Important! Vulnerability Found in GetSimple 2.03

[ccagle8]

Until we have this fixed with the 3.0 release, please delete /admin/upload-ajax.php from any and all of your installations of GetSimple.

Some hacksters found a way to upload a file without being logged in - not sure how yet, but right now, this is the best way to avoid being hacked.

Sorry about this, but some people have to try and ruin it for everyone... More to come shortly...

[madvic]

just delete this file ?
no problem with GS after this ?

[ccagle8]

yep - as far as I know right now

[ccagle8]

http://code.google.com/p/get-simple-cms/..._svn204_34

instead of deleting upload-ajax.php you can also make the change above to your cookie_functions.php file.

[juliancc]

Chris is this notice just for 2.03 or also anything below 2.03?

[ccagle8]

2.03, but anything below could be effected too.

But to be honest, with almost every release of GS, we've fixed some type of vulnerability... so 2.01 was already insecure to a point.

[RobA]

ccagle8 wrote:http://code.google.com/p/get-simple-cms/..._svn204_34

instead of deleting upload-ajax.php you can also make the change above to your cookie_functions.php file.

Replacing the function using the SVN code:

Code:

function kill_cookie($identifier) {
  global $SALT;
  $saltCOOKIE = sha1($identifier.$SALT);
  if (isset($_COOKIE[$saltCOOKIE])) {
    if ( defined('GSCOOKIEISSITEWIDE') && (GSCOOKIEISSITEWIDE == TRUE) ) {
       $_COOKIE[$saltCOOKIE] = FALSE;
       setcookie($saltCOOKIE, FALSE, time() - 3600,'/');    
    } else {
       $_COOKIE[$saltCOOKIE] = FALSE;
       setcookie($saltCOOKIE, FALSE, time() - 3600);
    }
  }
}

gives me:

Quote:Parse error: syntax error, unexpected T_IF in /home/cartocop/testbed/admin/inc/cookie_functions.php on line 41

Line 41 is the "if defined" line.

Any other suggestions?

-Rob A>

[ccagle8]

I just fixed gs.info and i am not getting that error... can you verify you copied the right code (w/o line numbers etc.)?

http://get-simple-cms.googlecode.com/svn...ctions.php

[RobA]

ccagle8 wrote:I just fixed gs.info and i am not getting that error... can you verify you copied the right code (w/o line numbers etc.)?

http://get-simple-cms.googlecode.com/svn...ctions.php

Thanks for the direct link. I got it from here initially:
http://code.google.com/p/get-simple-cms/...php?edit=1

I'm guessing copying from there introduced some non-printing characters.

[marrco]

thx !

is this vulnerability present in 2.04 beta too?

and, by the way, why don't you setup a security announce mailing list ?

[Joshas]

Will there be 2.03 security release?

[ccagle8]

The current svn is fixed. I will release 2.03.1 early today as a quick security release. I will also cut a new beta release that takes into effect the latest svn fix as well.

[ccagle8]

The downloads have been udpated, and the new stable version is 2.03.1. If you don't feel like upgrading, you can just make the change mentioned here.

[yojoe]

marrco wrote:thx !

is this vulnerability present in 2.04 beta too?

and, by the way, why don't you setup a security announce mailing list ?

I see that 2.04b contains fixed kill cookie function, so no worries.

[ccagle8]

well, 2.04B became 3.0 after we decided that there were just too many updates in it to make it a minor release. So to be honest, 2.04 was always BETA, and will never be a real release.

3.0 should be fixed now... as well as the 2.03.1 patch release that was just sent out

[schwoortz]

If I simply delete /admin/upload-ajax.php then the upload-functionality won't work anymore, right?

[ccagle8]

yes, thats the only part of the installation that wouldnt work. You can also make this change in lieu of deleting that file...

[s3t]

Is there a way to subscribe to such emergency situations? Email or RSS...

It should prevent mass site hacking in future
I had to remove "Powered by GetSimple" due to this issue - to prevent the google-hackers from finding my site in such occasions.

The drawback is if the vulnerability is "private", then, by publishing security fix, it will become public.