Security issue, please make the following change

Postby jondaley on Sat Mar 29, 2008 1:19 pm

This security issue affects any 1.2.x version of LifeType prior to 1.2.7 that allows resource uploads AND has untrusted users with upload access AND is not using encoded filenames.

The forbidden_upload variable is checked in a case-sensitive manner, which means that capitalized extensions are not blocked using the default settings.

The safest setting is to turn off resource uploads until 1.2.7 can be verified and released.

Next safest is to configure upload_allowed_files to the list of files you want to allow. This setting is also case-sensitive, so you might want to use:
*.jpg *.JPG *.png *.PNG *.gif *.GIF *.bmp *.BMP


Next safest is to configure your upload_forbidden_files with all versions of capitalized extensions. Note that this method is kind of hard, since you would need to check *.pHp *.pHP etc.

I have not tested this exploit on many systems, so it is possible that your server is not affected by this (say, if test.PHP doesn't actually execute, but simply shows the contents of the file). If your server allows capitalized PHP files to run, you should check your Apache logs to see if a hacker uploaded a file into your gallery. Note that it isn't enough to only check your filesystem for the presence of these files, since the script might have been moved later.
Last edited by jondaley on Wed Jan 27, 2010 8:56 am, edited 2 times in total.
Reason: I think this one was on top long enough. I know it's serious but it also kind of looks bad, if we have it on top for ever. I think it should be fixed with 1.2.8 right? cheers, reto
jondaley
Lifetype Expert
 
Posts: 6169
Joined: Thu May 20, 2004 6:19 pm
Location: Pittsburgh, PA, USA
LifeType Version: 1.2.11 devel branch
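The check described in the post above, written out as an added example that is not LifeType's own validator code. It shows a space-separated glob list like upload_forbidden_files being matched case-sensitively (so "shell.PHP" slips past "*.php"), the same match with both sides lowercased, and the allowlist approach from the post. The constant names, the sample filenames and the glob-list format are assumptions made for this illustration.

```php
<?php
// Added example (not LifeType's code): why a case-sensitive forbidden-extension
// check misses "shell.PHP", and two hardened alternatives.
// Constant names, list format and sample filenames are assumptions.

// Forbidden list in the same space-separated glob style as the thread's settings.
const FORBIDDEN_UPLOAD = '*.php *.php3 *.php4 *.phtml *.exe *.cgi';
// Allowlist of image types, the "next safest" setting from the post.
const ALLOWED_UPLOAD = '*.jpg *.png *.gif *.bmp';

/** Split a space-separated glob list into individual patterns. */
function globList(string $list): array {
    return preg_split('/\s+/', trim($list), -1, PREG_SPLIT_NO_EMPTY);
}

/** Vulnerable form: compares the filename against each pattern as-is. */
function isForbiddenCaseSensitive(string $filename): bool {
    $name = basename($filename);
    foreach (globList(FORBIDDEN_UPLOAD) as $pattern) {
        if (fnmatch($pattern, $name)) {
            return true;
        }
    }
    return false;
}

/** Hardened form: lowercase both the name and the pattern before matching. */
function isForbiddenCaseInsensitive(string $filename): bool {
    $name = strtolower(basename($filename));
    foreach (globList(FORBIDDEN_UPLOAD) as $pattern) {
        if (fnmatch(strtolower($pattern), $name)) {
            return true;
        }
    }
    return false;
}

/** Safest form: accept only case-folded allowlisted names, reject everything else. */
function isAllowedUpload(string $filename): bool {
    $name = strtolower(basename($filename));
    foreach (globList(ALLOWED_UPLOAD) as $pattern) {
        if (fnmatch(strtolower($pattern), $name)) {
            return true;
        }
    }
    return false;
}

// Constructed sample upload names covering the cases from the thread.
$samples = ['photo.jpg', 'Photo.JPG', 'shell.php', 'shell.PHP', 'shell.pHp'];
foreach ($samples as $f) {
    printf("%-12s forbidden(case-sensitive)=%-5s forbidden(case-folded)=%-5s allowed=%s\n",
        $f,
        var_export(isForbiddenCaseSensitive($f), true),
        var_export(isForbiddenCaseInsensitive($f), true),
        var_export(isAllowedUpload($f), true));
}
```

Running it shows the case-sensitive check flagging only "shell.php", while the case-folded check flags all three spellings and the allowlist accepts only the image names. The allowlist is the stronger control because it does not depend on enumerating every spelling an attacker might try.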

Re: Security issue, please make the following change

Postby jondaley on Sat Mar 29, 2008 1:26 pm

Note that if you are on the subversion 1.2 development branch, this problem is fixed at least on my server. Please test it if you can and let me know if it looks good on your system as well.

Re: Security issue, please make the following change

Postby jondaley on Sun Mar 30, 2008 8:44 am

We have verified that Apache uses case insensitive matching in the AddType and SetHandler methods, so *.PHP will be executable on your server. However, the <Files *.php> entry in the gallery .htaccess is parsed in a case-sensitive manner.

http://bugs.lifetype.net/view.php?id=1477

Re: Security issue, please make the following change

Postby jondaley on Sun Mar 30, 2008 8:33 pm

1.2.7 has been tested and released. See the official announcement here.

Re: Security issue, please make the following change

Postby thestroller on Wed Apr 02, 2008 8:59 am

Hello Jon,

Can you show which files were modified to fix this error? Because I need more time to upgrade to the 1.2.7 version. I have put your .htaccess in the gallery folder but there is no change. Everyone can execute the PHP file when they click the "Download Link".

Thank you
Mai Minh
thestroller
 
Posts: 80
Joined: Fri Sep 29, 2006 12:05 am

Re: Security issue, please make the following change

Postby jondaley on Wed Apr 02, 2008 2:48 pm

The easiest way would be to set upload_allowed_files.

I think this is a good list. You should probably check the upgrade.zip file and see if I missed anything.
M /plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
M /plog/branches/lifetype-1.2/class/misc/glob.class.php
M /plog/branches/lifetype-1.2/class/misc/integritychecker.class.php

Re: Security issue, please make the following change

Postby thestroller on Wed Apr 02, 2008 4:02 pm

Hello Jon,
Thanks for your reply. But I found out there are too many extensions that must be added to the allow list. So I upgraded to the LT 1.2.7 version.

And I got the same error as someone else in the forum (cannot login with user 'admin'). Then I removed 'admin' from the 'not allowed username list' and now I can login with 'admin'.

Thank you

Re: Security issue, please make the following change

Postby jondaley on Wed Apr 02, 2008 10:02 pm

Hrm, I see that admin is on the list by default. I am not sure what to do about that. I guess the first thing is to make sure that new installations can't use the name admin and get themselves into the same place as you. If it correctly blocks it during the installation, I am not sure if there is anything to do - other than those folks with admin/www/etc usernames just have to deal with it during this upgrade.
