security report 3.1.2

[shawn_a]

http://packetstormsecurity.com/files/119298

Anyone have a clue what this is about, I am busy.

[n00dles101]

been hacking away at this for the last couple f hours and I can't get this to work at all.

Unless your logged in and you can upload this file/functions to your web folder, even then I can't get any commands to run.

[shawn_a]

I don't really get it, but I haven't really looked at it.
We salt our cookies, so how can you fake them with just the cookie_name ? Unless there is a bug with the global salt.
And you have to know the user name I would think.

[shawn_a]

hmm maybe, if GSDATAOTHERPATH .'authorization.xml' does not exist or is empty.
Then the salt is sha1($SITEURL) and predictable.
Oh and you are not using GSUSECUSTOMSALT as highly recommended in instructions.

[shawn_a]

If anyone else sees anything please let us know.

[shawn_a]

Mediation of cookie spoofing suggestions are as follows.

Make sure you are using a SALT in your install.

Check for data/other/authorization.xml
This should have been created during install, its possible there is an issue and that this is missing for some, please check your sites and let us know.

The safest bet is follow the wiki on securing your site, and use a custom salt in your config.

The code execution issue is only for authenticated users.

Alternativly you can modify the default salt used in 3.1.2

admin/inc/common.php #147

PHP Code:

$SALT = sha1($SITEURL); 


And change that to something unpredictable sha1('somerandomstring');
Or add a nice die('Critical File Missing');

[Connie]

I informed in the german sub-forum and I added this info to the News and the configuration info at www.get-simple.de

[D.O.]

Just out of curiosity:
Is the person who posted this "security patch" a member of this forum?

His blogspot sounds Italian/Polish...
http://hauntit.blogspot.it/2012/12/en-5-...e-312.html

[HauntIT]

Just out of curiosity:
Is the person who posted this "security patch" a member of this forum?

His blogspot sounds Italian/Polish...
http://hauntit.blogspot.it/2012/12/en-5-...e-312.html

Hi D.O. and others here. I'm surprised that you're reading my blog, thanks

D.O. - answer is: after reading your post - yes.

I'm from Poland, like you said. Anyway, let me know what questions do you have here, at pm(s) or at mail (added here to profile page for contact).

I can send you all 5 sploits for those bugs if you want to test your servers.

Let me know

Best regards,
Jakub

[D.O.]

Hi HauntIT, welcome then.
No question for now, thank you.
I am used to wait the official channels.

Just out of curiosity:
Is the person who posted this "security patch" a member of this forum?

His blogspot sounds Italian/Polish...
http://hauntit.blogspot.it/2012/12/en-5-...e-312.html

Hi D.O. and others here. I'm surprised that you're reading my blog, thanks

D.O. - answer is: after reading your post - yes.

I'm from Poland, like you said. Anyway, let me know what questions do you have here, at pm(s) or at mail (added here to profile page for contact).

I can send you all 5 sploits for those bugs if you want to test your servers.

Let me know

Best regards,
Jakub

[HauntIT]

Ok D.O.

If you need anything - just let me know. I will answer asap.

By the way, if you want few more informations about bugs I found in latest GetSimple, let me know too (maybe here is person with who I can talk directly about building/testing patch?).

Best regards,
Jakub

Hi HauntIT, welcome then.
No question for now, thank you.
I am used to wait the official channels.

Just out of curiosity:
Is the person who posted this "security patch" a member of this forum?

His blogspot sounds Italian/Polish...
http://hauntit.blogspot.it/2012/12/en-5-...e-312.html

Hi D.O. and others here. I'm surprised that you're reading my blog, thanks

D.O. - answer is: after reading your post - yes.

I'm from Poland, like you said. Anyway, let me know what questions do you have here, at pm(s) or at mail (added here to profile page for contact).

I can send you all 5 sploits for those bugs if you want to test your servers.

Let me know

Best regards,
Jakub

[Connie]

By the way, if you want few more informations about bugs I found in latest GetSimple, let me know too (maybe here is person with who I can talk directly about building/testing patch?).

well, we have a lot of communication possibilities here and if you read the posts you will find where you can post your information. You can also adress the developers here by posting. There is a section "Developer Discussions"

please do not announce many offers but adress r´the devs there!

PS: please do not copy all former posts in your posts, that makes everything really unreadable.

[HauntIT]

Ok, no problem

One more thing to mention:
I've talked with n00dles101 ("GetSimple Support Forum Staff")
who asked me about those 4 more exploits.

I've send them to him.

Let me know if I can help with anything

Cheers!
o/

(...)

[shawn_a]

Good catch on the lang.
I checked for get exploits in my 3.2 audit, but missed this post traversal issue.

Ill roll that fix in to 3.2beta.

We will discuss a 3.1.3 patch release, but alot of fundamental flaws were fixed in 3.2 already.

I also found that we are not catching salt generation failures on install, which would allow the cookie issue to occur.
SVN already has a fix, I will probably add it to 3.2beta today.
We will also fatally die if there is no valid salt.

I am going to assume this issue only occurs on local installs or portable drives or windows hosts. I cannot reproduce a failure of creation of authorization.xml, but since there is no catch for its failure, it is important for everyone to check their installs.

