r184 problems
#1
Hello,
I've tried the development version r184; here are the bugs I've encountered.

Edit: the forum cut my message in half, so I'm putting it into the attachment
#2
tankmiche Wrote: Please excuse me for this post, as it is not in any way intended to be offensive.
No way a bug report is going to be offensive. We want to fix bugs just as much as anyone else.

tankmiche Wrote: I definitely can help fixing a new secure contact form, which appears to be gone with r184.
If you want a contact form, create a plugin. We decided some time ago that we would no longer be shipping a contact form within the core at all.

tankmiche Wrote: In data/uploads/.htaccess:
- Line "Options -Indexes" makes every image give an "error 500: server misconfiguration". Probably it's just my hosting, though.
Very probably your server, although I've never encountered an Apache server that was unable to use "Options -Indexes". (It stops the server from displaying all the content of data/uploads/ in case I visit the folder in my browser.)

tankmiche Wrote: In admin/components.php:
- The PoC for XSS from http://seclists.org/bugtraq/2010/May/234 still works on the latest dev version. Probably needs a nonce?
Weird, I thought Chris had this one fixed some time ago. I’ll look into it again, thanks for bringing it to our attention.

tankmiche Wrote: In admin/inc/xss.php:
I can see the purpose of this file and XSS protection, though I don't understand the need for regexes. Why not sanitize user input directly with htmlspecialchars?
Because htmlspecialchars disables the use of HTML. The function is used for error messages mostly at the moment, and in those we want to support as much HTML as possible (links and inline elements mostly). We only want to strip out scripts. This function exists in a separate file (xss.php) so it will be easier to issue hot fixes in the future if we figure out better ways to sanitise strings or find something else that has to be stripped.

tankmiche Wrote: In admin/upload.php:
Lack of user input sanitization, which made my browser nearly crash (sic). I uploaded a file named *lessthan*script*greaterthan* alert('test');. This is no major problem, as I basically just wanted to test the vulnerability, but definitely a good proof of the need to sanitize user input everywhere.
Never tried such a weird filename; I'd better give it a try now.

tankmiche Wrote: I couldn't submit the topic with the real chars that I've called *lessthan* and *greaterthan* here, as the antispam question doesn't sanitize input and they broke the input form...
Just try again. You will not always get the antispam question and so you should be able to post it in the end.
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
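The two approaches argued over in the post above (escape everything with htmlspecialchars, or keep inline HTML and strip only scripts) can be shown side by side. The following is an added example, not GetSimple's admin/inc/xss.php or any code from this thread: htmlspecialchars() is used where no markup is wanted (the uploaded filename from the admin/upload.php report), and for error messages that should keep links and inline elements an allowlist applied to a parsed DOM drops script elements, event-handler attributes and javascript: URLs without running regexes over raw HTML. The function names, the allowed tag and attribute sets and the sample inputs are assumptions of this example; it needs PHP 7 or later with the dom extension.

```php
<?php
// Added example, not GetSimple's xss.php. Allowed tags/attributes are an assumption.
const ALLOWED_TAGS  = ['a', 'b', 'i', 'em', 'strong', 'code', 'br', 'span'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'span' => ['class']];
const DROP_WHOLE    = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitize_inline_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // tolerate tag soup quietly
    // The XML prolog tells libxml the input is UTF-8; the wrapper div lets us
    // pull out just the fragment afterwards.
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $html . '</div>');
    libxml_use_internal_errors($prev);

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    clean_node($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                 // text nodes come out escaped
    }
    return $out;
}

function clean_node(DOMNode $node): void
{
    // Walk a static copy because the loop mutates the child list.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);                 // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WHOLE, true)) {
            $node->removeChild($child);                 // element and its content
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element: keep its (cleaned) children, drop the element itself.
            clean_node($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        clean_attributes($child, $tag);
        clean_node($child);
    }
}

function clean_attributes(DOMElement $el, string $tag): void
{
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowed, true)) {
            $el->removeAttribute($attr->name);          // onclick=, style=, ...
            continue;
        }
        if ($name === 'href') {
            // Browsers ignore embedded whitespace/control characters when reading
            // a scheme, so strip them before deciding; relative URLs have no scheme.
            $compact = preg_replace('/[\x00-\x20]+/', '', $attr->value);
            $scheme  = parse_url($compact, PHP_URL_SCHEME);
            if ($scheme === false
                || ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https', 'mailto'], true))) {
                $el->removeAttribute($attr->name);      // javascript:, data:, vbscript:
            }
        }
    }
}

// Constructed inputs mirroring the two reports in this thread.
$filename = "<script>alert('test');</script>.jpg";
$message  = 'Upload of <b>photo.jpg</b> failed: see <a href="/admin/upload.php" onclick="steal()">the upload page</a>'
          . '<script>alert(1)</script> or <a href="javascript:alert(2)">this</a> <em>now</em>.';

// No markup wanted (a filename): escape everything.
echo htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . PHP_EOL;
// Markup wanted but scripts not (an error message): allowlist the parsed DOM.
echo sanitize_inline_html($message) . PHP_EOL;
```

The point of parsing rather than pattern-matching is that the browser will also parse, and a regex over the raw string has to anticipate every way a tag or attribute can be spelled; an allowlist only has to describe what is permitted. A hand-rolled walker like this one is fine for illustration, but for a shipping CMS a maintained allowlist sanitizer (HTML Purifier is the usual choice in PHP) is the safer option, since it also handles CSS and URL edge cases not covered here.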
#3
Thanks for the quick reply.

One last thing: if I knew your GetSimple website was located at example.com/gs, I could easily embed a small image/iframe/whatever in this very post with the address http://example.com/gs/admin/backups.php?deleteall .

It won't happen for every other user, but by visiting this page you'll delete every backup, probably not even noticing the whole operation.

The only viable solution is to implement https://secure.wikimedia.org/wikipedia/e...phic_nonce. Since you already have user and global salts, it's just a matter of putting a hash of them (maybe also including REMOTE_ADDR) for verification in every administrative form.
#4
Ok, I have added nonces in every form or link that does modify the system and tested possibly all of them (I think).
There's no point in changing the code for my website only, so I'm sharing my modifications.

The nonce functions are defined in admin/inc/nonce.php, get_nonce and check_nonce.
The first is called when outputting a form or link; the latter is used for verification after a form is submitted. get_nonce outputs a sha1 hash containing:
* $SALT and $USR
* Ip address
* Action and file responsible for that action

Future development may introduce time-based nonces somehow.

I see some forms already had a protection against CSRF, the variable $SESSIONHASH defined in admin/inc/common.php: I haven't touched them for now, but it would be better in the future (if you want to integrate my edits) to replace them with my nonce functions. I also haven't edited admin/download.php as I don't know which files are downloaded through there. Adding the nonce protection is easy, if needed.

In attachment is the $( svn diff ) from the latest checkout (r184). Of course it's a derivative work and thus released under the same GPLv3 license as GetSimple.

Edit: nonce.php is now included in the diff
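To make the scheme in the post above concrete, here is an added example that is not the attachment from this thread or GetSimple's admin/inc/nonce.php. It follows the shape the post describes (get_nonce and check_nonce, bound to $SALT, $USR, the client address and the action/file pair) and applies it to the backups.php?deleteall link from the CSRF description in post #3. Assumptions of this example, not of the patch: the token is an HMAC keyed with $SALT rather than sha1() over a concatenation, it rotates in 30-minute buckets (the post only mentions time-based nonces as possible future work), comparison is constant-time with hash_equals, and the salt and user values are constructed stand-ins; it needs PHP 7 or later.

```php
<?php
// Added example, not the patch from this thread. Salt and user are constructed.
$SALT = 'constructed-site-salt-replace-me';
$USR  = 'admin';

const NONCE_WINDOW = 1800;   // seconds per time bucket (assumption of this example)

/**
 * Token for one action on one admin file. Binding to $USR and the address means a
 * token leaked from one session is useless elsewhere; binding to action+file means
 * a token issued for "deleteall" on backups.php cannot be replayed against another form.
 */
function get_nonce(string $action, string $file, ?int $bucket = null): string
{
    global $SALT, $USR;
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $bucket = $bucket ?? intdiv(time(), NONCE_WINDOW);
    $data   = implode('|', [$USR, $ip, $action, $file, $bucket]);
    // Keyed HMAC keeps the salt out of the visible token and avoids the
    // length-extension weakness of a bare sha1($SALT . $data).
    return hash_hmac('sha1', $data, $SALT);
}

/**
 * Verify a submitted token for the same action/file. The current and the previous
 * bucket are accepted so a form opened just before a rotation still submits.
 */
function check_nonce(string $submitted, string $action, string $file): bool
{
    $now = intdiv(time(), NONCE_WINDOW);
    foreach ([$now, $now - 1] as $bucket) {
        if (hash_equals(get_nonce($action, $file, $bucket), $submitted)) {
            return true;
        }
    }
    return false;
}

// 1. When rendering the admin page: emit the link with its token.
$nonce = get_nonce('deleteall', 'backups.php');
echo '<a href="backups.php?deleteall&amp;nonce=' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8')
   . '">Delete all backups</a>' . PHP_EOL;

// 2. When handling backups.php?deleteall: verify before touching any file.
//    (Falls back to the token above so the script also runs stand-alone from the CLI.)
$submitted = $_GET['nonce'] ?? $nonce;
if (!check_nonce($submitted, 'deleteall', 'backups.php')) {
    http_response_code(403);
    exit('Invalid or missing nonce' . PHP_EOL);
}
echo 'Nonce verified: this is where the backups would be deleted.' . PHP_EOL;

// 3. The embedded-image request from post #3 carries no token (and cannot forge
//    one without $SALT), so the same check rejects it before any state changes.
$forged = check_nonce('', 'deleteall', 'backups.php') ? 'accepted' : 'rejected';
echo 'Request without a token: ' . $forged . PHP_EOL;
```

Two caveats worth keeping in mind when integrating something like this. Binding the token to REMOTE_ADDR, as the post suggests, produces spurious failures for users whose address changes between rendering and submitting (some proxies and mobile networks do this), so it is a trade-off rather than a free win. And the `<img>` vector in post #3 works only because deleting backups is reachable with a plain GET; requiring POST for every state-changing action, in addition to the nonce, removes that whole class of drive-by requests.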
#5
Here's the nonce.php, I thought it would be included in the diff...
#6
I want to say right from the beginning... I LOVE GetSimple! I have tried Joomla (too complicated), Silverstripe (complicated and prone to break), ModX (couldn't even install it [yet]) and now, GetSimple. While it may not be sufficiently robust for a large corporate website, for a lot of small/medium-sized businesses, and almost any personal website, it is absolutely great -- IMHO. I wish I were a php-programmer so that I could create the plugins I'd like to see/have (e.g. a contact form), but as I am not, I'll just have to work with those who are and hope they'll try to develop for the Windows environment also.

Not sure how effective a beta-tester I'll be, but I'm willing to try. I design websites, but I'm just barely learning jquery and don't really program in php at all, although I can generally follow the logic -- possibly from my C++ and VB days.

One thing that I may be able to offer that there seem to be few of is that I'm running Apache 2.14 on Windows 7.

Here is my full server token line: [Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1]

And a list of all mods installed: [mod_apreq2.c, mod_perl.c, mod_php5.c, mod_autoindex_color.c, mod_status.c, mod_ssl.c, mod_setenvif.c, mod_rewrite.c, mod_negotiation.c, mod_mime.c, mod_log_config.c, mod_isapi.c, mod_info.c, mod_include.c, mod_headers.c, mod_env.c, mod_dir.c, mod_dav_lock.c, mod_dav_fs.c, mod_dav.c, mod_cgi.c, mod_authz_user.c, mod_authz_host.c, mod_authz_groupfile.c, mod_authz_default.c, mod_authn_file.c, mod_authn_default.c, mod_auth_digest.c, mod_auth_basic.c, mod_asis.c, mod_alias.c, mod_actions.c, mod_so.c, http_core.c, mpm_winnt.c, mod_win32.c, core.c]

If any of this helps you. Also, this server is in my home office so, if need be, I can set up a separate v-host and install another copy of GS in a sub-domain so that you can access it to your heart's content. Since I am not sure of the security of your back-end, if I were to make the back-end available to you, I would only do so to a very limited few and would request that we set-up Access/Password via private email. I would prefer that you not make those credentials available to just anybody, but if it will help in your beta testing I would be willing to take that risk.

Here's one of the first things (well, actually second, after noticing that the in-built contact capability was gone and which I am VERY, very sorry to see disappear), if one has uploaded, in my case, photos with spaces in the file name, it seems to give GS fits. Here are the errors I get when this happens (although, I must say, I'm impressed that it recovers so nicely):

Warning: getimagesize(../data/uploads/Kris+-+Metro+Station.jpg) [function.getimagesize]: failed to open stream: No such file or directory in C:\xampp\htdocs\trina\admin\image.php on line 47

Warning: getimagesize(../data/thumbs/thumbnail.Kris+-+Metro+Station.jpg) [function.getimagesize]: failed to open stream: No such file or directory in C:\xampp\htdocs\trina\admin\image.php on line 51

As I discover more, or have other questions, I'll be in touch.

Thanks again for the great CMS!
WebFXWorld
#7
Thanks tankmiche. I just finished applying the patches you sent - and will let you know if I run into any problems.
- Chris
Thanks for using GetSimple! - Download

Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
#8
tankmiche - all the patch edits work flawlessly. thanks! I will be integrating them into the core shortly after a few more rounds of testing.
- Chris
#9
@WebFXWorld - thanks for the heads up on that error. I got that fixed and it will be in the next (very soon) release.
- Chris
#10
ccagle8 Wrote: tankmiche - all the patch edits work flawlessly. thanks! I will be integrating them into the core shortly after a few more rounds of testing.

I'm glad to see you found them useful. Bug me if you find problems, though!