osCMax Security Update - Arbitrary Upload Exploit



michael_s
09-25-2008, 10:17 PM
A new blog entry has been added:

osCMax Security Update - Arbitrary Upload Exploit


A security hole was found in osCMax 2.0 RC 3.0.1 that allows a remote attacker to upload files to your site via a browser.

MindTwist
09-26-2008, 01:18 AM
I just received an email with this info 2-3h ago. I guess everyone else on the forum must have received it too; just wanted to say that it is nice to be informed when this kind of vulnerability is found.
Thx!

ryoyin
09-26-2008, 01:23 AM
My company web site has changed a lot of code.
I don't think it is possible to apply the RC3 update.
Which files contain this kind of threat?
Or what can I do to prevent this kind of threat?

Thx for the notification.

MindTwist
09-26-2008, 02:42 AM
Follow the link michael_s posted; you only need to delete a few files from your default OSCMAX installation, so it really doesn't matter how much you have modified your store previously :D

trochia
09-26-2008, 02:45 AM
Update appreciated, but I would just like to double check something please.

Looking at the posted file paths/dirs to be removed, all mine seem to be installed under:

/filermanager/connectors ( this dir also includes /browsers )

Within

/FCKeditor/editor/filemanager/browser/default/connectors/*.*

In /browser/default/ (as described in e-mail alert and post), this dir contains (2) dirs of: /images & /js

I am just verifying the posted paths against what I find/see, please?

Thx...Jim

JohnW
09-26-2008, 07:13 AM
Hi Mike,

Do you have any additional info that you can share about this exploit? Are there certain files that were being uploaded or changed due to this exploit? My assumption is target files are always credit card related, database, or even email related.

MindTwist
09-26-2008, 07:20 AM
Arbitrary Upload Exploit (http://www.oscmax.com/node/251) - I didn't even check, I just deleted the unneeded files, but I can assume that those included files are not needed for FCKeditor on OSCMAX/PHP, but could be used to upload anything/anywhere on your store.

Once someone does that, they can basically do anything they want with your host - download your complete store database, modify your store so when customers use a credit card, details are emailed to someone, upload a PHP script so your store is sending a gazillion spam messages every day without you even noticing, etc.

trochia
09-26-2008, 07:20 AM
Yes, I was curious also, as here's a 7-day search result:

- Google Search (http://www.google.com/search?hl=en&as_q=fckeditor+exploit&as_epq=&as_oq=&as_eq=&num=100&lr=&as_filetype=&ft=i&as_sitesearch=&as_qdr=w&as_rights=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=images)

And I see the new download contains new folder names?

Jim

JohnW
09-26-2008, 07:39 AM
Honestly, I'm not a huge fan of FCKeditor anyway.

One advantage of having a dedicated server and being actively involved with it is that things like email can be tightly monitored if things change, so I don't think I've been exploited there. But there are always possibilities for something I haven't considered.

My biggest fear is credit card related files being altered to compromise customer cc data, but I only use one CC system and I watch those files pretty carefully.

michael_s
09-26-2008, 01:39 PM
The key file(s) to remove are the test.html files included with that version of fckeditor. They do not sanitize input and allow the upload process to occur. Your file structure for FCKeditor may differ from that posted in the security notice, but be sure to remove all the test.html file(s) in fckeditor.

The other directories/files that are removed were part of a default fckeditor 2.0 install, and should be removed as osCMax does not use them. We took the opportunity to get them out of the package once and for all.

trochia
09-26-2008, 03:42 PM
Michael,

Thank you very much for the reply... as I wasn't sure... so if a DB backup was done on it... and I reload .2, all would be fine?

Jim

michael_s
09-26-2008, 05:37 PM
I do not recommend reinstalling all files. The updated download is primarily for new installs and the only difference is that it removes the insecure files.

The easiest way to do it would be to just delete the listed files. Second easiest would be to download the new package. Then, delete the FCKeditor dir from your live site, and upload the new FCKeditor dir from the download.

No installer needed, no messing with the database or any of your other files.

BobH
09-29-2008, 08:30 AM
I don't seem to be able to create links from images to pages within my site using the FCK editor within the Define Mainpage module since deleting the files/directories recommended to patch this security issue (I'm running osCMax v2.0 RC3-0-1). Has anyone else run into this?

Bob

trochia
09-29-2008, 09:02 AM
FWIW, I also ran into a problem... as I was using the CSS-Fluid template... I left my database, removed the old version, used the new version... and some of it broke... So I reverted back to what I had... and haven't "messed" with the manual deletion deal as of yet.

If anything, I think my way of going about it will be a process of elimination, just turning off folder/file permissions... one at a time... checking the site after each... and going from there... instead of doing a MASS DELETE, etc.

Jim

michael_s
09-29-2008, 09:08 AM
The changes have no effect on define_mainpage or the function of fckeditor. If you are having problems, it is not related to removing the files.

The files that are removed are never used by osCMax (ever) or any of the fckeditor functions that osCMax uses, so they have no effect on anything other than being a security hole.

trochia
09-29-2008, 09:19 AM
Hi Michael, I am just reporting what happened to me.

1) Using FTP, I deleted the DIR that cat was in.

2) I downloaded the latest, unzipped and went through the install routine, using the existing DB still up there.

I thought about sending you a pm, but didn't want to bother you, but if time permits... I might, for the heck of it, do it again to see if the above process duplicates itself... and report back... as I couldn't figure out what effect it would have, other than I noticed a difference in folder names as I reported/questioned earlier.

Jim

michael_s
09-29-2008, 09:25 AM
Via FTP, just delete the FCKeditor directory. Then upload the new FCKeditor directory. In my above post I recommended AGAINST doing what you describe. There is NO reason to reinstall the shop.

All you needed to do was remove the FCKeditor dir, then upload the new FCKeditor dir. That is it, a 2-minute operation.
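
An audit script to go with the fix michael_s describes in his two posts above (delete the test.html files, or swap the whole FCKeditor directory for the one in the new package). This is an added example, not code from the osCMax project or from the security notice. It walks a given FCKeditor tree and lists the test.html pages michael_s names as the key files, plus any directory named "connectors"; that second name is an assumption taken from the paths trochia quoted in this thread, so check it against the notice's list for your layout. Listing is the default; removal only happens when asked for, which fits the "check after each step" approach trochia wanted instead of a mass delete.

```shell
#!/bin/sh
# Added example (not from osCMax or the FCKeditor security notice): audit an
# FCKeditor tree for the leftover files this thread says to remove.
#   - test.html pages, which michael_s names as the key files to delete
#   - directories named "connectors" (assumption: taken from the paths quoted
#     in the thread; the notice has the exact list for the shipped layout)
# Nothing is deleted unless remove_fck_leftovers is called explicitly.

# list_fck_leftovers DIR
# Prints one path per line: every directory named "connectors" (pruned, so its
# contents are not listed again) and every remaining file named test.html
# beneath DIR.
list_fck_leftovers() {
    find "$1" \( -type d -name 'connectors' -prune -print \) \
           -o \( -type f -name 'test.html' -print \) 2>/dev/null | sort
}

# count_fck_leftovers DIR
# Prints how many entries list_fck_leftovers reports (0 when the tree is clean).
count_fck_leftovers() {
    list_fck_leftovers "$1" | awk 'END { print NR }'
}

# remove_fck_leftovers DIR
# Deletes every entry reported by list_fck_leftovers. The list is captured
# first so find is not still walking a directory that rm is removing.
remove_fck_leftovers() {
    _leftovers=$(list_fck_leftovers "$1")
    [ -n "$_leftovers" ] || return 0
    printf '%s\n' "$_leftovers" | while IFS= read -r _p; do
        rm -rf -- "$_p"
    done
}

# Usage: sh fck_audit.sh /path/to/FCKeditor         (list only)
#        sh fck_audit.sh /path/to/FCKeditor delete  (list, remove, recount)
if [ "$#" -ge 1 ]; then
    list_fck_leftovers "$1"
    if [ "$2" = "delete" ]; then
        remove_fck_leftovers "$1"
        echo "remaining: $(count_fck_leftovers "$1")"
    fi
fi
```

Run it once against the live FCKeditor directory before touching anything to see what it would remove, and again after uploading the new FCKeditor directory from the download: a count of 0 confirms the swap left none of the old files behind.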