Ticket #1518 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

Month of PHP Security - Serious Xinha Security Hole

Reported by: guest Owned by: gogo
Priority: normal Milestone: 0.96
Component: Xinha Core Version: trunk
Severity: blocker Keywords:
Cc:

Description (last modified by gogo) (diff)

Hello,

the following security vulnerability in Xinha will be disclosed ALREADY ON THIS TUESDAY as part of Month of PHP Security.

The problem is that the whole way Xinha passes configuration to the plugins is insecure and broken.

The following code is supposed to be secure but is not. 

function xinha_read_passed_data()
{
if(isset($_REQUEST['backend_data']) && is_array($_REQUEST['backend_data']))
{
$bk = $_REQUEST['backend_data'];
session_name($bk['session_name']);
@session_start();
if(!isset($_SESSION[$bk['key_location']])) return NULL;
if($bk['hash']         ===
function_exists('sha1') ?
sha1($_SESSION[$bk['key_location']] . $bk['data'])
: md5($_SESSION[$bk['key_location']] . $bk['data']))
{
return unserialize(ini_get('magic_quotes_gpc') ? stripslashes($bk['data']) : $bk['data']);
}
}
	   
return NULL;
}

All an attacker needs to submit his own configuration is. 

backend_data = array(
"session_name" => "PHPSESSID",
"key_location" => "some_session_key_from_the_main_app_that_we_know_like_eg_the_copy_of_user_agent_string_or_ip_of_user...",
"data" => serialize( ... A NEW CONFIGURATION ... ),
"hash" => sha1(KNOWN_SESSION_DATA . $data)
);

And the same attack is possible against the "old method" stored in all the config.inc.php files of all the plugins.

Therefore an attacker can simply overwrite the configuration and upload any file to any writable directory on the webserver, or just include arbitrary files/URLs......

Example of a vulnerable application is the Serendipity WebLog?.

Yours, Stefan Esser

Change History

Changed 2 years ago by guest

  • severity changed from normal to blocker

Changed 2 years ago by guest

Stefan's right.

I guess Xinha should force key_location to be (currently random) Xinha:BackendKey or at least something from Xinha: namespace and disallow passing the key location by the remote client (as he can choose whatever he wants).

Changed 2 years ago by gogo

  • description modified (diff)

changeset:1251

If a non default keylocation is used, it must also be supplied where the data is read.

changeset:1252

The same for ImageManager, ExtendedFileManager's deprecated methods.

Changed 2 years ago by gogo

  • description modified (diff)

Changed 2 years ago by gogo

Retro Patch

For those who are unable to use the current trunk (I advise it, although it may be a bit buggy especially in IE), here are the steps to patch this issue.

Download this file: http://trac.xinha.org/export/1257/trunk/contrib/php-xinha.php

Save to: (your xinha folder)/contrib/php-xinha.php (replace the existing)

Edit file: (your xinha folder)/plugins/ImageManager/config.inc.php

Find: elseif(isset($_REQUEST['backend_config'])) Replace: elseif(0 && isset($_REQUEST['backend_config']))

Edit file: (your xinha folder)/plugins/ExtendedFileManager/config.inc.php

Find: elseif(isset($_REQUEST['backend_config'])) Replace: elseif(0 && isset($_REQUEST['backend_config']))

This will disable the deprecated configuration method in your ImageManager/ExtendedFileManager?, if you are using that old method (you'll soon find out when ImageManager/ExtendedFileManager? stop working for you) then you will need to update your usage according to ImageManager and ExtendedFileManager wiki pages.

Changed 2 years ago by gogo

  • status changed from new to closed
  • resolution set to fixed
Note: See TracTickets for help on using tickets.