We will probably also make sure health check contains a check for this stuff. Maybe we can patch it to for 3.1.2 for statuses.

I am going to say that the occurrence and exploit-ability of this cookie spoofing is probably very very low.

As for the drive by xss attacks on the lang exploits, there are a few others that are not protected by nonces, and pretty vulnerable to targeted attacks. So as with anything I suggest you avoid web browsing when you are using an
authenticated session. And do click unknown links when logged in to secure sites, as with anything.

[shawn_a]

HauntIT, I appreciate your assistance finding anything else.

I would love to know how your test setup got to this state that it is missing the salt.
Was this a fresh install, an upgrade from x -> x, I would like to nail down or at least identify who might be at risk.

Did you wipe your data directories at some point ?

Is this windows, do we have a path slash issue on install.php.

There are many variables and your exploit post does not detail configuration.

[HauntIT]

shawn_a: thanks for checking all of it. Very good job!

Now your answers:
- I'm doing a lot of webapplication penetration testing, bug hunting, etc etc, and once uppon a day I found at sourceforge 'GetSimple CMS', when I was looking for 'php mysql cms'.
- next was checking if this version from sourceforge = your-latest-version at this site (get-simple.info).
- next when I confirmed that this is 'latest' once, I've downloaded it, and install on my Ubuntu 12.04 box (with Apache and PHP - if you need version I can check it too, but it was default ubuntu installation).
- next: cache/history/cookies was cleared, firefox was restarted.
- exploit(s) work fine ;P

Let me know if you need more details. Mike has a directly contact to me, so you can also mail me (because, from now to tommorow I'll be offline).

Also: as my post at blog was about 'vulnerability' - let me know when patched version will be available cuz I want to add to post information about your work (as I described it for example for Concrete5 CMS or Joomla, etc etc...)

Cheers,
Jakub o/

HauntIT, I appreciate your assistance finding anything else.

I would love to know how your test setup got to this state that it is missing the salt.
Was this a fresh install, an upgrade from x -> x, I would like to nail down or at least identify who might be at risk.

Did you wipe your data directories at some point ?

Is this windows, do we have a path slash issue on install.php.

There are many variables and your exploit post does not detail configuration.

[shawn_a]

hmm, not sure we have code hosted at sourceforge. Official repo was google and is now github.
official download is on download page.

Any warnings on install page? Any red on health check ?

[shawn_a]

hauntIT
Can you post a dir listing of the files in your data/other also please.
also have you reinstalled again to see if its reproducible.

[shawn_a]

So it turns out that GS does not use
GSUSECUSTOMSALT as expected.

http://get-simple.info/wiki/security
"If you choose, you can alternatively replace the salt value you received at setup with something you create"
Is wrong. In fact both of those entries are misleading and wrong.

It is only used at install, and copied into the authorization.xml file instead of a randomly generated one.
So you must still check your installs for authorization.xml and make sure it contains an api key hash.

The above will not help you now unless you reinstall.

(note: I changed this behavior to match the wiki in SVN as of yesterday, GSUSECUSTOMSALT will always be used over authorization.xml )

Connie, can you update the DE post.

[HauntIT]

Hi shawn_a, two things:
1. you asked about my dirlist - no problem but not now because all of 'testing data/files' I have at my box at home - right now I'm@work.

2.

http://get-simple.info/wiki/security

Can I update my post at blog with this link?
It could helps few people imo.

(If you want: send me an email and I will send you back all infos you want )

Best regards,
Jakub

[shawn_a]

I would like to know how legitimate this cookie exploit is. I do not care about the others.

It seems it is an invalid exploit as we cannot reproduce.

It makes a critical assumption that the install is not using salted cookies.
We find that this is not the case, however it is possible if a file was removed as there is no fatal warnings and the fallback salt is indeed siteurl.

The lang post insertions is also not reproducible.
We use nonces for settings.php we also have a post['submitted'] evaluation.
Neither are present in your exploit. Even if CSRF protection was voluntarily turned off, it would still not work.

On a properly configured install that is indeed 3.1.2 this proof does not work.

Unless there is something essential missing from the public exploit feel free to pm me.
Also if you want to zip up that entire install and send it to me I would be willing to look at it.

[n00dles101]

Agreed this really is no threat to a standard install of GS312

Code as published will not work on a standard install of GetSimple 3.1.2

I have been able to get something working but I've had to delete the authorization.xml file and turn off GSNOCSRF in gsconfig and add the missing cookies and POST variables.

Author of the exploit also has some changes made to php.ini on his local build to turn off some security settings to help with his security testing. Quote: 'for example display_error or register_globals (etc,etc) set to 'On' (to get more errors durning pentest/src audit).'

AS for executing a command I've been unable to do this either. I have been able to include a rouge PHP file, but i'd have to have access to your server first to be able to do this.

So all in all I'm unconvinced that this 'exploit' poses any threat to GetSimple.

[shawn_a]

oh yeah with globals on anything is exploitable, I beleive globals is deprecated in 5.3
No-one should be running a server with register globals on.

[D.O.]

So, in short words, it was only a false allarm, right?

[n00dles101]

@D.O. Yes, looks like the exploit was only proof of concept and only works when security and certain conditions, which would not normally be set in a standard install are met.