Security Vulnerability Disclosures

Bug reports on core system for v1.2 STABLE only.

Postby markfoz » Sat Mar 17, 2012 11:15 am

Hi Smiffy - recent google results for possible vulnerabilities in Razor CMS

Total rubbish in my opinion but you may want to take a look and reply

hxxp://www.exploit-db.com/exploits/18575/

They are actually unpublishing a category, not deleting a page as claimed, and this should not be possible - unless they are logged in as admin, right?

hxxp://www.exploit-db.com/exploits/18574/

Again total rubbish - so a user is going to add a malicious file to their own site and then run it through SSH? Unlikely - php uploads should still be allowed (but maybe check other file extensions) as they can be useful for the developer inside razor cms. PHP shell_exec() etc should be banned server side anyway as a security precaution.

hxxp://packetstormsecurity.org/files/10 ... osure.html

So people can read the files with the correct path to txt files - so what - they can read the information in the site pages if they so desire, or inside the browser source code view.

Whilst reporting genuine security concerns can be a good thing as it draws a developer's attention to security holes, this could make people think razor cms is an insecure cms when in fact it is one of the most secure I have seen, and even encourage further hacking attempts.
markfoz
Posts: 113
Joined: Sun Aug 09, 2009 2:41 pm

Re: Security Vulnerability Disclosures

Postby smiffy6969 » Sat Mar 17, 2012 11:29 am

Hi,

Thanks for the heads up, I am already on the case and have released a snapshot to adminer for testing this morning.

The update will add in a new feature called security watchdog; it uses random signatures in ALL transactions. Any attempt to use an XSS will require access to the one time only signature that is regenerated on every action you perform. I have tried all known XSS exploit approaches and none get through, period. The system is now sniffing every action performed and verifying it came from the correct source by using this autogenerated signature that is destroyed after one use.

To use an XSS attack now you would need to know the signature for that single instance that the user has, and the odds of this happening are probably about the same as winning the lottery every day for a year.

Don't be fooled by the hype, these XSS exploits require the following steps to work:

1) Some idiot sends an email or gets you to navigate to a page
2) You have to be logged in to your admin end at the same time you click the above
3) You have to have a page matching their exploit (page id)
4) They need to know your install path
5) They are not deleting anything, just unpublishing a page or turning a sidebar off (you can publish and turn on again)

They always make things sound worse than they are; nevertheless, I will be patching this early next week after testing of my new watchdog feature.

The other exploit is a file upload one, again you would have to....
1) Give someone login details
2) They login and upload file
3) They run a third party program they uploaded
4) They have access to your server

hmmmm, you gave them login details to your site, you're an idiot I'm afraid, pure and simple.

However, I am going to restrict file uploads and renames for users and admin accounts, super admin will still be able to upload php.

Release next week people, don't panic, all good, just don't go looking on dodgy sites or clicking on dodgy emails whilst logged in to your account, but then this should be the same for nearly all web applications.

smiffy
smiffy6969
Posts: 1866
Joined: Sat May 24, 2008 8:18 am
Location: Loughborough, UK
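The per-action single-use signature smiffy describes, shown as an added example that is not Razor CMS code (an in-memory sketch in Python rather than the CMS's PHP, with a constructed admin session and page table standing in for the real session store and database):

```python
import hmac
import secrets
from typing import List, Optional

# Constructed demo state: one logged-in admin session and the pages it manages.
SESSION = {"user": "admin", "action_sig": None}
PAGES = {"42": {"title": "Home", "published": True}}


def issue_action_signature(session: dict) -> str:
    """Mint a fresh random signature for the next action and keep it server-side.

    The server embeds this value in the admin page it renders (hidden form field
    or link parameter). A page on another site cannot read it, so a request it
    forges while the admin is logged in arrives without a valid signature.
    """
    sig = secrets.token_urlsafe(32)
    session["action_sig"] = sig
    return sig


def consume_action_signature(session: dict, presented: Optional[str]) -> bool:
    """Accept the action only if the presented signature matches, then destroy it."""
    expected = session["action_sig"]
    if not expected or not presented:
        return False
    ok = hmac.compare_digest(expected, presented)  # constant-time comparison
    if ok:
        session["action_sig"] = None  # single use: a second submission must fail
    return ok


def unpublish_page(session: dict, page_id: str, presented_sig: Optional[str]) -> str:
    """A state-changing admin action guarded by the one-time signature."""
    if not consume_action_signature(session, presented_sig):
        return "rejected"  # forged cross-site request, or a replayed signature
    if page_id not in PAGES:
        return "no such page"
    PAGES[page_id]["published"] = False
    issue_action_signature(session)  # rotate: the next action needs a new value
    return "ok"


def demo() -> List[str]:
    """Walk through three requests against the same session; returns each outcome."""
    sig = issue_action_signature(SESSION)         # admin opens the page list
    forged = unpublish_page(SESSION, "42", None)  # cross-site request, no signature
    genuine = unpublish_page(SESSION, "42", sig)  # admin's own click carries it
    replay = unpublish_page(SESSION, "42", sig)   # same value presented again
    return [forged, genuine, replay]
```

A single rotating value means a second open admin tab holds a stale signature; keeping a small set of unconsumed signatures per session avoids that without weakening the check.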

Re: Security Vulnerability Disclosures

Postby smiffy6969 » Sat Mar 17, 2012 11:33 am

and remember

ALWAYS LOGOUT WHEN YOU ARE FINISHED

This is good internet practice for ANY website, I dread to think how many web applications are cracked because people do not log out.......

smiffy
smiffy6969
Posts: 1866
Joined: Sat May 24, 2008 8:18 am
Location: Loughborough, UK