PROBLEM A critical vulnerability in GetSimple 3.3.15 ?

[navitonaj]

Hello,

I fell on it:

https://www.mag-securs.com/alertes/artmi...ation.aspx !!!
 

Should we be afraid of it?
   
 
Thank you in advance for your opinion on the issue.


[Attachment = 862]

[shawn_a]

Is it this? https://github.com/GetSimpleCMS/GetSimpl...ssues/1305

[shawn_a]

Yes it is it basically says if you know the password you can execute php code , its fucking stupid.
This CVE should not have been issued as Critical as it relies on a premis of

"However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure."

"If a someone leaks the API key and the admin username, then they can bypass authentication. "

https://nvd.nist.gov/vuln/detail/CVE-2019-11231

Users are required to secure their own xml files..

[shawn_a]

We can add a check to GS that would check if files are publicly accessible, and shut gs down entirely.

I mean the alternative is to make sure users can move these files above public, or lock them down some other way.
We also have chmod rules which can be added or adjusted

[shawn_a]

apache 2.3.9

[Felix]

Code:

Example to Protect system files for Apache versions older than 2.4:

<FilesMatch "\.(inc|info|info\.json|module|sh|sql)$|^(\..*)$">
 Order allow,deny
</FilesMatch>
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

I will post more examples for GS system files

[Felix]

We can add a check to GS that would check if files are publicly accessible, and shut gs down entirely.

Very good idea. I will google for example code.

[shawn_a]

The problem is most php systems lock down file open over http for security.

[shawn_a]

The best option is to convert all blocking rules to mod rewrite rules in root, should be pretty easy

[shawn_a]

But I doubt anyone using a shared host has access to apache config and most host should have htaccess enabled no? How else are users to config their sites?

[Felix]

If a webmaster does not have access to apache config, then it can be asked through the hosting support.
Most cpanels access allow to move files above the public html root.

[shawn_a]

Have you ever had to deal with a shared host, special requests?
heh yeah lets avoid that one for users

[shawn_a]

I am a big fan of php side, js side fallback health check or upgrade check if we can get to sensitive files or detect that overrides is off? Then we can lock down all permissions and warn user that it needs to be remedied and passwords changed.

Another option is to allow moving a hash or salt into a php global via apache or somehow making sure it cannot be fetched or exists in any file in public

[Felix]

Here is to protect system files for Apache versions 2.4 and newer:
(I also added xml) Put this code in the .htaccess file
that resides in the root of your website

Code:

<FilesMatch "\.(inc|xml|info|info\.json|module|sh|sql)$|^(\..*)$">
   Require all denied
</FilesMatch>
<Files .htaccess>
   Require all denied
</Files>

[Felix]

To prevent certain files to be included by attack or remote scripts,
please read this article, especially the part with the function blockit(),
and the part on the bottom to prevent XSS-style attacks.

https://php.net/manual/en/function.get-i...-files.php

=====================================

And then there is also this strategy:

Check how many included files are there...

if(count(get_required_files()) < 2) { die(); }

Or how many minimum there should be rather than 2

[shawn_a]

Yeah the problem is this blocks theme xml files, we tried this before, I guess this is ok and users will have to explicitly allow specific file names if they need it

[Felix]

Thanks for the reply on this Shawn. I didn't know this.
I will try out all possible variations and see which ones
work best. I will post back about it.

[shawn_a]

Yeah I think a few people were using a MVC theme and it used xml files and js

[navitonaj]

Hi,
If I understood everything (thanks to the automatic translation google), it's not so serious, but possibly a little when even if we do nothing ...
Thanks @shawn_a and @Felix for these explanations and first troubleshooting solutions ...

[Felix]

Hi Navitonaj,

If you do a research with Google you will not find any news about GS websites that have been exploited.
Compare that to the news about the so called "most popular cms" out there ( I won't mention any name
to avoid a flame war) then you will know that GS is very safe to use.
All that we are doing here in this thread is to discuss new ways how to make it even more harder for attackers
to exploit websites made with GS.

[shawn_a]

If you run a gs site you should make sure your data directories are protected via htaccess and have strict permissions only for php and not public etc

[datiswous]

If you run a gs site you should make sure your data directories are protected via htaccess and have strict permissions only for php and not public etc

Is this documented enough? I always assume GS installation takes care of the correct htaccess files.

[Felix]

Is this documented enough? I always assume GS installation takes care of the correct htaccess files.

I think what Shawn means is, if after you have installed GS and are going to add your own custom directories,
then you have to protect them your self with a .htaccess file.

You can do that in the root .htaccess like this:

Code:

RedirectMatch 403 ^/folder/?$

This will block direct access to http://yourdomain.com/folder/
and return a 403 forbidden error

Or you can do it by putting a .htaccess protection file inside each separate directory
adding the following lines:

Code:

Order Allow,Deny
Deny from all

<FilesMatch "\.(jpg|gif|png)$">
Order Deny,Allow
  Allow from all
</FilesMatch>

This will block direct access but will still allow access to pictures with jpg gif and png format.
Feel free to change this to your own needs.

=======================================================

Note:
Please be strongly advised to always test thoroughly your own .htaccess protection files
before using them in your online website.

[datiswous]

Thanks, I just thought that this kind of info, including adviced permission settings would be nice in the wiki (docs).

[Felix]

Thanks, I just thought that this kind of info, including adviced permission settings would be nice in the wiki (docs).

Yes I totally agree. This info, together with adviced chmods should be added to the Wiki.
Or maybe add it to a GS installation, or include it with a read me first text file ?
I think Shawn should give someone permission to update the Wiki and also to remove
spam from the forum.