Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#13 2011-05-26 21:29:53

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

^^ Right. I mixed up a few vulnerabilities.

Offline

#14 2011-05-26 21:42:52

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,358
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this. After all, it’s easy to find out if a website is running TXP

Offline

#15 2011-05-26 21:55:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,568
Website GitHub

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

gomedia wrote:

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this.

It’s important to document vulnerabilities. Neal has been incredibly generous and understanding by raising the issues with us privately via the TXP security channel, and giving us time to address as much as we could. He held off this article until we had a chance to deal with most of the issues in 4.4.0, and we (well, Robert) have addressed so much more in SVN in the past few days.

Bear in mind that we dropped 4.4.0 within about two weeks of the vulnerabilities coming to our attention so we were nervous about it, given the limited testing that took place before release (we normally have a loooong time to catch bugs between releases). And we had to hold off the actual changes to SVN until the last moment because otherwise the vulnerabilities would have come to light during the testing phase as people reverse engineered the changesets to figure out what was going on. I was hammering the code left right and centre, but I’m only one guy and can’t hope to catch everything. The CSRF stuff needs much more testing because it’s a BIG change. Please test!

Last edited by Bloke (2011-05-26 21:58:52)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#16 2011-05-26 21:58:48

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

And a big thank you again to all the Textpattern devs for being so understanding and responsive :)

Offline

#17 2011-05-26 22:04:57

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,358
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Please don’t misunderstand me – I wasn’t making any criticism of the effort made or of the changes. I’m just a bit concerned that in the real world it’s not possible to do software upgrades at the drop of a hat & until then a pre-4.3.0 TXP website is vulnerable.

An .htaccess file, however, would be easy to bang in – as a temporary measure – so is it just a question of password protecting the /textpattern dir?

Offline

#18 2011-05-26 22:08:14

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Yes, that protects against the arbitrary code execution vulnerability (assuming the attacker doesn’t know the password).

Offline

#19 2011-05-26 22:30:32

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,358
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks Neal, it’s much appreciated. I’ll do that before my portfolio of websites is “tested”.

Just as an aside, how about if the TXP admin interface automatically alerted users to things like this?

So when you log in, you get a “for your eyes only” message from the TXP Mothership – something along the lines of “Psst, I’ve noticed a big hole in your trademan’s, so you’d better upgrade sharpish!”

That way:

  • we don’t need to have a street party to advertise vulnerabilities
  • we can target TXP admin users who don’t lead such sad lives that they check Google Reader before the BBC

Offline

#20 2011-05-26 22:41:19

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Damn, the Neal thanked in the commit messages was that Neal, from that blog (nice blog btw). Great findings Neal. Big hug — I mean really manly handshake to you man :)

gomedia wrote:

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this. After all, it’s easy to find out if a website is running TXP

Well, the stuff is already publicly available in the public repo (not to overuse word public, hah). I see nothing wrong about discussing most of this. Don’t forget that Neal didn’t reveal the information, but privately reported it to the devs (Robert) which exactly what should have been done.

Offline

#21 2011-05-27 00:08:24

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,372
Website GitHub Mastodon

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

There is always a concern when security issues come up over how and when to publicize them. It seems pretty obvious in retrospect that Neal alerted the developers, gave them a chance to work on the problems and get 4.4.0 out, let everyone put it through testing and let all the people who are naturally hesitant to upgrade get a chance to see that things have gone okay, and now Neal has actually released what he has found to give the naturally hesitant another incentive. This is exactly how this sort of thing should work when adults act responsibly.

The fact is, the vulnerabilities were always there and are still there on any pre-4.4.0 install. Hoping that only Neal and the developers know about them can only last so long. If you haven’t upgraded yet, you should. If you get hacked and haven’t upgraded, you probably won’t know if it is the information that was just revealed or an evildoer discovering it independently.

I haven’t installed a non-point release version of Textpattern in years but I fully intend to asap.

p.s. When things calm down a little, perhaps a blog post similar to this one

Last edited by michaelkpate (2011-05-27 00:10:58)

Offline

Board footer

Powered by FluxBB