WB 2.8.3-SP3 Vulnerabilities

BlackBird

I can only say that for admin.php, which is (in SP5) exactly the one I provided for download some posts above.
[url=http://wbaddons.webbird.de]http://wbaddons.webbird.de[/url] [url=http://www.WebsiteBaker.org/forum/index.php/topic,27476.msg189845.html#msg189845]Don't miss this[/url]

Tango

Hello,

Were the above-mentioned vulnerabilities fixed in SP5? I'm not able to test right now.

BlackBird

Unfortunately I introduced a new bug with the admin.php that fixes the XSS vulnerabilities. It checks for $page_id and $section_id in such a way that both must be set, but some backend actions - like drag&drop sorting of the page tree - only set one. Fix attached. I'm sorry for this. :oops:

@Boardadmins: Please remove the buggy version attached above. Thank you.

BlackBird

Concerning the HTTP RESPONSE SPLITTING:

Quote: To prevent this kind of attack, the function for sending header data was reworked in PHP version 5.1.2. Attacks like the one just described are therefore no longer feasible on current PHP systems.
(Sorry, German)

This means: if you have PHP >= 5.1.2 installed, PHP itself will prevent this type of attack.

Summary:

  • To fix the XSS vulnerabilities, replace ./modules/admin.php with the one I attached above.
  • Don't fear the HTTP RESPONSE SPLITTING vulnerability if you have PHP >= 5.1.2; upgrade soon if you haven't!
  • Uninstall FCKEditor and install CKEditor instead.

This will probably NOT fix ALL vulnerabilities (this is impossible), but it helps to fix the ones mentioned by the thread initiator.

BlackBird

Try this fix. (Place file in ./modules folder.)

Please note that other modules that use admin.php may have the same vulnerability as the News module. So I'd suggest replacing the file even if you no longer have "News" installed.

BlackBird

Quote: /wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0

The problem is located in /wb/modules/admin.php. There is a "fix" in that file, but it is deactivated.
[code]
/*
// be sure it is numeric
$page_id = intval($page_id);
$section_id = intval($section_id);
*/
[/code]
Remove the /* and */ as a "quick and dirty" fix. (In fact it is not a real "fix", as the parameters should be validated to catch (=log) XSS attacks, but it's still better than nothing...)
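As an added example (not WebsiteBaker's admin.php and not BlackBird's attached file): the parameter validation the two BlackBird posts above describe, written so that a request carrying only one of page_id/section_id (the drag&drop sorting case) still passes, while a value that is not a plain integer is rejected and logged instead of silently becoming 0 as intval() would do. The function names and the error_log() destination are assumptions.

```php
<?php
// Added example, not WebsiteBaker's admin.php: validate the page_id and
// section_id request parameters. Absent is allowed (some backend actions
// send only one), but a present value must be a plain positive integer.

/**
 * Returns the id as int, null if the parameter is absent, or false if it
 * is present but not a plain positive integer.
 */
function wb_read_id(array $request, string $name)
{
    if (!array_key_exists($name, $request)) {
        return null;
    }
    $raw = $request[$name];
    // $_GET values may be arrays; only a string of digits is accepted, so a
    // value containing "%00" or "<script>" (as in the thread's URLs) fails.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return false;
    }
    return (int) $raw;
}

/**
 * Validates both ids. Unlike the buggy SP5 admin.php it does not require
 * both to be set; unlike intval() it logs and aborts on garbage.
 */
function wb_validate_ids(array $request): array
{
    $ids = [];
    foreach (['page_id', 'section_id'] as $name) {
        $value = wb_read_id($request, $name);
        if ($value === false) {
            // error_log() destination is assumed; nothing from the request
            // is echoed back, so the response cannot carry the payload.
            error_log(sprintf('WB: rejected non-numeric %s from %s',
                $name, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            http_response_code(400);
            exit('Invalid request.');
        }
        $ids[$name] = $value; // int or null
    }
    if ($ids['page_id'] === null && $ids['section_id'] === null) {
        http_response_code(400);
        exit('Missing page_id/section_id.');
    }
    return $ids;
}

// Usage at the top of admin.php (assumed): $ids = wb_validate_ids($_GET);
```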

BlackBird

Note: The screenshots.zip provided by "Tango" cannot be opened.

Quote: SQL Injection: /wb/admin/pages/modify.php?page_id=1

The user is forwarded to the login page if he's not logged in.

I checked the others against a freshly installed WB SP4:

/wb/admin/admintools/tool.php?tool=captcha_control&6d442"><script>alert(1)</script>8e3b12642a8=1

Doesn't work for me.

/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0

Still works!

/wb/modules/news/add_post.php?page_id=1&section_id=f953a"><script>alert(1)</script>4ddf3369c1f

Still works!

/wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03"><script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3

Still works!

/wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52

Still works!

/wb/modules/news/modify_settings.php?page_id=1&section_id=%008b2f4"><script>alert(1)</script>bdc8b3919b5

Still works!

The above are XSS vulnerabilities. The user is forwarded to the login page if he's not logged in.

DarkViper

To all others:
That vulnerability was first reported at the end of 2009!!
Microsoft itself wrote that attacks are possible only on MS IIS servers which are in a non-default, unsafe configuration.

Because of all this, Linux/Apache servers are NOT affected.

Manuela
[url=http://www.youtube.com/watch?v=tmzDAz6ZvFQ]Der blaue Planet[/url] - it is not our property - we have only borrowed it from our descendants
[i]"You have to take the men as they are... but you can not leave them like that!" :-P [/i]
[i]The daily prayer: [b]Oh Lord, throw brains down from heaven![/b][/i]

Yetiie

As I understood it, you yourself claim that your job is to develop WB as a CMS?
And the goal of the WB leadership (as I heard from one leader directly this year) is to make WB the best CMS in the world.

Didn't I get this right?

enough is enough... We have enough work, so we can very well do without your taunts. Maybe you think about it over the next 14 days. Manuela

DarkViper

Sometimes it helps to look around...

Quote from: Microsoft Security Response Center
original: New Reports of a Vulnerability in IIS from MSRC Team, 27 Dec 2009

Hi everyone,
On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.

What's our job? To develop WB and keep our infrastructure up and running.... or to repair other people's misconfigured IIS?
I am sure every piece of software has lots of vulnerabilities if it's used on wrongly configured servers.
WebsiteBaker is developed to run in a standard Linux-Apache-MySQL-PHP environment and maybe.. only maybe, at your own risk, it can run in other environments too.

Manuela

Yetiie

Well, - you got it ;-)

And the question is, as written, very simple:
It seems very strange (hard to believe), so I am wondering and asking for a correction or for the reasons.

BlackBird


Gast

Quote from: Yetiie on June 29, 2015, 12:02:07 PM
why the next WB version 2.8.4 is brought to the users, unusually for modern software standards, with known unsafe modules, and what the real (very important?) reasons for this strange strategy are?

Looks like you have brand new information about the next WB version :roll:
Cool, tell us a little more

Yetiie

Recently there have been some official statements which irritated me. One of these irritating statements concerns the vulnerability of the soon-coming WB version 2.8.4, and I am not sure if I understand the situation, planning and strategy right.

As I understand this posting:
http://forum.WebsiteBaker.org/index.php/topic,28383.0.html

the lead developer @darkviper announces that she officially confirms that she knows that using the module fckeditor is not safe on all systems WB is built for. And, if I understand it right, she officially announces that this vulnerability will not be fixed for WB? (Please correct me if I got it wrong!)


Well. Version 2.8.3 is a version with a limited lifetime now. Changing standard modules within a version may be problematic. But as I understood it, the soon-coming version 2.8.4 is still planned with the same unsafe module and the same (obviously) known security problem.

From different discussions in the forum over the last two years (or more?) the WB development team knows that the FCK editor is no longer supported by the authors of this software, and the authors themselves recommend not using this outdated software any longer. A working alternative has been prepared and working for/in WB for years now: CKEditor!

The normal way of software development in such situations is to replace old, no longer supported, unsafe software modules with the already developed and working follow-up module. As this will not happen, I wonder(!) whether there are personal reasons to hold on to outdated and insecure software, or whether it is only a lack of appreciation of the way modern software is developed (which I cannot believe myself and don't(!) want to assume for the WB team!!!!).

@darkviper

As main developer, could you please explain why the next WB version 2.8.4 is brought to the users, unusually for modern software standards, with known unsafe modules, and what the real (very important?) reasons for this strange strategy are?

Or please - if I don't understand the situation right and FCK will be replaced by CKEditor or another safe editor module in the next WB version - correct me and tell us what will happen. Or will there maybe be different support for WB on different platforms? Which platforms will be supported as safe platforms and which platforms will not be supported (any longer?)?

Thank you for further information on the future of WB. And I am looking forward to a safe version :-)

Yetiie

@darkviper

In this thread http://forum.WebsiteBaker.org/index.php/topic,28403.0.html
you claim you want to support many different operating systems and argue that because of this you are not able (or willing?) to support a feature (spaces in names) which other modern systems support as standard.

This was within about ten days after you explained in this(!) thread here(!) that you won't care about a vulnerability in a WB standard module which is only unsafe in installations other than Linux/Apache:

Quote
All PHP related vulnerabilities are fixed in WB-2.8.3-SP4
The one of FCK will be fixed soon also... but there is no danger for servers running Apache under Linux: "The vulnerability requires that the remote server be running IIS". And remember: WB is developed to run under Linux/Apache primarily.

Sorry for that. But personally(!) to me(!) this seems like the very personal behaviour of a developer who is responsible for a complete CMS, and far away from the standards by which modern software is managed. And it is really hard to believe that this is/could be the official strategy of WB. Maybe I got something wrong?



Could you please explain your/the official policy for WB:

Is there a consistent plan for the project which determines which systems are supported and which systems are officially not supported, or which systems are only supported in a restricted manner? Which systems are safe and which systems are not managed to be safe?

And as some questions about systematic management of vulnerability fixes have come up in different threads over the last days and led to some irritation: does the development team have a strategy to manage known vulnerabilities, and within what time are known problems normally fixed by update fixes? The irritating situation is that the impression could arise that there seems to be no such strategy.

Thank you for additional information/explanations, which are very helpful in knowing in which situations WB could/should be used (even in professional contexts).


instantflorian

Hi,

The attachment Screenshots.zip seems not to be a valid zip file (I can't extract it).

After spending approx. 10 hours updating 90 sites to SP4 over the last days, I'm very, very interested whether there are still known but unfixed vulnerabilities, as Tango says, or not. If so, I would also like to know the reason why the security flaws are ignored by the development team.




Ruud

[url=https://dev4me.com/modules-snippets/]Dev4me - WebsiteBaker modules[/url] - [url=https://wbhelp.org/]WBhelp.org[/url]

kurt peter eibes

Where can I download SP 4 or 5 now?

Tango

Quote from: DarkViper on June 12, 2015, 05:03:54 PM
All PHP related vulnerabilities are fixed in WB-2.8.3-SP4
The one of FCK will be fixed soon also... but there is no danger for servers running Apache under Linux: "The vulnerability requires that the remote server be running IIS". And remember: WB is developed to run under Linux/Apache primarily.

Manuela

I'm sorry Manuela, but you know it and I know it: no vulnerabilities were fixed in WB 2.8.3 SP4.
After your reply, being the paranoid guy that I am, I ran some tests and, as you can see, there are the same flaws as in SP3. The results are attached below.

So waiting for SP5, if it ever comes...

Here are the resources again:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9242#VulnChangeHistoryDiv
https://www.exploit-db.com/exploits/35277/
http://www.cvedetails.com/vulnerability-list/vendor_id-14999/WebsiteBaker.html

Cheers!

Tango


DarkViper

All PHP related vulnerabilities are fixed in WB-2.8.3-SP4
The one of FCK will be fixed soon also... but there is no danger for servers running Apache under Linux: "The vulnerability requires that the remote server be running IIS". And remember: WB is developed to run under Linux/Apache primarily.

Manuela

Tango

Hello,

I was checking to see how secure WebsiteBaker is and I found this: https://www.exploit-db.com/exploits/35277/
I also found a vulnerability related to FCKeditor 2.6.6, as follows: http://www.securityfocus.com/archive/1/513422/30/0/threaded

So, are these vulnerabilities still present in WB 2.8.3-SP4?
Thanks