Opened 11 years ago

Closed 11 years ago

#1518 closed defect (fixed)

Month of PHP Security - Serious Xinha Security Hole

Reported by: guest Owned by: gogo
Priority: normal Milestone: 0.96
Component: Xinha Core Version: trunk
Severity: blocker Keywords:

Description (last modified by gogo)


the following security vulnerability in Xinha will be disclosed ALREADY ON THIS TUESDAY as part of Month of PHP Security.

The problem is that the whole way Xinha passes configuration to the plugins is insecure and broken.

The following code is supposed to be secure but is not.

function xinha_read_passed_data()
if(isset($_REQUEST['backend_data']) && is_array($_REQUEST['backend_data']))
$bk = $_REQUEST['backend_data'];
if(!isset($_SESSION[$bk['key_location']])) return NULL;
if($bk['hash']         ===
function_exists('sha1') ?
sha1($_SESSION[$bk['key_location']] . $bk['data'])
: md5($_SESSION[$bk['key_location']] . $bk['data']))
return unserialize(ini_get('magic_quotes_gpc') ? stripslashes($bk['data']) : $bk['data']);
return NULL;

All an attacker needs to submit his own configuration is.

backend_data = array(
"session_name" => "PHPSESSID",
"key_location" => "some_session_key_from_the_main_app_that_we_know_like_eg_the_copy_of_user_agent_string_or_ip_of_user...",
"data" => serialize( ... A NEW CONFIGURATION ... ),
"hash" => sha1(KNOWN_SESSION_DATA . $data)

And the same attack is possible against the "old method" stored in all the files of all the plugins.

Therefore an attacker can simply overwrite the configuration and upload any file to any writable directory on the webserver, or just include arbitrary files/URLs......

Example of a vulnerable application is the Serendipity WebLog?.

Stefan Esser

Change History (6)

comment:1 Changed 11 years ago by guest

  • Severity changed from normal to blocker

comment:2 Changed 11 years ago by guest

Stefan's right.

I guess Xinha should force key_location to be (currently random) Xinha:BackendKey or at least something from Xinha: namespace and disallow passing the key location by the remote client (as he can choose whatever he wants).

comment:3 Changed 11 years ago by gogo

  • Description modified (diff)


If a non default keylocation is used, it must also be supplied where the data is read.


The same for ImageManager?, ExtendedFileManager?'s deprecated methods.

comment:4 Changed 11 years ago by gogo

  • Description modified (diff)

comment:5 Changed 11 years ago by gogo

Retro Patch

For those who are unable to use the current trunk (I advise it, although it may be a bit buggy especially in IE), here are the steps to patch this issue.

Download this file:

Save to: (your xinha folder)/contrib/php-xinha.php (replace the existing)

Edit file: (your xinha folder)/plugins/ImageManager/

Find: elseif(isset($_REQUEST['backend_config']))
Replace: elseif(0 && isset($_REQUEST['backend_config']))

Edit file: (your xinha folder)/plugins/ExtendedFileManager/

Find: elseif(isset($_REQUEST['backend_config']))
Replace: elseif(0 && isset($_REQUEST['backend_config']))

This will disable the deprecated configuration method in your ImageManager/ExtendedFileManager?, if you are using that old method (you'll soon find out when ImageManager/ExtendedFileManager? stop working for you) then you will need to update your usage according to ImageManager? and ExtendedFileManager? wiki pages.

comment:6 Changed 11 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.