDATE]
I have created a patch for 1.2.x releases. Before this is published as the official one, I would like it to be tested.
Download patch: http://www.phpwcms.org/support/patchSec ... _1.2.x.zip

See also: http://www.phpwcms.de/forum/viewtopic.php?p=63686#63686



English (the author's own translation) follows below:
**************

Hello,

I have just received this e-mail. Someone created an admin user in my fresh 1.2.6 CVS installation. Here is the e-mail I got about it:

**************

Hello!

I was just advising ... on which CMS he should use for his new site. To demonstrate to him that phpwcms is very insecure, I used a hole to create a user "config" with admin rights on your new site. He said you would not hold it against us, since the site has not even launched yet. With that user I could now make arbitrary changes. Please remove the user again.

I can only advise against using phpwcms. I recently checked whether it now meets my requirements for use on my servers, and I was fairly appalled.

Not only does it produce bad code; above all, it is programmed without any consistent security concept. Within a very short time I discovered several serious flaws. At first I wanted to do a complete code audit, but on this code base that is simply too time-consuming.

I don't have the time to dig all the flaws out of the tool. I will send the flaws I found to you and to the author of the system in the next few days.

Furthermore, it was possible to download the database password and the user database.


****************
Hi there,

I just got this email. Someone created an admin user in my fresh 1.2.6 CVS. Here is the email I got:


******
Hello!

I just wanted to explain to ... which CMS he should use for his new website. I wanted to demonstrate to him how insecure phpWCMS is and therefore created an admin named "Config" in your backend. He said you won't be angry about it because the website isn't launched yet. With this admin user I can change whatever I want on your site. Please delete the user again.

I consider phpWCMS to be dangerous. I tested it recently on my servers and was pretty surprised.

It's not just producing bad code, it is constructed without any decent security concept. Within a very short time I found several huge mistakes. First I thought to make a whole code audit, but on this basis it's much too time-consuming.

I just don't have the time to find them all right now. I'm going to send the mistakes to you and the author of the system in the next few days.

Furthermore, it is possible to download the database password and the database.
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium

Post by Kosse »

:?: :shock: :?:

Did you send that to OG? If the guy/girl sends you the code he used to crack you and demonstrates that it is insecure, well, I guess OG will patch it...

Otherwise, phpwcms has been there for almost 3 years without anyone complaining that they got hacked like that...

mmmm... wait and see
larmann wrote: It's not just producing bad code, it is constructed without any decent security concept. Within a very short time I found several huge mistakes. First I thought to make a whole code audit, but on this basis it's much too time-consuming.
-> I'm not really convinced...

Other concern; is it phpwcms or the server settings?...

Cheers
trip
Posts: 657
Joined: Tue 17. Feb 2004, 09:56
Location: Cape Town, South Africa

Post by trip »

With those kinds of questions you are asking, it does not sound like you are too familiar with web programs.

:roll:
bugreporter
Posts: 10
Joined: Fri 21. Apr 2006, 18:40

the bugs

Post by bugreporter »

I wanted to inform the author first, but now there is this discussion already. It was not my idea to post it here right now.

I looked into the source for less than an hour and found the following issues:

1. You can use
"include/inc_act/act_formmailer.php"
for spam mails by faking HTTP_REFERER. This is quite easy. Allowing a public website to send an email to arbitrary addresses is not a good idea, I think.

2. You can use
"phpwcms_code_snippets/mail_file_form.php"
to run arbitrary PHP code. I think it is safe to remove the "render_PHPcode" three times, but I did not try, because I don't use phpwcms. For the 1.1 release the file is "sample_ext_php/mail_file_form.php".

You can use this hole to download conf.inc.php and to create user accounts in the database; this is quite easy. I think it is safe to remove the whole directory, but I don't know.

I don't have the time to do a full code audit and have only looked into a few PHP files with "interesting filenames" (I was interested in the email parts first). Since I decided not to use phpwcms, I will not search for more bugs.

Hope that helps
Bugreporter
Last edited by bugreporter on Sat 22. Apr 2006, 10:39, edited 2 times in total.
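The Referer weakness reported in point 1 above, shown in working code. This is an added example, not code from phpwcms or from anyone in this thread; the helper names (referer_looks_local, issue_form_token, verify_form_token, handle_contact_form), the secret, the recipient address and the request arrays are all constructed for the demonstration. It generalizes slightly beyond the formmailer: the first function is the shape of any "only accept posts that came from my own pages" check built on HTTP_REFERER, a header the client sets to whatever it likes; the rest is what a mail handler can rely on instead, a server-side recipient so the request never chooses where mail goes, and a signed, expiring token that proves this site actually served the form.

```php
<?php
// Added example, not phpwcms code. Shows why an HTTP_REFERER check cannot
// stop form-mail abuse and what a hardened mail handler checks instead.
// All names, the secret and the request arrays below are constructed.
declare(strict_types=1);

// Weak control: "accept the post only if it came from one of our pages".
// The Referer header is chosen by the client, so a spammer sends a local one.
function referer_looks_local(array $server, string $ownHost): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Hardened control: a signed, expiring token issued when the form is
// rendered. Forging one requires the server-side secret.
const FORM_TOKEN_TTL = 900; // seconds a rendered form stays submittable

function issue_form_token(string $secret, string $formId, int $now): string
{
    $payload = $formId . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

function verify_form_token(string $secret, string $token, string $formId, int $now): bool
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$id, $issued, $mac] = $parts;
    if ($id !== $formId || !ctype_digit($issued) || $now - (int) $issued > FORM_TOKEN_TTL) {
        return false;                       // wrong form, garbage, or expired
    }
    $expected = hash_hmac('sha256', $id . '|' . $issued, $secret);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// The recipient comes from server-side configuration; the request can choose
// the message text but never where the mail goes.
function handle_contact_form(array $post, string $secret, int $now): array
{
    $configuredRecipient = 'webmaster@example.org';   // constructed config
    if (!verify_form_token($secret, (string) ($post['token'] ?? ''), 'contact', $now)) {
        return ['sent' => false, 'reason' => 'bad or expired token'];
    }
    // A real handler would call mail() here; we return what it would send.
    return [
        'sent'    => true,
        'to'      => $configuredRecipient,
        'subject' => 'Website contact form',
        'body'    => substr((string) ($post['message'] ?? ''), 0, 4000),
    ];
}

// Demonstration with constructed requests.
$now    = 1700000000;
$secret = 'constructed-secret-do-not-reuse';

// A spammer forges the Referer; the weak check accepts the request.
$forged = ['HTTP_REFERER' => 'http://www.example.org/contact.html'];
var_dump(referer_looks_local($forged, 'www.example.org'));

// The same spammer has no valid token; the hardened handler refuses,
// and the "to" field it tried to smuggle in is never even read.
$spam = ['token' => 'contact|0|deadbeef', 'message' => 'buy now', 'to' => 'victim@example.net'];
var_dump(handle_contact_form($spam, $secret, $now));

// A visitor who loaded the form a minute ago is accepted, and the mail goes
// to the configured address only.
$token = issue_form_token($secret, 'contact', $now - 60);
var_dump(handle_contact_form(['token' => $token, 'message' => 'hello'], $secret, $now));
```

Run it with the PHP command-line interpreter. The token carries its issue time in the clear; that is fine because the HMAC covers it, so an attacker can neither extend the lifetime nor mint a token for another form without the secret. Keep the secret out of the web root (the thread's own conf.inc.php disclosure is a reminder of why) and rotate it if it is ever exposed.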
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium

Post by Kosse »

Hi bugreporter,

Thanks for the input... but I sense you need access to the server to do all that you just explained, meaning a secure server won't let you upload your files in place of the installed ones?

--> I am (still) curious about what OG will say about this... :?

If he confirms, then I'd be happy to hire your services to secure it ;)
Plus, let's not forget we're talking about a dev release, so it helps that you pointed out a security hole... :P

Cheers
bugreporter
Posts: 10
Joined: Fri 21. Apr 2006, 18:40

Post by bugreporter »

Kosse wrote: but I sense you need access to the server to do all that you just explained, meaning a secure server won't let you upload your files in place of the installed ones?

No, if you have a file called "mail_file_form.php" there, you are insecure.
The code

render_PHPcode(clean_slweg($_POST['nome_evento']));

means: "Run as PHP code all the information that the user of the website sent me" (when it is marked as PHP code)

I can not understand, how anyone could write this line.
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium

Post by Kosse »

Hmm, but those are code_snippets, meaning you don't REALLY need them to run phpwcms ;) They are there IF you need them :) ... and it's not OG who wrote that; I'm not aware he writes in Italian :P

Now, I must confess my tech skills are not evolved enough to discuss this thoroughly...
bugreporter
Posts: 10
Joined: Fri 21. Apr 2006, 18:40

Post by bugreporter »

I agree that OG did not write this script.
But since the directory is in the normal installation directory, it is there in most installations of phpwcms. Give it a try and have a look at some sites.

Maybe I was lucky, but I found the bugs only by looking into a few files with "mail" in the filename. I did not look in all the others.
flip-flop
Moderator
Posts: 8178
Joined: Sat 21. May 2005, 21:25
Location: HAMM (Germany)

Post by flip-flop »

Hi bugreporter,

Many thanks for this information. I hope O.G. will read this soon and solve these problems.
I think he will do an audit.

Regards, Knut
>> HowTo | DOCU | FAQ | TEMPLATES/DOCS << ( SITE )
Oliver Georgi
Site Admin
Posts: 9906
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

Ok, here is my little answer:

First, it would be good if the "expert" would contact me.

And it's right: the old formmailer is really not a good piece of code. If possible, remove it.

The code snippets are what they are: not really a part of phpwcms, and they can be deleted. But all parts there were written by myself, often just as an example of how to solve a problem. I will remove this stuff from coming releases.

And all other leaks: it would be interesting to know about them.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium

Post by Kosse »

Hey,

If I understood right, is it better to remove ALL the code_snippets? Or is it enough if I just delete mail_file_form.php?

As for the formmailer, is there an alternative?
Thanks

Cheers
flip-flop
Moderator
Posts: 8178
Joined: Sat 21. May 2005, 21:25
Location: HAMM (Germany)

Post by flip-flop »

Hi Kosse,

Please kill the whole folder. If you want to use one of the files, do it separately.

Did you use the "old" formmailer? A quick test on my side: everything is running well without this file. I am using only the "email contact form".

Regards, Knut
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium

Post by Kosse »

flip-flop wrote: Hi Kosse,

Please kill the whole folder. If you want to use one of the files, do it separately.

Did you use the "old" formmailer? A quick test on my side: everything is running well without this file. I am using only the "email contact form".

Regards, Knut
Ok, thanks flip-flop, will do so... will review all sites (+/-15) and see if they still work after that. Problem: I've used the folder to put other files like moo.fx and such... :? Well, I will move them to the /content folder I guess ;)
Thanks for the info

Regards/Cheers
Oliver Georgi
Site Admin
Posts: 9906
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

Ok thanks,

I was contacted and checked why this happened. The biggest problem is mail_file_form.php. If you use this anywhere, just send an email to me and I will tell you how to make it safer.

[UPDATE]
I have created a patch for 1.2.x releases. Before this is published as the official one, I would like it to be tested.
Download patch: http://www.phpwcms.org/support/patchSec ... _1.2.x.zip


Always, if you use POST or GET, do this:

    $my_post_value = remove_unsecure_rptags($_POST['my_value']);
    $my_get_value  = remove_unsecure_rptags($_GET['my_value']);

This is also possible; it additionally strips all HTML tags:

    $my_post_value = combined_POST_cleaning($_POST['my_value']);
    $my_get_value  = combined_POST_cleaning($_GET['my_value']);

I will implement better checking for the old formmailer and try to make a code audit to find other problematic code.

If you think I should check something you might find insecure please tell me.


Please check these 2 points:
  1. Use the new form generator; if you do so, you can delete include/inc_act/act_formmailer.php
  2. Delete the directory phpwcms_code_snippets; it is not used anywhere by phpwcms
I will also release an updated 1.1-RC4 release.

regards
Oliver
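The line bugreporter quoted earlier, render_PHPcode(clean_slweg($_POST['nome_evento'])), and the input-cleaning advice in this last post both come down to one question: does request data ever reach an eval()? The following is an added example, not phpwcms code and not written by anyone in this thread. render_PHPcode_vulnerable() and clean_slweg_stub() are stand-ins whose internals are assumptions (the [PHP]...[/PHP] marker syntax, eval() as the execution mechanism, slash-stripping plus trim); EVENT_SNIPPETS, render_event_text() and the sample $post array are constructed. The hardened path keeps the request as data: it selects one of a fixed set of server-side texts and nothing the visitor sends is ever executed. Cleaning helpers such as tag stripping reduce exposure, but the durable fix is that no code path evaluates the request at all.

```php
<?php
// Added example, not phpwcms code. Models the reported pattern
//   render_PHPcode(clean_slweg($_POST['nome_evento']));
// and the replacement in which request data is only ever a lookup key.
declare(strict_types=1);

// Stand-in for render_PHPcode(): text between [PHP] and [/PHP] is executed.
// The marker syntax and the use of eval() are assumptions about the original,
// made only to reproduce the behaviour described in the thread.
function render_PHPcode_vulnerable(string $text): string
{
    return (string) preg_replace_callback(
        '/\[PHP\](.*?)\[\/PHP\]/s',
        static function (array $m): string {
            ob_start();
            eval($m[1]);                 // whatever the visitor typed now runs
            return (string) ob_get_clean();
        },
        $text
    );
}

// Stand-in for clean_slweg(), assumed to strip slashes and trim. Cleaning of
// this kind changes the bytes but not the fact that they reach eval().
function clean_slweg_stub(string $s): string
{
    return trim(stripslashes($s));
}

// Hardened: the visitor picks a key; the texts live in server-side code.
const EVENT_SNIPPETS = [
    'default'  => 'Thank you, your message was received.',
    'workshop' => 'Thank you for registering for the workshop.',
];

function render_event_text(string $requested): string
{
    // Only short lowercase identifiers are even considered as keys; anything
    // else, including the payload below, falls back to the default text.
    $key = preg_match('/^[a-z_]{1,32}$/', $requested) === 1 ? $requested : 'default';
    return EVENT_SNIPPETS[$key] ?? EVENT_SNIPPETS['default'];
}

// Constructed request: a field that is supposed to hold an event name.
$post = ['nome_evento' => '[PHP]echo "code from the request ran: ", 6 * 7;[/PHP]'];

// Vulnerable path: the request body executes as PHP, cleaning or not.
echo render_PHPcode_vulnerable(clean_slweg_stub($post['nome_evento'])), PHP_EOL;

// Hardened path: the same bytes are just an unknown key, so the default text
// is returned; a known key selects the matching server-side snippet.
echo render_event_text(clean_slweg_stub($post['nome_evento'])), PHP_EOL;
echo render_event_text('workshop'), PHP_EOL;
```

The payload here only prints a line, but anything eval() can do in the web server's context is reachable through the same channel, which is how the thread's reporter could read conf.inc.php and insert an admin row. When auditing a code base for this class of bug, search for eval(), create_function(), preg_replace() with the deprecated /e modifier and include/require with variable paths, and trace each one back to see whether a request parameter can influence its argument.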