Textpattern CMS support forum

#1 2011-05-26 15:30:09

Neal
Member
Registered: 2011-03-29
Posts: 6

[mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

https://nealpoole.com/blog/2011/05/multiple-major-security-vulnerabilities-in-textpattern/

That’s my blog; I’m happy to answer questions here or in the comments there. But if you’re not running 4.4.0, you need to upgrade ASAP: every single prior version of Textpattern allows an attacker to execute arbitrary code on your server (among other nasty things).

Last edited by Neal (2011-05-26 15:30:56)

#2 2011-05-26 15:49:31

hcgtv
Plugin Author
From: Miami, Florida
Registered: 2005-11-29
Posts: 2,634

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks again Neal for taking the time to audit the Textpattern code.

Any chance of you making the switch from WordPress to Textpattern?

#3 2011-05-26 16:10:42

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,210

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Developing secure PHP software has been problematic for a long time. Since Textpattern’s initial development predates most of the work that came later, and it has never received the kind of intense scrutiny that some other systems have, I am not surprised that these issues have arisen.

I do want to commend you and the development team for treating these seriously. While I have had hacking issues with other CMS software and never with Textpattern, the nature of open source projects requires that we all make a certain amount of effort to be diligent.

I certainly intend to double-check that all of my installs have been properly upgraded and suggest everyone else do the same. And continue to do so in the future.

#4 2011-05-26 16:18:57

merz1
Member
From: Hamburg
Registered: 2006-05-04
Posts: 994

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks Neal for the security audit!


#5 2011-05-26 17:03:54

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?

#6 2011-05-26 17:17:10

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,315

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Wow, good analysis!!

I am not an expert, but if I understand correctly, those vulnerabilities can be used only if you have an account on a site! If I have a blog and I am the only one who accesses it, there is no vulnerability!! Right?

#7 2011-05-26 17:20:59

Neal
Member
Registered: 2011-03-29
Posts: 6

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

hcgtv wrote:

Any chance of you making the switch from WordPress to Textpattern?

Not at present, no.

ruud wrote:

Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?

I’m certainly aware of potential classes of vulnerabilities (XSS, CSRF, file inclusion, code execution, etc.). For the most part, I attempt to identify potentially dangerous functionality (i.e., <txp:php>) and then ensure that proper security restrictions exist around that functionality.

Dragondz wrote:

I am not an expert, but if I understand correctly, those vulnerabilities can be used only if you have an account on a site! If I have a blog and I am the only one who accesses it, there is no vulnerability!! Right?

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

Last edited by Neal (2011-05-26 17:28:17)

#8 2011-05-26 18:29:06

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,210

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?

#9 2011-05-26 18:34:43

Neal
Member
Registered: 2011-03-29
Posts: 6

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

michaelkpate wrote:

For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?

Unless someone is targeting you specifically, yes. There is still no CSRF protection, which opens up a number of possible attacks (an attacker can create an admin user, for instance). However, a CSRF attack is targeted at a particular installation and requires you to be logged in.

Last edited by Neal (2011-05-26 18:44:53)
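
An added example, not part of the post above and not Textpattern's own code: a synchronizer-token check of the kind the missing CSRF protection would provide, wrapped around a hypothetical "add user" admin action. The function names, the `_csrf` field and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration only; every name here is hypothetical, not Textpattern's API.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

/** True only if the request body carries the token stored in the session. */
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['_csrf'] ?? '';
    // hash_equals() compares in constant time; refuse empty or non-string values first.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

/** Hypothetical state-changing admin action: adding a user. */
function handle_add_user(array $session, string $method, array $post): string
{
    if (empty($session['logged_in'])) {
        return '401 login required';
    }
    if ($method !== 'POST') {
        return '405 state changes must use POST';
    }
    if (!csrf_check($session, $post)) {
        return '403 missing or invalid CSRF token';
    }
    return '200 user "' . ($post['name'] ?? '') . '" created';
}

// Constructed sample requests against one logged-in admin session.
$session = ['logged_in' => true];
$token   = csrf_token($session); // embedded as a hidden field in the admin form

// 1. Form submitted from the admin panel: carries the session's token.
echo handle_add_user($session, 'POST', ['name' => 'editor', '_csrf' => $token]), "\n";
// 2. Cross-site request: the browser attaches the session cookie, but the
//    foreign page cannot read the token, so the field is absent...
echo handle_add_user($session, 'POST', ['name' => 'intruder']), "\n";
// 3. ...or guessed, which fails the comparison.
echo handle_add_user($session, 'POST', ['name' => 'intruder', '_csrf' => str_repeat('0', 64)]), "\n";
```

Being logged in is what makes the forged request dangerous, which is why the session check alone does not help: only the token distinguishes requests 2 and 3 from request 1.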

#10 2011-05-26 19:20:21

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

Moving the /files directory outside document root would also work, as I understand it. (ignore this. I misread)
