Security Vulnerability (XINHA Editor)

rrjbeans

Quote from: doc on October 24, 2007, 10:54:49 PM
Note:
We have disabled the download links of the WYSIWYG editors Xinha and Tiny_MCE from the Add-ons repository.

Is TinyMCE still affected with this vulnerability?

Because according to the TinyMCE thread, John recently released a version marked "stable"...

Rosewood

Thank you for this notice.  It helped me confirm what I had suspected.  Quite a few of the sites we recently inherited (and had not given a full sec audit to) were being hacked.  I've confirmed this exploit as their point of entry.

berny

Hmmm, a bad thing:  :evil:
The vulnerability is in every plugin that allows uploading files!!!
Not only the ImageManager is a problem, but also the InsertFile and other plugins.

Therefore it seems to be better to use the FCKEditor!!!

(I am sad, I liked Xinha!!!)

doc

#5
Hello,

thanks for the fix. The posted fix does not resolve the problem that the module allows bypassing the group/user permissions for the MEDIA folder set by WebsiteBaker. The solution we are after should be similar to what we have implemented for the FCKEditor module. In addition, the existing WB module for Xinha needs to be updated to the latest Xinha release. However, this is one step in the right direction.

Regards Christian

berny

Therefore, an idea:

In the modules/xinha/xinha/plugins/ImageManager/config.inc.php insert after

// Include the config file
require('../../../../../config.php');

this code:

// Refuse the request when no WebsiteBaker user is logged in
// (empty() also avoids a PHP notice when USER_ID was never set)
if (empty($_SESSION['USER_ID'])) {
    echo "please don't hack";
    exit;
}

It's not really a patch for the vulnerability, but this code only allows registered users to upload files.
Therefore unregistered users cannot upload files; in most cases this will be OK.

If someone wants to allow only Administrators (or a different group of users like "Registered") to upload, modify it like this:

// Only the listed WebsiteBaker groups may upload; isset() avoids a notice
// when nobody is logged in and GROUP_NAME is not set
$vulncheck = 0;
if (isset($_SESSION['GROUP_NAME']) && ($_SESSION['GROUP_NAME'] == "Administrators" || $_SESSION['GROUP_NAME'] == "Registered")) {
    $vulncheck = 1;
}
if ($vulncheck != 1) {
    echo "please don't hack";
    exit;
}
Then only Administrators (or in this case Registered) can upload files.


You only have to define the user groups that can use this module.

Maybe someone has a better idea or will go on with this :?

(PS: Sorry for my English, it's a long time ago that I learned this in school  :lol: )
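The two checks above combined into one reusable guard, plus a file-name check for the .htaccess and PHP uploads that doc warns about in post #1. This is an added example, not code from the thread or from the WebsiteBaker/Xinha projects; only the session keys USER_ID and GROUP_NAME are WebsiteBaker's, while the function names, the group and extension lists and the form field name 'upload' are assumed placeholders:

```php
<?php
// Added example, not code from the thread or from WebsiteBaker/Xinha.
// Assumes WebsiteBaker's session keys USER_ID and GROUP_NAME (as in berny's
// snippet); the function names, the group and extension lists and the form
// field name 'upload' are illustrative placeholders.

// Groups permitted to upload; adjust to the site's own group names.
$allowed_groups = array('Administrators', 'Registered');

// Extensions that may land in the MEDIA directory. An allow-list is safer than
// a deny-list: anything not listed (php, phtml, htaccess, ...) is refused.
$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt');

// True only for a logged-in user whose group is on the allow-list.
function upload_allowed($session, $allowed_groups)
{
    if (empty($session['USER_ID']) || empty($session['GROUP_NAME'])) {
        return false;          // no backend login at all
    }
    return in_array($session['GROUP_NAME'], $allowed_groups, true);
}

// True only for a plain file name with an allow-listed extension.
function filename_allowed($name, $allowed_extensions)
{
    $base = basename($name);
    // Reject dotfiles (.htaccess, .htpasswd), empty names and any path component.
    if ($base === '' || $base[0] === '.' || $base !== $name) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_extensions, true)) {
        return false;
    }
    // Apache's mod_mime can act on every dotted suffix, so "x.php.jpg" is still
    // risky: refuse names that contain more than one dot.
    return substr_count($base, '.') === 1;
}

// Placement: at the top of the connector, right after the config.php require.
if (!upload_allowed($_SESSION, $allowed_groups)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Upload not permitted');
}
if (isset($_FILES['upload']) && !filename_allowed($_FILES['upload']['name'], $allowed_extensions)) {
    header('HTTP/1.0 403 Forbidden');
    exit('File type not permitted');
}
```

The guard still does nothing for a connector that never calls it, so every upload-capable plugin (ImageManager, InsertFile and the others berny lists) needs the same include.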

doc

No, it seems no one is willing to do the required fixes, therefore we removed Xinha from the download list.

Regards Christian

davon

Quote from: doc
At the moment no fixed version of Xinha is available

Are there any updates to expect in the near future about this?

doc

#1
Dear community,

the forum member jozycrew just informed me that the WebsiteBaker WYSIWYG module XINHA has a security vulnerability.

What does it mean?
The bug allows any user to upload files to the WB MEDIA directory. The user does not require access to the WB backend!!! Depending on the connector settings, it may be possible to upload .htaccess files or PHP files, which would allow any user to take over full control of your website (e.g. read/delete database, pages directory ...).

Solution:
At the moment no fixed version of Xinha is available (I do not use Xinha and do not know its architecture).

For the time being, we highly recommend uninstalling Xinha from your server and switching over to the latest release of the FCKEditor version (v2.75).

Another solution is to use the .htaccess password protection (requires an Apache web server and permissions to upload a .htaccess and .htpasswd file to the .../modules/xinha/ folder).

Please read the following information to learn more about creating a HTACCESS restriction. An online password generator can be found here.

Note:
We have disabled the download links of the WYSIWYG editors Xinha and Tiny_MCE from the Add-ons repository.

Sorry for any inconvenience caused by this.
Christian Sommer (doc)

P.S.: Attached is a basic htaccess.txt file. You need to replace the path according to your needs and to rename the file to .htaccess.
The required path can be found by adding the following command to a page of type code:
echo WB_PATH;

[deleted by administrator]