Simple Machines Community Forum

SMF Support => SMF 1.1.x Support => Topic started by: osjak on November 05, 2008, 07:53:47 AM

Title: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 05, 2008, 07:53:47 AM
To the SMF team: deleting my post at this forum about this exploit only confirms that there is a vulnerability in SMF and you are trying to hide it. This is very irresponsible on your part. If this is in fact a working exploit, your users deserve to know their websites are in danger. Bad guys know that already for sure.

http://forum.joomla.org/viewtopic.php?f=267&t=340826
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: N3RVE on November 05, 2008, 08:12:50 AM
Hello osjak,
Thanks for airing your concerns.
I moved the topic and sent you a PM.

Quote from:
Hey! Osjak,
Thanks for the report, we're indeed aware of this and are yet to prove it won't work as the developers are yet to confirm. For the time being, I've moved the topic to the Staff boards.

Please, use the security report form next time ;)
http://www.simplemachines.org/about/security.php

-[n3rve]

Security vulnerabilities shouldn't be reported on the Support boards.

Thank you,
-[n3rve]
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: Deaks on November 05, 2008, 08:25:53 AM
osjak, we do thank you for pointing this out; however, constantly posting this on the forum as well as on other sites does not make it easier for us to confirm the report. We have regulations for situations like this, and that is to post a security report; the dev team as well as team members will use their knowledge to recreate the issues, and if it is felt needed a patch will be released. Can I please ask you to hold on and understand that we are working on it? Constant posting is not helping anyone.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 05, 2008, 08:36:05 AM
[n3rve], Runic Warrior,
Thank you for taking note of this topic and publicly responding.
Security form makes sense when I am the original person who found a vulnerability. In that case submitting my discovery privately keeps it from getting in wrong hands. What we have here is the opposite - information is already in wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people that will suffer if this information is not on this forum. As a forum admin I can now make an informed decision - to cross my fingers and run my site the way it is, or temporarily disable attachments wait for your information release.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: Deaks on November 05, 2008, 08:43:25 AM
osjak, we are also forum owners. When posting it publicly you are creating a potential fear amongst users; this in turn can make the situation worse than it is. We understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.

Now I have not checked the topic regarding this exploit yet today; however, I do know by looking at the posts that it is being discussed a lot, and if it is felt a patch is needed then one will be released.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 05, 2008, 09:03:08 AM
Quote from: Runic Warrior on November 05, 2008, 08:43:25 AM
osjak, we are also forum owners. When posting it publicly you are creating a potential fear amongst users; this in turn can make the situation worse than it is,
You look at users as fragile creatures that need an informational greenhouse to survive. I doubt that this is what an average forum admin is, otherwise he/she would not be an admin for long. You call it "potential fear", I call it concern. A concerned but prepared admin is in a better position than an admin with a cracked site that has no concerns. It is okay for an admin to be concerned about his forum security. I am concerned all the time, that's why I am subscribed to sites like milw0rm - to be aware of dangerous developments early enough before they hit my sites.

Quote from: Runic Warrior on November 05, 2008, 08:43:25 AM
we understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.
I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is great that SMF team is working on it and I will be waiting patiently for the outcome. Thank you!
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: N3RVE on November 05, 2008, 09:21:20 AM
Quote from: osjak on November 05, 2008, 09:03:08 AM
I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is true, but there have been cases where malicious users (not necessarily hackers) take advantage of such exploits and try to harm other users. I understand your concerns, but I really didn't see it necessary to post this after I had sent the PM.
Regardless,
As a temporary measure, you should rename your attachments directory to something else (preferably random alpha characters) and also ensure that the Admin CP has the correct directory name in 'Attachments and Avatars'.

Should you wish to go one step further then you could temporarily comment out the packages line from within action array inside the index.php file in your SMF dir.

Change lines :
Code (Find)

'packageget' => array('PackageGet.php', 'PackageGet'),
'packages' => array('Packages.php', 'Packages'),


Code (Replace)

// 'packageget' => array('PackageGet.php', 'PackageGet'),
// 'packages' => array('Packages.php', 'Packages'),


-[n3rve]
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 05, 2008, 03:45:47 PM
[n3rve], excellent suggestions! Thank you!
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: 青山 素子 on November 06, 2008, 02:13:38 AM
The developers know about it, and it is being worked on. They need to find the source of the issue first, so a real solution is made instead of something that just hides the problem.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: Jorin on November 06, 2008, 02:32:42 AM
Quote from: osjak on November 05, 2008, 08:36:05 AM
What we have here is the opposite - information is already in wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people that will suffer if this information is not on this forum. As a forum admin I can now make an informed decision - to cross my fingers and run my site the way it is, or temporarily disable attachments wait for your information release.

I too would love to get informed by simplemachines itself about such security issues, so I can inform the group of not so experienced users and admins, who will never get this kind of information if it is not posted by you or me.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: xact on November 06, 2008, 04:23:08 AM
Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

I've seen that; any idea if disabling the theme changing and avatars uploading/attachments will do the job?
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: Tony Reid on November 06, 2008, 04:30:25 AM
From what I have seen in addition to the above suggestion, it would also be an idea to comment out the themes and jsoption lines from the action array in the same way packages and packageget was done.
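A script form of the interim measures from N3RVE's post above (rename the attachments directory to something unguessable, comment out the 'packageget' and 'packages' entries of the action array in index.php) together with Tony Reid's addition of the themes and jsoption lines. This is an added example, not SMF project code and not a team-sanctioned tool. It assumes the standard layout $smfDir/index.php and $smfDir/attachments, and it takes the action names exactly as they are written in the posts above, so check them against your own index.php before running it; the backup file name and the attach_ prefix are this example's own choices.

```php
<?php
// Added example (not SMF code): apply the interim mitigations discussed in this thread
// to an SMF 1.1.x tree in one step, keeping a backup so they can be reverted after 1.1.7.
// Usage: php mitigate.php /path/to/smf

/**
 * Comment out the given entries of the $actionArray in index.php.
 * Returns the number of lines changed. A timestamped backup is written first.
 */
function disable_actions(string $indexFile, array $actions): int
{
    $src = file_get_contents($indexFile);
    if ($src === false) {
        throw new RuntimeException("cannot read $indexFile");
    }
    copy($indexFile, $indexFile . '.bak.' . time());
    $changed = 0;
    foreach ($actions as $action) {
        // Match "<indent>'action' => " at the start of a line. Lines that are already
        // commented begin with "//" and therefore do not match a second time.
        $pattern = "/^([ \t]*)'" . preg_quote($action, '/') . "' => /m";
        $src = preg_replace($pattern, "$1// '$action' => ", $src, -1, $count);
        $changed += $count;
    }
    if (file_put_contents($indexFile, $src) === false) {
        throw new RuntimeException("cannot write $indexFile");
    }
    return $changed;
}

/** Return which of the given actions are still live (uncommented) in index.php. */
function live_actions(string $indexFile, array $actions): array
{
    $src = file_get_contents($indexFile);
    if ($src === false) {
        throw new RuntimeException("cannot read $indexFile");
    }
    $live = [];
    foreach ($actions as $action) {
        if (preg_match("/^[ \t]*'" . preg_quote($action, '/') . "' => /m", $src)) {
            $live[] = $action;
        }
    }
    return $live;
}

/**
 * Rename the attachments directory to an unguessable name and return the new path.
 * The new name still has to be entered in Admin CP > Attachments and Avatars afterwards.
 */
function randomize_attachments_dir(string $smfDir): string
{
    $new = $smfDir . '/attach_' . bin2hex(random_bytes(8));
    if (!rename($smfDir . '/attachments', $new)) {
        throw new RuntimeException("cannot rename $smfDir/attachments");
    }
    return $new;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $smfDir  = rtrim($argv[1], '/');
    // Names as given in the posts above; verify them against your own index.php.
    $actions = ['packageget', 'packages', 'themes', 'jsoption'];
    $n = disable_actions("$smfDir/index.php", $actions);
    echo "commented out $n action line(s)\n";
    $still = live_actions("$smfDir/index.php", $actions);
    echo "still live: " . ($still ? implode(', ', $still) : 'none') . "\n";
    echo "attachments moved to " . randomize_attachments_dir($smfDir) . "\n";
}
```

Running it a second time is harmless: the commented lines no longer match, and a second rename would fail loudly because the attachments directory is gone. To revert, restore the .bak file and move the directory back (or point the Admin CP setting at the new name permanently, which is the safer choice).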


Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: Kermit on November 06, 2008, 06:26:55 AM
AdminCP
Attachments and Avatars
Encrypt stored filenames

should be activated too; it will also encrypt the names of the attachments, which means that we cannot execute a file when we just type


http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename]


That would not work if we activate the option from above.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: dangerboy on November 06, 2008, 11:19:45 AM
so how can we secure our forum?
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: N3RVE on November 06, 2008, 12:24:58 PM
Quote from: dangerboy on November 06, 2008, 11:19:45 AM
so how can we secure our forum?
We're getting ready for 1.1.7, temporarily, you can do as stated in this post
http://www.simplemachines.org/community/index.php?topic=272393.msg1783614#msg1783614

-[n3rve]
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: yaax on November 06, 2008, 12:45:20 PM
Note that there also exists second exploit:
Quote
The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires fix in Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.
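yaax's post says the theme_dir value is used without proper verification and that the fix belongs in Sources/QueryString.php and Sources/Themes.php; that fix is not reproduced here. The block below is an added example of the kind of check a practitioner would put in front of an include() that takes a user-influenced directory: canonicalize the value and require it to resolve strictly inside the themes root. It is not SMF code. The function names and the temporary directory layout are this example's own, and so is the assumption that an attacker-chosen value may carry a NUL byte (magic_quotes_gpc backslash-escapes NUL and quote characters in request data, which is one common reason it happens to block such payloads, but the thread does not say which payload the published exploit uses).

```php
<?php
// Added example, not SMF code: validate a user-controlled theme_dir before it reaches include().
// Assumes all legitimate themes live under one root directory ($themeRoot), as SMF's
// Themes/ directory does; the function and variable names are this example's own.

/**
 * Return the canonical directory if $candidate is an existing directory strictly inside
 * $themeRoot, or null if it must be rejected. The check does not depend on magic_quotes_gpc.
 */
function resolve_theme_dir(string $candidate, string $themeRoot): ?string
{
    // Refuse embedded NUL bytes explicitly instead of relying on magic_quotes_gpc to
    // escape them; a NUL is the classic way to truncate an include path.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    $root = realpath($themeRoot);
    $real = realpath($candidate);   // collapses ../ and symlinks; false if the path does not exist
    if ($root === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare against the root with a trailing separator so that "/Themes_x" cannot pass
    // for "/Themes", and so the root itself (not a theme) is rejected too.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Constructed demonstration: a temporary tree with one real theme and an attachments
 * directory holding a file that stands in for a malicious avatar upload.
 */
function demo(): array
{
    $base = sys_get_temp_dir() . '/smf_theme_demo_' . bin2hex(random_bytes(4));
    mkdir("$base/Themes/default", 0700, true);
    mkdir("$base/attachments", 0700, true);
    touch("$base/Themes/default/index.template.php");
    touch("$base/attachments/avatar_1.php");
    $root = "$base/Themes";

    $results = [
        'legit'     => resolve_theme_dir("$base/Themes/default", $root),
        'traversal' => resolve_theme_dir("$base/Themes/default/../../attachments", $root),
        'absolute'  => resolve_theme_dir("$base/attachments", $root),
        'nul'       => resolve_theme_dir("$base/Themes/default\0/../../attachments", $root),
        'root'      => resolve_theme_dir($root, $root),
    ];

    unlink("$base/Themes/default/index.template.php");
    unlink("$base/attachments/avatar_1.php");
    foreach (["$base/Themes/default", "$base/Themes", "$base/attachments", $base] as $dir) {
        rmdir($dir);
    }
    return $results;   // only 'legit' is a path; every other case is null
}

foreach (demo() as $case => $dir) {
    printf("%-9s -> %s\n", $case, $dir ?? 'rejected');
}
```

The point of doing the comparison on realpath() output rather than on the raw string is that "../" sequences, symlinks and trailing-slash variants are all collapsed before the prefix check, so the attachments directory cannot be reached no matter how the value is spelled; checking for NUL first matters because realpath() and include() would otherwise see a truncated path.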
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 06, 2008, 02:18:10 PM
Quote from: yaax on November 06, 2008, 12:45:20 PM
Note that there also exists second exploit:
Quote
The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires fix in Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.
yaax, yes I was also trying to point that out:

Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.
Unfortunately we have to keep talking in code here, even though, as you already mentioned, all other sites are full of links to actual exploits and any bad-intended person can easily find them. Anyway, let's just hope that 1.1.7 will address both issues.

Can we also ask that there will be instructions on how to update the code manually? My sites are modified too heavily to be updated the conventional way.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: yaax on November 06, 2008, 02:31:53 PM
Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

In PHP you have three kinds of magic_quotes - which one needs to be ON?
You have:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

I have magic_quotes_gpc as ON, but not sure regarding all others.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: metallica48423 on November 06, 2008, 02:56:31 PM
All, we are aware of both exploits and we will be pushing out a security patch as soon as it can be implemented and tested to ensure that the patches actually work for both issues.

Our goal is currently to have that patch release out by the end of the weekend, hopefully at the latest.  Normally these issues are patched within 48-72 hours after discovery, however due to the one-two punch and moderate to severe nature of these two it will be a bit longer to ensure that we can properly secure those who depend on our software.

A couple of team members have pointed out in this topic a small number of interim fixes to guard against these. I would recommend implementing these on a temporary basis to ensure that you are secured.

Thanks for your patience and understanding!

metallica48423
Lead Support Specialist
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 06, 2008, 03:34:40 PM
Quote from: yaax on November 06, 2008, 02:31:53 PM
In PHP you have three kinds of magic_quotes - which one needs to be ON?
You have:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

I have magic_quotes_gpc as ON, but not sure regarding all others.

This is what I have:


admin@www1:~$ grep 'magic_quotes' /etc/php5/apache2/php.ini
magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off


These settings seemed to prevent the exploit. I'm not an expert though, so take this with a grain of salt. I also implemented the advice from n3rve several posts above (http://www.simplemachines.org/community/index.php?topic=272393.msg1783614#msg1783614).

metallica48423, thank you for keeping us updated!
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: 青山 素子 on November 06, 2008, 10:40:18 PM
The magic_quotes_gpc setting should be the only one you need on.

I tested both exploits, and the package manager one doesn't work as advertised (you need to modify it a bit to get it working), but the theme one does work easily.

Note that 2.0 is not currently affected by either exploit as they are currently. So, at this point, 2.0b4 is unaffected. After working on the 1.1 issues, we will investigate the same areas in 2.0 to make sure they don't have a similar issue.

Edit: Also, the main function being used in the exploits to actually run things is passthru(). SMF doesn't use this function, so you can try disabling it in PHP if you have the access to do so. It won't stop the exploit, but should make it harder to get a payload running.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: N3RVE on November 07, 2008, 08:39:34 AM
Quote from: osjak on November 06, 2008, 02:18:10 PM
Can we also ask that there will be instructions on how to update code manually? My sites are modified too heavily to be updated  conventional way.

There is a topic in the Install and Upgrade Help (http://www.simplemachines.org/community/index.php?board=10.0) board where the Manual instructions are posted, I'll update the topic shortly after the release.

-[n3rve]
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: D M G on November 07, 2008, 08:18:53 PM
Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 07, 2008, 09:22:42 PM
Quote from: D M G on November 07, 2008, 08:18:53 PM
Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.

Fearmongers??? Let me remind you this is the only topic where this issue has been addressed by the SMF team for everyone's (yours also) benefit. Maybe you don't care about your site's security, but I certainly appreciate those suggestions from n3rve that helped everyone to wait for the release of 1.1.7 without losing their websites.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: D M G on November 07, 2008, 09:26:09 PM
Laughable. Really. Don't tell me what I know and don't know about securing my site.

You could have handled this easily by informing the proper people, they even have a handy form to do so. Instead you came on here yelling and making those who don't know a whole lot except how to login to their board and not much else panic and fluster. It's pretty ignorant.


Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: osjak on November 07, 2008, 09:33:24 PM
I'm sorry for getting you into panic mode. My intent was to get information on how to secure SMF for myself and for those who care. If you don't care, you may laugh all you want, up until the point when your website is taken out by a script kiddie.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: D M G on November 07, 2008, 09:36:08 PM
Oh I didn't panic, you're deliberately misreading me but I'd expect that from someone of your calibre.

Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: metallica48423 on November 07, 2008, 10:20:21 PM
Guys, please take this out of these boards. We have a policy of respect and fairness here.

Nobody's right or wrong. This topic was not the first nor the last notification we got on the issue, so fortunately it was already under way when this came up.

The important thing is key -- we need to know about these things to fix them.
Title: Re: SMF 1.1.6 Remote Code Execution Exploit
Post by: palofdru on November 08, 2008, 05:41:54 AM
Quote from: D M G on November 07, 2008, 08:18:53 PM
Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.
^^ :( Typical.

"User who raised legitimate concern attacked by rabid fanboy."


SMF, as a commercial enterprise, zealously guards its reputation, sometimes I think at the expense of transparency and openness.

Regarding osjak's post, I'm not a fan of posting direct links to exploits without additional narrative, primarily because the risk is not 'exposing exploits to hackers who may already be aware of them' but rather disseminating hacker info to disgruntled forum members who have been banned, disciplined or are just plain "idle hands assholes".

However, I would have hoped that when news of the exploit was first released, SMF gave the exploit a bit more coverage, say on the front page.

i.e. (http://www.joomla.org/images/thumbs/images/stories/security_release_80x80.png)
and immediately and prominently pointing to the initial work around, to be implemented in the immediate hours before a sanctioned update is available.

There is something creepily Orwellian with the 'disappearing' of posts, almost as if we are more concerned with perception management and not security. Heck, I'm not asking nor even expecting SMF to be totally secure! The current White House is as paranoid and closed as they come, and even they got hacked, so yeah, sh*t happens, but don't cover it up, misquote/misrepresent and downplay issues.