Security Vulnerability (Backup Module in WB Core)

Argos

Jurgen Nijhuis
Argos Media
Heiloo, The Netherlands
----------------------------------------------------------------
Please don't request personal support, use the forums!

Argos

Thanks John. Based on that info, I used the SQL query to work directly in phpMyAdmin:
delete FROM addons WHERE name = 'backup'. I just went through all my sites on the server in Plesk, deleted the backup folder and ran the SQL query in phpMyAdmin. It actually went quite fast.

pcwacht

Easy steps:

1. Remove modules/backup through FTP.
2. Create a page of type "Code" section with visibility "registered" (to avoid regular users).
   In the code section paste:

$results = $database->query("delete FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");

3. Call the newly created page; this will run the PHP code, which will remove the backup entry in the addons list.
4. Remove the page.


Have fun,
John
http://www.ictwacht.nl = Dutch ICT info
http://www.pcwacht.nl = My first
both still work in progress, since years.....

Argos

#4
Quote from: Waldschwein on March 27, 2010, 01:18:59 PM
It works on all my servers - just deinstall via Add-on "Modul deinstallation"...
That's strange. Core modules and templates cannot be uninstalled that way normally. You get the error "Cannot be uninstalled" or something like that.

Quote
Perhaps it's necessary on some server configurations to delete the _wbinstallation_/modules/backup Folder via FTP-browser.
That leaves the Backup function in the Admin Tools page. Of course it just goes to an empty page then, but it's not a very elegant solution, and clients with admin rights may wonder why the backup function doesn't work.

Quote
Another option would be to insert a ".htaccess" (works only on Apache!) password protection inside modules/backup folder.
That also leaves the backup function in the Admin Tools.

The only solution I can come up with, with my limited PHP skills is to first manually remove the /modules/backup folder via FTP, and then upload a modified /admin/admintools/index.php file with a changed line 45:


$results = $database->query("SELECT * FROM ".TABLE_PREFIX."addons WHERE type = 'module' AND name != 'backup' AND function = 'tool' order by name");



That way the (empty) Backup function doesn't show anymore in the Admintools. But it would be better if someone could create a better option to uninstall the module without the user right limitation.

Waldschwein

It works on all my servers - just deinstall via Add-on "Modul deinstallation"...
Perhaps it's necessary on some server configurations to delete the _wbinstallation_/modules/backup folder via FTP-browser.
Another option would be to insert a ".htaccess" (works only on Apache!) password protection inside modules/backup folder.

Yours Michael


Argos

And how exactly can we uninstall a core module? Using the Add-on uninstall function does not work...

Waldschwein

#1
A security vulnerability in the backup module in WebsiteBaker Core CMS has been found.
- Extended information: Everybody can use the backup module from anywhere and download the backup directly on every PC the "exploiter" likes without any noticing by you.

Affected systems
- WebsiteBaker version: 2.7, 2.8.0, 2.8.1 (until SVN revision number 1308).
- All installations with the installation of the Backup module are affected. The Backup module is part of WebsiteBaker Core and installed per default on all installations!

Vulnerability Impact
- An exploit was being published on "known exploit sites".
- With this exploit everybody can download the whole database, crack the password and overtake the WebsiteBaker installation.

Maximum Severity Rating
- Highest (for systems matching all of the conditions under the Affected Systems section).
- None (for all other systems, e.g. with deinstalled Backup module and version 2.6.7 and lower).

Instructions how to patch
- There is no supported patch available yet. Deinstall the backup module immediately.
- Please change all passwords in your WebsiteBaker installations that are affected. Also let all your users know.

Further Q&A

Q: How can I deinstall the backup module?

A: There are different ways - unfortunately it depends on your server configuration.
First way:

  1. Remove modules/backup with your FTP-browser
  2. Create a new section in "Pages" of type "Code" with visibility "registered" (to avoid regular users)
     In the code section paste:

     $results = $database->query("delete FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");

  3. Call the newly created page - this will run the PHP code which will remove the backup entry in the addons list
  4. Remove the page with the Code section

Second way:
Just deinstall the "backup" module in "Add-ons" -> "Modules" -> "deinstall module".

Q: Why is the backup module not being fixed?
A: The module is called deprecated from now on by the QA-Team. That has several reasons: It is not really useful to backup the complete WB-Installation as it has no possibility to upload easily the backup, and it has further bugs with modern databases.

Q: Will there be a new method of backup?
A: Perhaps in the future there will be - but that is not at all for sure. From SVN 1308 (2.8.1) on there won't be any official backup module available for WebsiteBaker until we let you know.

Q: How can I backup WebsiteBaker?
A: For sure your webhost has some database management system, e.g. PhpMyAdmin. Please use this system(s) to backup your database. Also make sure to backup all other FTP-data like /pages, /media, Modules & Templates and so on.

Acknowledgements
We want to thank pelotillehuito and FrankH for reporting the exploit and the QA-team for the quick & clear reaction.

Michael Tenschert (WebsiteBaker Homepage Team)
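As an added example (not code from this thread or from the WebsiteBaker project), the script below verifies both halves of the removal described in the "First way" above and in John's steps: that the modules/backup directory is gone from the filesystem, and that the addons table no longer lists the module (which is what keeps the dead "Backup" entry out of Admin Tools). It assumes it is run from the command line in the WebsiteBaker root next to config.php, that config.php defines DB_HOST, DB_NAME, DB_USERNAME, DB_PASSWORD and TABLE_PREFIX (as a standard WB config.php does), and that PHP's PDO MySQL driver is available; the script name check_backup_removed.php is made up.

```php
<?php
// Added example, not part of WebsiteBaker or of the forum thread.
// Checks that the deprecated backup module is fully removed from one WB
// install: no modules/backup directory, no 'backup' row in the addons table.
// Run with --fix to delete a leftover addons row (same effect as the DELETE
// query quoted in the thread, here as a prepared statement).
declare(strict_types=1);

$root = __DIR__;
// Assumption: a standard WB config.php defining DB_* and TABLE_PREFIX constants.
require $root . '/config.php';

function backup_module_status(string $root, PDO $db, string $prefix): array
{
    // Part 1: the module files. While this directory exists, the module's
    // scripts are reachable regardless of what the addons table says.
    $dirPresent = is_dir($root . '/modules/backup');

    // Part 2: the addons registration that makes the tool show up in Admin Tools.
    $stmt = $db->prepare("SELECT COUNT(*) FROM `{$prefix}addons` WHERE `name` = ?");
    $stmt->execute(['backup']);
    $rowPresent = (int) $stmt->fetchColumn() > 0;

    return ['dir' => $dirPresent, 'addon_row' => $rowPresent];
}

function remove_backup_addon(PDO $db, string $prefix): int
{
    $stmt = $db->prepare("DELETE FROM `{$prefix}addons` WHERE `name` = ?");
    $stmt->execute(['backup']);
    return $stmt->rowCount();
}

$db = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8', DB_HOST, DB_NAME),
    DB_USERNAME,
    DB_PASSWORD,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$status = backup_module_status($root, $db, TABLE_PREFIX);
printf("modules/backup directory present: %s\n",
    $status['dir'] ? 'YES - delete it via FTP/SSH' : 'no');
printf("addons row 'backup' present:      %s\n",
    $status['addon_row'] ? 'YES' : 'no');

$args = $argv ?? [];
if ($status['addon_row'] && in_array('--fix', $args, true)) {
    printf("removed %d addons row(s)\n", remove_backup_addon($db, TABLE_PREFIX));
    $status['addon_row'] = false;
}

// Non-zero exit while anything is left, so the script can be looped over
// many sites (as Argos did per site in Plesk) and the stragglers spotted.
exit(($status['dir'] || $status['addon_row']) ? 1 : 0);
```

Run it as `php check_backup_removed.php` in each site's root; it only reports by default and never deletes files, since the directory removal is the step the thread says to do by hand over FTP. The exit code lets a shell loop over a server's sites flag the ones where either the folder or the addons row is still present.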