PROBLEM: A critical vulnerability in GetSimple 3.3.15?
#1
Hello,

I came across this:

https://www.mag-securs.com/alertes/artmi...ation.aspx !!!

Should we be afraid of it?
Thank you in advance for your opinion on the issue.


#2
Is it this? https://github.com/GetSimpleCMS/GetSimpl...ssues/1305
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#3
Yes it is. It basically says if you know the password you can execute PHP code, it's fucking stupid.
This CVE should not have been issued as Critical as it relies on a premise of

"However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure."

"If a someone leaks the API key and the admin username, then they can bypass authentication. "

https://nvd.nist.gov/vuln/detail/CVE-2019-11231

Users are required to secure their own XML files.
- Shawn A aka Tablatronix
#4
We can add a check to GS that would check if files are publicly accessible, and shut GS down entirely.

I mean the alternative is to make sure users can move these files above public, or lock them down some other way.
We also have chmod rules which can be added or adjusted.
- Shawn A aka Tablatronix
#5
apache 2.3.9
- Shawn A aka Tablatronix
#6
Example to protect system files for Apache versions older than 2.4:

Code:
# Apache 2.2 syntax: "Order allow,deny" with no Allow directive already denies
# every request; "Deny from all" makes that explicit.
<FilesMatch "\.(inc|info|info\.json|module|sh|sql)$|^(\..*)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

I will post more examples for GS system files.
#7
Quote: We can add a check to GS that would check if files are publicly accessible, and shut gs down entirely.

Very good idea. I will google for example code.
#8
The problem is most PHP systems lock down file open over HTTP for security.
- Shawn A aka Tablatronix
#9
The best option is to convert all blocking rules to mod_rewrite rules in root; should be pretty easy.
- Shawn A aka Tablatronix
#10
But I doubt anyone using a shared host has access to the Apache config, and most hosts should have .htaccess enabled, no? How else are users to configure their sites?
- Shawn A aka Tablatronix
#11
If a webmaster does not have access to the Apache config, then it can be requested through hosting support.
Most cPanel accounts allow moving files above the public_html root.
#12
Have you ever had to deal with a shared host and special requests?
Heh, yeah, let's avoid that one for users.
- Shawn A aka Tablatronix
#13
I am a big fan of a PHP-side (JS-side fallback) health check or upgrade check: can we get to sensitive files, or detect that overrides are off? Then we can lock down all permissions and warn the user that it needs to be remedied and passwords changed.

Another option is to allow moving a hash or salt into a PHP global via Apache, or somehow making sure it cannot be fetched or exist in any file in public.
- Shawn A aka Tablatronix
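One way to implement the PHP-side health check Shawn describes, as an added example that is not part of this thread or of GetSimple's code base; the function name, the site URL and the data path are assumptions, and data/users/admin.xml is the file named in the CVE discussion:

```php
<?php
// Added example, not GetSimple's own code: ask the web server for the site's
// own data files over HTTP and return the ones that come back world-readable,
// so the site can be locked down and the admin told to fix .htaccess and
// change passwords. Function name, $siteUrl and $dataDir are hypothetical.

function gs_publicly_readable_files(string $siteUrl, string $dataDir, array $relPaths): array
{
    $exposed = [];
    foreach ($relPaths as $rel) {
        $local = rtrim($dataDir, '/') . '/' . $rel;
        if (!is_file($local)) {
            continue; // nothing on disk to protect
        }
        $ch = curl_init(rtrim($siteUrl, '/') . '/data/' . $rel);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // a redirect is not a leak
            CURLOPT_TIMEOUT        => 5,
            CURLOPT_USERAGENT      => 'gs-self-check',
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        // 403/404 means the .htaccess rules work. Compare bodies so that a
        // custom "not found" page served with 200 is not mistaken for a leak.
        if ($status === 200 && $body !== false && $body === file_get_contents($local)) {
            $exposed[] = 'data/' . $rel;
        }
    }
    return $exposed;
}

// Usage at admin-login or upgrade time (hypothetical site URL and data path).
$exposed = gs_publicly_readable_files(
    'https://example.com',
    __DIR__ . '/data',
    ['users/admin.xml']   // extend with any other sensitive file kept under data/
);
if ($exposed !== []) {
    error_log('GetSimple self-check: publicly readable files: ' . implode(', ', $exposed));
    http_response_code(503);
    exit('Site disabled: data files are publicly accessible. Fix .htaccess and change all passwords.');
}
```

Running this from the server itself exercises the same .htaccess rules a visitor would hit, so it also catches a host where AllowOverride is off.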
#14
Here is how to protect system files for Apache versions 2.4 and newer
(I also added xml). Put this code in the .htaccess file
that resides in the root of your website.

Code:
# Apache 2.4 syntax: "Require" replaces the 2.2 Order/Allow/Deny directives.
<FilesMatch "\.(inc|xml|info|info\.json|module|sh|sql)$|^(\..*)$">
   Require all denied
</FilesMatch>
<Files .htaccess>
   Require all denied
</Files>
#15
To prevent certain files from being included by attacks or remote scripts,
please read this article, especially the part with the function blockit(),
and the part at the bottom on preventing XSS-style attacks.

https://php.net/manual/en/function.get-i...-files.php

=====================================

And then there is also this strategy:

Check how many included files are there...

if(count(get_required_files()) < 2) { die(); }

Or however many there should be at minimum, rather than 2.
#16
Yeah, the problem is this blocks theme XML files; we tried this before. I guess this is OK and users will have to explicitly allow specific file names if they need it.
- Shawn A aka Tablatronix
#17
Thanks for the reply on this Shawn. I didn't know this.
I will try out all possible variations and see which ones
work best. I will post back about it.
#18
Yeah, I think a few people were using an MVC theme and it used XML files and JS.
- Shawn A aka Tablatronix
#19
Hi,
If I understood everything (thanks to Google's automatic translation), it's not so serious, but possibly a little, all the same, if we do nothing ...
Thanks @shawn_a and @Felix for these explanations and first troubleshooting solutions ...
#20
Hi Navitonaj,

If you do a search with Google you will not find any news about GS websites that have been exploited.
Compare that to the news about the so-called "most popular CMS" out there (I won't mention any name
to avoid a flame war) and you will see that GS is very safe to use.
All that we are doing here in this thread is discussing new ways to make it even harder for attackers
to exploit websites made with GS.
#21
If you run a GS site you should make sure your data directories are protected via .htaccess and have strict permissions, only for PHP and not public, etc.
- Shawn A aka Tablatronix
#22
(2019-06-22, 01:49:52) shawn_a Wrote: If you run a GS site you should make sure your data directories are protected via .htaccess and have strict permissions, only for PHP and not public, etc.

Is this documented enough? I always assume the GS installation takes care of the correct .htaccess files.
#23
Quote: Is this documented enough? I always assume the GS installation takes care of the correct .htaccess files.

I think what Shawn means is, if after you have installed GS you are going to add your own custom directories,
then you have to protect them yourself with a .htaccess file.

You can do that in the root .htaccess like this:

Code:
# ^/folder(/|$) matches the directory and every file beneath it;
# ^/folder/?$ would match only the directory URL itself and leave
# http://yourdomain.com/folder/file.xml reachable.
RedirectMatch 403 ^/folder(/|$)


This will block direct access to http://yourdomain.com/folder/
and return a 403 Forbidden error.

Or you can do it by putting a .htaccess protection file inside each separate directory,
adding the following lines:

Code:
# Apache 2.2 syntax: deny everything in this directory ...
Order Allow,Deny
Deny from all

# ... except images, which are still served.
<FilesMatch "\.(jpg|gif|png)$">
Order Deny,Allow
  Allow from all
</FilesMatch>

This will block direct access but will still allow access to pictures in jpg, gif and png format.
Feel free to change this to your own needs.

=======================================================

Note:
Please be strongly advised to always test your own .htaccess protection files thoroughly
before using them on your live website.
#24
Thanks, I just thought that this kind of info, including advised permission settings, would be nice in the wiki (docs).
#25
Quote: Thanks, I just thought that this kind of info, including advised permission settings, would be nice in the wiki (docs).

Yes, I totally agree. This info, together with advised chmods, should be added to the Wiki.
Or maybe add it to a GS installation, or include it with a read-me-first text file?
I think Shawn should give someone permission to update the Wiki and also to remove
spam from the forum.



