Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2011-05-26 15:30:09

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

[mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

https://nealpoole.com/blog/2011/05/multiple-major-security-vulnerabilities-in-textpattern/

That’s my blog, I’m happy to answer questions here or in the comments there. But if you’re not running 4.4.0, you need to upgrade ASAP: every single prior version of Textpattern allows an attacker to execute arbitrary code on your server (among other nasty things).

Last edited by Neal (2011-05-26 15:30:56)

Offline

#2 2011-05-26 15:49:31

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks again Neal for taking the time to audit the Textpattern code.

Any chance of you making the switch from WordPress to Textpattern?

Offline

#3 2011-05-26 16:10:42

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Developing secure PHP software has been problematic for a long time. Since Textpattern’s initial development predates most of the work that came later, and it has never received the kind of intense scrutiny that some other systems have, I am not surprised that these issues have arisen.

I do want to commend you and the development team for treating these seriously. While I have had hacking issues with other cms software and never with Textpattern, the nature of open source projects require that we all do a certain amount of effort to be diligent.

I certainly intend to double-check that all of my installs have been properly upgraded and suggest everyone else do the same. And continue to do in the future.

Offline

#4 2011-05-26 16:18:57

merz1
Member
From: Hamburg
Registered: 2006-05-04
Posts: 994
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Thanks Neal for the security audit!


Get all online mentions of Textpattern via OPML subscription: TXP Info Sources: Textpattern RSS feeds as dynamic OPML

Offline

#5 2011-05-26 17:03:54

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?

Offline

#6 2011-05-26 17:17:10

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Wow good analyze!!

I am not an expert but if i understund correclty, those vulnerability can be used only if you have an account on a site! if i have a blog and i am the only one who access it, there is no vulnerabilty!! wright?

Offline

#7 2011-05-26 17:20:59

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Any chance of you making the switch from WordPress to Textpattern?

Not at present, no.

Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?

I’m certainly aware of potential classes of vulnerabilities (XSS, CSRF, file inclusion, code execution, etc). For the most part, I attempt to identify potentially dangerous functionality (ie: <txp:php>) and then ensure that proper security restrictions exist around that functionality.

I am not an expert but if i understund correclty, those vulnerability can be used only if you have an account on a site! if i have a blog and i am the only one who access it, there is no vulnerabilty!! wright?

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

Last edited by Neal (2011-05-26 17:28:17)

Offline

#8 2011-05-26 18:29:06

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?

Offline

#9 2011-05-26 18:34:43

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?

Unless someone is targeting you specifically, yes. There is still no CSRF protection, which opens up a number of possible attacks (an attacker can create an admin user, for instance). However, a CSRF attack is targeted at a particular installation and requires you to be logged in.

Last edited by Neal (2011-05-26 18:44:53)

Offline

#10 2011-05-26 19:20:21

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

Moving the /files directory outside document root would also work, as I understand it. (ignore this. I misread)

Offline

#11 2011-05-26 19:21:04

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

Neal wrote:

Not at present, no.

At least we have a glimmer of hope :)

No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.

A few years back, I posted an .htaccess contributed by Ruud that I was using to protect the /textpattern directory.

This is how it looks currently, keeping up with stable releases:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
 RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
 RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/jquery\.js$
 RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/theme/.+\.(jpg|gif|png|css)$
 RewriteRule ^(.*) - [F]
</IfModule>

It’s not for password protection, but it does offer some bit of protection.

Offline

#12 2011-05-26 19:26:07

Neal
New Member
Registered: 2011-03-29
Posts: 6
Website

Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)

ruud: I think you’re conflating two separate vulnerabilities.

- The file upload issues are still present in 4.4.0. An unauthenticated attacker would need to exploit it using CSRF. An authenticated attacker would just be able to upload. It can be mitigated by making sure the files/ directory can’t be accessed directly (either via htaccess or moving the files directory).

- The unauthenticated arbitrary code execution vulnerability is fixed in 4.4.0. If you haven’t upgraded, you can protect your site by password protecting the textpattern directory via htaccess. If an unauthenticated user can’t access textpattern/index.php, they can’t exploit the vulnerability.

Last edited by Neal (2011-05-26 19:26:16)

Offline

Board footer

Powered by FluxBB