LTA | 3 Aug 19:59

Need some help with minical plugin

Hello world.

I'd like to ask you for help.
Look at the calendar on this page:
http://www.ppgh.ufba.br/spip.php?article2

It's showing August 3rd as Sunday (letter D)... but today is Monday.

Does anybody know how to fix it?

I thank you all in advance. =)

Thomas Sutton | 5 Aug 05:40

Security of SPIP 2.0.8

Hi all,

I'm currently trying to clean up a client's site running SPIP 2.0.8  
[13982] which was attacked and had links to malware inserted. The  
attacker was able (apparently without FTP access or a SPIP author  
account) to modify the site by convincing SPIP to run the  
`/ecrire/?exec=install` installation wizard again and using this to switch to an  
SQLite database (rather than the MySQL server it *was* using).

The attack seems to have taken place over a few days and shows signs  
of being manual. It also looks as though the attacker may be  
exploiting bugs in SPIP's path handling to write to files it ought not  
to write.

I'm still working to determine how the attack worked and to find some  
way of removing the vulnerability. I have logs of the attacker's  
requests and can make them available to SPIP developers to help find  
and fix the exploit.

Cheers,

Thomas Sutton
Web Developer

bouncingorange
graphic+web design
Committo,Ergo:sum | 5 Aug 07:44

Re: Security of SPIP 2.0.8

Hi Thomas

Le 5 août 09 à 05:40, Thomas Sutton a écrit :

> Hi all,
>
> I'm currently trying to clean up a client's site running SPIP 2.0.8  
> [13982] which was attacked and had links to malware inserted. The  
> attacker was able (apparently without FTP access or a SPIP author  
> account) to modify the site by convincing SPIP to run the  
> `/ecrire/?exec=install` installation wizard again and using this to switch to  
> an SQLite database (rather than the MySQL server it *was* using).

It appears that the exec=install script for the actions chmod and  
additional base was not restricted to administrators. Not clear if it  
is really dangerous, but we will think about it.

Emmanuel

Thomas Sutton | 5 Aug 08:23

Re: Security of SPIP 2.0.8

Hi Emmanuel,

On 05/08/2009, at 1:44 PM, Committo,Ergo:sum wrote:

> Hi Thomas
>
> Le 5 août 09 à 05:40, Thomas Sutton a écrit :
>
>> Hi all,
>>
>> I'm currently trying to clean up a client's site running SPIP 2.0.8  
>> [13982] which was attacked and had links to malware inserted. The  
>> attacker was able (apparently without FTP access or a SPIP author  
>> account) to modify the site by convincing SPIP to run the  
>> `/ecrire/?exec=install` installation wizard again and using this to switch to  
>> an SQLite database (rather than the MySQL server it *was* using).
>
> It appears that the exec=install script for the actions chmod and  
> additional base was not restricted to administrators. Not clear if  
> it is really dangerous, but we will think about it.

It is dangerous for any SPIP site installed according to the  
instructions. There are two bugs which allow a user (not an admin, or  
editor, or visitor; any person who can make an HTTP request) to hijack  
a SPIP site and serve whatever content they like. We know this is  
true, because it has happened to one of our sites in an attack on  
2009-08-01 and 2009-08-03 and we've been able to replicate the attack  
using the details in the logs.

These bugs can be ameliorated on a site-by-site basis by restricting  
access to /ecrire/ to only those IP addresses which need it, by  
renaming /ecrire/ to something else, by changing the permissions for  
/config/ such that the server cannot write any files within it, etc.  
But none of this is mentioned in the install instructions in French  
<http://www.spip.net/fr_article402.html> or in English  
<http://www.spip.net/en_article84.html>.

Is there a private avenue to report security problems with SPIP? I  
don't think it's a good idea discussing this issue on a public list  
(hence there are more details in my private reply to your message),  
especially when we don't even know where the problem is yet, never  
mind have a new release out yet. Many other similar projects have  
procedures for reporting security problems (see Drupal's, for instance  
<http://drupal.org/security-team>) which make sure that the problem  
can be debugged and fixed and a patch released before it becomes  
common knowledge.

Cheers,

Thomas Sutton

bouncingorange
graphic+web design
Martín Gaitán | 5 Aug 17:15

Re: [spip-dev] Security of SPIP 2.0.8

On Wed, Aug 5, 2009 at 3:23 AM, Thomas
Sutton<thomas@...> wrote:
> Hi Emmanuel,
>
> It is dangerous for any SPIP site installed according to the instructions.
> There are two bugs which allow a user (not an admin, or editor, or visitor;
> any person who can make an HTTP request) to hijack a SPIP site and serve
> whatever content they like. We know this is true, because it has happened to
> one of our sites in an attack on 2009-08-01 and 2009-08-03 and we've been
> able to replicate the attack using the details in the logs.
>
> These bugs can be ameliorated on a site-by-site basis by restricting access
> to /ecrire/ to only those IP addresses which need it, by renaming /ecrire/
> to something else, by changing the permissions for /config/ such that the
> server cannot write any files within it, etc. But none of this is mentioned
> in the install instructions in French
> <http://www.spip.net/fr_article402.html> or in English
> <http://www.spip.net/en_article84.html>.
>
> Is there a private avenue to report security problems with SPIP? I don't
> think it's a good idea discussing this issue on a public list (hence there
> are more details in my private reply to your message), especially when we
> don't even know where the problem is yet, never mind have a new release out
> yet. Many other similar projects have procedures for reporting security
> problems (see Drupal's, for instance <http://drupal.org/security-team>)
> which make sure that the problem can be debugged and fixed and a patch
> released before it becomes common knowledge.
>
> Cheers,
>
> Thomas Sutton

A site of mine has also suffered an attack, injecting iframes pointing
to servers (in this case x8n.ru). Google (therefore Firefox) flagged
our site as dangerous, so it was a real problem.

http://www.google.com/safebrowsing/diagnostic?site=sindicatodelsubte.com.ar

The problem seemed to be a trojan which infected my customer's
computer, capturing the password to FTP. There are many similar attacks
in the last days. Like here:
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

So, ensure your computer is clean.

Martin
Thomas Sutton | 6 Aug 02:51

Re: [spip-dev] Security of SPIP 2.0.8

Hi Martín,

On 05/08/2009, at 11:15 PM, Martín Gaitán wrote:

> On Wed, Aug 5, 2009 at 3:23 AM, Thomas Sutton<thomas@...> wrote:
>> Hi Emmanuel,
>>
>> It is dangerous for any SPIP site installed according to the  
>> instructions.
>> There are two bugs which allow a user (not an admin, or editor, or  
>> visitor;
>> any person who can make an HTTP request) to hijack a SPIP site and  
>> serve
>> whatever content they like. We know this is true, because it has  
>> happened to
>> one of our sites in an attack on 2009-08-01 and 2009-08-03 and  
>> we've been
>> able to replicate the attack using the details in the logs.
>>
>> These bugs can be ameliorated on a site-by-site basis by  
>> restricting access
>> to /ecrire/ to only those IP addresses which need it, by renaming /ecrire/
>> to something else, by changing the permissions for /config/ such  
>> that the
>> server cannot write any files within it, etc. But none of this is  
>> mentioned
>> in the install instructions in French
>> <http://www.spip.net/fr_article402.html> or in English
>> <http://www.spip.net/en_article84.html>.
>>
>> Is there a private avenue to report security problems with SPIP? I  
>> don't
>> think it's a good idea discussing this issue on a public list  
>> (hence there
>> are more details in my private reply to your message), especially  
>> when we
>> don't even know where the problem is yet, never mind have a new  
>> release out
>> yet. Many other similar projects have procedures for reporting  
>> security
>> problems (see Drupal's, for instance <http://drupal.org/security-team>)
>> which make sure that the problem can be debugged and fixed and a  
>> patch
>> released before it becomes common knowledge.
>>
>> Cheers,
>>
>> Thomas Sutton
>
> A site of mine has also suffered an attack, injecting iframes pointing
> to servers (in this case x8n.ru). Google (therefore Firefox) flagged
> our site as dangerous, so it was a real problem.
>
> http://www.google.com/safebrowsing/diagnostic?site=sindicatodelsubte.com.ar
>
> The problem seemed to be a trojan which infected my customer's
> computer, capturing the password to FTP. There are many similar attacks
> in the last days. Like here:
> http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
>
> So, ensure your computer is clean.
>
> Martin

Yes, it is important to ensure that computers are not infected with  
password-stealing Trojans, and we've also been asked to clean up after  
one of these password-capture attacks. But the bugs I've reported are  
dangerous precisely because they do not require usernames or  
passwords. At all.

To avoid these bugs while a fix is in progress, I've started removing  
all write permissions from `/config/` and `/config/*.php` on all our  
2.0 sites. To do otherwise allows the site to be hijacked.

Cheers,

Thomas Sutton

bouncingorange
graphic+web design
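The interim hardening Thomas describes here and in his earlier message (stripping write access from /config/ and /config/*.php), as an added POSIX shell example that is not part of the list thread; it assumes the SPIP site root is passed as the argument and that config/ sits directly under it.

```shell
#!/bin/sh
# Added example, not code from the SPIP project or the thread.
# Removes write permission from <root>/config and every file in it,
# then verifies that nothing under config/ is writable by anyone.
# Assumption: a SPIP 2.0 layout with config/ directly under the site root.

# Strip write bits from config/ and its contents. Ownership is untouched;
# only permission bits change, so PHP can still read the files.
spip_lock_config() {
    root="$1"
    cfg="$root/config"
    [ -d "$cfg" ] || { echo "no config dir at $cfg" >&2; return 2; }
    # Files first, then the directory, so the wizard can neither rewrite
    # existing *.php nor create new files next to them.
    find "$cfg" -type f -exec chmod a-w {} +
    chmod a-w "$cfg"
}

# Report anything under config/ that still carries a write bit for the
# owner, group or others. Permission bits are inspected rather than
# access(2), so the check is meaningful even when run as root.
# Returns 0 when everything is read-only, 1 otherwise.
spip_check_config() {
    cfg="$1/config"
    writable=$(find "$cfg" \( -perm -u+w -o -perm -g+w -o -perm -o+w \) 2>/dev/null)
    if [ -n "$writable" ]; then
        printf 'still writable:\n%s\n' "$writable" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh harden.sh /var/www/site
if [ "$#" -eq 1 ]; then
    spip_lock_config "$1" && spip_check_config "$1"
fi
```

Fil's reply later in the thread still applies: this blocks the observed rewrite of config/ through the install wizard but not every attack through the same hole, so the 2.0.9 upgrade announced below is the actual fix.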
L'oiseau2nuit | 6 Aug 14:10

SPIP Security alert + new version 2.0.9 (and 1.9.2 i )

SPIP Security alert + new version 2.0.9 (and 1.9.2 i )

http://www.spip-contrib.net/SPIP-Security-Alert-new-version

I'd suggest you to upgrade ASAP.

--
Etienne Brackers.
http://www.loiseau2nuit.net

| Ted Turner  - "Sports is like a war without the killing."
Gilles VINCENT | 6 Aug 17:16

Re: SPIP Security alert + new version 2.0.9 (and 1.9.2 i )

You don't need to upgrade SPIP to block this attack:
just remove the write access to /config/ and any file inside.

.Gilles


On Thu, Aug 6, 2009 at 2:10 PM, L'oiseau2nuit <l.oiseau2nuit-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
SPIP Security alert + new version 2.0.9 (and 1.9.2 i )

http://www.spip-contrib.net/SPIP-Security-Alert-new-version

I'd suggest you to upgrade ASAP.

--
Etienne Brackers.
http://www.loiseau2nuit.net

| Ted Turner  - "Sports is like a war without the killing."


Fil | 6 Aug 21:18

Re: SPIP Security alert + new version 2.0.9 (and 1.9.2 i )

> You don't need to upgrade SPIP to block this attack :
> just remove the write access to /config/ and any file inside..

Not really. This will block the specific attack we have witnessed, but
not the possible range of attacks through the same security hole.

-- Fil
Fil | 17 Aug 10:13

Re: Bug in inc/statistiques.php for SPIP 2.0.8

Hi Thomas,

I think [14399] fixes this. Thank you.

On Tue, Jun 30, 2009 at 9:33 AM, Thomas
Sutton<thomas@...> wrote:
> Hi all,
>
> There appears to be a bug in the file `inc/statistiques.php`. Sometimes it
> outputs "Array" after the total (see screenshot):
>
>> total: 203Array

-- Fil
