Textpattern CMS support forum

#11 2011-05-26 19:21:04

hcgtv
Plugin Author
From: Miami, Florida
Registered: 2005-11-29
Posts: 2,634
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

Not at present, no.

At least we have a glimmer of hope :)

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

A few years back, I posted an .htaccess contributed by Ruud that I was using to protect the /textpattern directory.

This is how it looks currently, keeping up with stable releases:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
 RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
 RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/jquery\.js$
 RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/theme/.+\.(jpg|gif|png|css)$
 RewriteRule ^(.*) - [F]
</IfModule>

It’s not for password protection, but it does offer some bit of protection.

#12 2011-05-26 19:26:07

Neal
Member
Registered: 2011-03-29
Posts: 6
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

ruud: I think you’re conflating two separate vulnerabilities.

- The file upload issues are still present in 4.4.0. An unauthenticated attacker would need to exploit it using CSRF. An authenticated attacker would just be able to upload. It can be mitigated by making sure the files/ directory can’t be accessed directly (either via htaccess or moving the files directory).

- The unauthenticated arbitrary code execution vulnerability is fixed in 4.4.0. If you haven’t upgraded, you can protect your site by password protecting the textpattern directory via htaccess. If an unauthenticated user can’t access textpattern/index.php, they can’t exploit the vulnerability.

Last edited by Neal (2011-05-26 19:26:16)

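The two mitigations Neal lists above (password protecting the textpattern directory, and keeping the files/ directory from being served directly) as concrete Apache configuration. This is an added example, not the .htaccess posted earlier in the thread and not anything shipped by Textpattern; the realm name and the credential file path are placeholders, and it assumes Apache 2.2 or 2.4 with mod_auth_basic loaded and .htaccess overrides permitted for both directories.

```apache
# --- /textpattern/.htaccess ---------------------------------------------
# HTTP Basic authentication in front of the whole admin directory. An
# unauthenticated client never reaches textpattern/index.php, which is the
# condition Neal describes for the pre-4.4.0 code execution issue.
AuthType Basic
AuthName "Textpattern admin (placeholder realm)"
# Placeholder path: keep the credential file outside the web root.
AuthUserFile /srv/private/txp.htpasswd
Require valid-user

# --- /files/.htaccess ---------------------------------------------------
# Textpattern hands downloads out through its own script, so nothing in
# files/ needs to be reachable by URL. Deny direct access with whichever
# authorization syntax the running Apache understands.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
</IfModule>

# Defence in depth: even if a deny rule is ever loosened, uploaded
# scripts must not execute. Placeholder extension list; extend as needed.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Create the credential file once with `htpasswd -c /srv/private/txp.htpasswd <username>` (substituting your own path and user), then confirm that a plain `curl -I https://example.invalid/textpattern/index.php` returns 401 and that a direct request for any file under files/ returns 403, while downloads linked from the site still work because they are served by Textpattern itself.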

#13 2011-05-26 21:29:53

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

^^ Right. I mixed up a few vulnerabilities.

#14 2011-05-26 21:42:52

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,226
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this. After all, it’s easy to find out if a website is running TXP.

#15 2011-05-26 21:55:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,813
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

gomedia wrote:

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this.

It’s important to document vulnerabilities. Neal has been incredibly generous and understanding by raising the issues with us privately via the TXP security channel, and giving us time to address as much as we could. He held off this article until we had a chance to deal with most of the issues in 4.4.0, and we (well, Robert) have addressed so much more in SVN in the past few days.

Bear in mind that we dropped 4.4.0 within about two weeks of the vulnerabilities coming to our attention so we were nervous about it, given the limited testing that took place before release (we normally have a loooong time to catch bugs between releases). And we had to hold off the actual changes to SVN until the last moment because otherwise the vulnerabilities would have come to light during the testing phase as people reverse engineered the changesets to figure out what was going on. I was hammering the code left right and centre, but I’m only one guy and can’t hope to catch everything. The CSRF stuff needs much more testing because it’s a BIG change. Please test!

Last edited by Bloke (2011-05-26 21:58:52)

The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

#16 2011-05-26 21:58:48

Neal
Member
Registered: 2011-03-29
Posts: 6
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

And a big thank you again to all the Textpattern devs for being so understanding and responsive :)

#17 2011-05-26 22:04:57

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,226
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Please don’t misunderstand me – I wasn’t making any criticism of the effort made or of the changes. I’m just a bit concerned that in the real world it’s not possible to do software upgrades at the drop of a hat & until then a pre-4.3.0 TXP website is vulnerable.

An .htaccess file, however, would be easy to bang in – as a temporary measure – so is it just a question of password protecting the /textpattern dir?

#18 2011-05-26 22:08:14

Neal
Member
Registered: 2011-03-29
Posts: 6
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Yes, that protects against the arbitrary code execution vulnerability (assuming the attacker doesn’t know the password).

#19 2011-05-26 22:30:32

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,226
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks Neal, it’s much appreciated. I’ll do that before my portfolio of websites is “tested”.

Just as an aside, how about if the TXP admin interface automatically alerted users to things like this?

So when you log in, you get a “for your eyes only” message from the TXP Mothership – something along the lines of “Psst, I’ve noticed a big hole in your trademan’s, so you’d better upgrade sharpish!”

That way:

  • we don’t need to have a street party to advertise vulnerabilities
  • we can target TXP admin users who don’t lead such sad lives that they check Google Reader before the BBC

#20 2011-05-26 22:41:19

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Damn, the Neal thanked in the commit messages was that Neal, from that blog (nice blog btw). Great findings Neal. Big hug — I mean really manly handshake to you man :)

gomedia wrote:

This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this. After all, it’s easy to find out if a website is running TXP.

Well, the stuff is already publicly available in the public repo (not to overuse the word public, hah). I see nothing wrong about discussing most of this. Don’t forget that Neal didn’t reveal the information, but privately reported it to the devs (Robert), which is exactly what should have been done.
