Textpattern CMS support forum

#25 2010-11-13 17:37:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

maverick wrote:

Keyboard shortcut to select all was speedy. However, selecting all led to the white page of death.

That should have been fixed in v0.12. If it’s still doing it, let me know. Wish Firefox had a keyboard shortcut for ‘select all items in select list’. Or at least if it does, I don’t know about it. Perhaps the slowness is not a Firefox thing but a Windows thing…

v0.13 is in the works still. Refactoring some stuff and tweaking a few things on the journey.

“textpattern” was missing from the url

Yeah that was a stupid oversight on my part. Fix on its way.

The “ihu” for hosting images on a subdomain is what made me wonder if creating another preference for the admin subdomain url would work.

I saw your post and it’s not the first time I’ve wished for such a constant. I’m sure someone cleverer than me can figure out how to patch TXP to do this.

I have to take off again for a while, but I’ll set up a login and send it as soon as I get a chance.

Brill, thanks.

Incidentally I’ve just had notification of a suspected injection hit at phpxref. Prognostics caught it and prevented it, which I’m pretty chuffed about. I’m dissecting the frognostics and adding the info to the knowledge base.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

#26 2010-11-14 00:19:54

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

frognostics – love it. I think you should apply to the O.E.D. for inclusion in the next edition. ;)


Stuart

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

#27 2010-11-14 16:11:39

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Here’s a good one considering my “special needs”. I was doing an update to the “Vitraux” php file and when I saved it threw me a message:-

Your request has been denied by smd_prognostics. Nice try.

and it’s nice to know that it works but…

Now I’ve removed all the “/themes/” files from the file list but I still get the message. I should point out that my modifications were actually saved. I’m thinking there is probably something else I should be doing??

Last edited by thebombsite (2010-11-14 16:12:19)

#28 2010-11-14 16:54:05

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

thebombsite wrote:

Your request has been denied by smd_prognostics. Nice try.

If you haven’t already, turn off the Admin-side check for SQL Injections. That (experimental) feature has some holes in it right now which means that if you have certain content in the thing you’re trying to save on the admin side it’ll trigger the injection warning. Currently if your content contains # or -- or any SQLish commands like drop, insert, update and so on it’ll trigger, which is very annoying when trying to save the smd_prognostics plugin itself as it contains all those words and symbols :-)

I’m working on ways round this. Currently I have a few avenues to explore:

  1. Allow you to specify admin-side events and steps that you wish to bypass the SQL injection. Primarily this might be Pages/save, Forms/save, Stylesheets/save, possibly Articles/save and things like ied_plugin_composer/save and smd_admin_themes/save, among others
  2. Allow you to only notify that the injection has taken place, or silently capture it and then continue instead of dying
  3. Something else that may come to me randomly as I think this through, or that someone else suggests as a viable alternative
  4. Get rid of the stupid admin-side feature altogether

Best advice: switch it off for now until we’ve figured out the best way to do it.

Last edited by Bloke (2010-11-14 16:56:04)
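The false positive described in the post above, and the two mitigations listed as options 1 and 2, as an added example that is not part of the original thread or of the smd_prognostics plugin: a naive scan for comment markers and SQL keywords over every request field, a per-action bypass list keyed on Textpattern’s event/step pair, and a notify-only mode that records the hit instead of dying. The function names, the ‘event/step’ bypass format and both sample requests are assumptions made for this illustration, not anything the plugin exposes. Later in the thread the admin-side scan is dropped altogether; the same mechanics are what a public-side scan has to get right.

```python
"""Request-scanning heuristic with a per-action bypass list and a notify-only mode.

Added example, not smd_prognostics code. It models the false positive described
in the post: a naive SQL-keyword scan fires on a legitimate admin-side save whose
body contains '#', '--' or SQL words. Function names, the 'event/step' bypass
format and both sample requests are assumptions made for this illustration.
"""
import re

# Signature set of the kind the post describes: comment markers plus a few SQL keywords.
SQLISH = re.compile(r"(--|#|\b(?:drop|insert|update|delete|union|select)\b)", re.IGNORECASE)


def find_sqlish(text):
    """Return the distinct suspicious tokens in text, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in SQLISH.finditer(text)})


def scan_request(params, bypass=(), mode="block"):
    """Classify one request and return (verdict, hits).

    params: request parameters (GET or POST). 'event' and 'step' name the
            admin-side action, as Textpattern requests do.
    bypass: 'event/step' pairs whose fields hold free-form editor content and
            must not be scanned (option 1 in the post).
    mode:   'block' denies on a hit; 'notify' records it and lets the request
            continue (option 2 in the post).
    verdict is 'allow', 'notify' or 'deny'; hits maps field -> tokens found,
    so a bypassed action can still be logged.
    """
    action = "%s/%s" % (params.get("event", ""), params.get("step", ""))
    hits = {}
    for name, value in params.items():
        if name in ("event", "step"):
            continue
        found = find_sqlish(str(value))
        if found:
            hits[name] = found
    if not hits or action in bypass:
        # Nothing suspicious, or an editor action whose content is expected to look like SQL.
        return "allow", hits
    return ("notify" if mode == "notify" else "deny"), hits


# Constructed sample requests, not captured traffic.
PLUGIN_SAVE = {
    "event": "plugin",
    "step": "save",
    # Saving a plugin whose own source scans for these tokens, as the post describes.
    "code": "if (preg_match('/--|#|drop|insert|update/i', $q)) { die('Nice try.'); }",
}
PUBLIC_PROBE = {
    "s": "articles",
    "id": "12' UNION SELECT pass FROM txp_users -- ",
}

if __name__ == "__main__":
    print(scan_request(PLUGIN_SAVE))                           # false positive: deny
    print(scan_request(PLUGIN_SAVE, bypass=("plugin/save",)))  # allow
    print(scan_request(PUBLIC_PROBE))                          # deny
    print(scan_request(PUBLIC_PROBE, mode="notify"))           # notify
```

Run as-is, the plugin save is denied with five hits while the public probe is denied with three; adding `plugin/save` to the bypass list lets the save through, and `mode="notify"` turns the public denial into a logged notification. The point the thread goes on to make is that for admin-side requests neither knob helps much, since unauthenticated requests never reach a handler and authenticated ones are the user’s own content.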

#29 2010-11-14 19:41:28

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Incidentally I’ve just had notification of a suspected injection hit at phpxref. Prognostics caught it and prevented it, which I’m pretty chuffed about. I’m dissecting the frognostics and adding the info to the knowledge base.

Knowledge base? If TXP is vulnerable, let’s fix the bug. If not, just ignore it.

Allow you to specify admin-side events and steps that you wish to bypass the SQL injection.

Another way to deal with it: deactivate the account of the user which triggers this. Just because a user can’t do SQL injection, doesn’t necessarily prevent him/her from doing other damage like uploading massive amounts of files, changing articles and so on (depending on privileges).
For single user installs, checking admin side actions probably isn’t interesting.

A feature that would be nice to have (if it isn’t there already): new TXP version notification. The best way to stay safe is to keep software up-to-date.

Looking at amount of code between checking and updating the smd_prognostics_lastcheck value. What’s the chance of a race-condition occurring (file/db-update) or multiple checks happening at once?

Another feature that would be nice to have: being able to specify a preferred time slot (outside peak hours) in which to check files. Basically imitating cron for those poor souls on Windows hosting ;)

#30 2010-11-14 20:29:01

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

ruud wrote:

Knowledge base? If TXP is vulnerable, let’s fix the bug. If not, just ignore it.

Sorry, I meant my own knowledge base. I’m using the output from the various attacks to find ways to improve the plugin and either predict or at least add options to help people fight the prospective attacks. If we happen to find a demonstrable TXP vulnerability along the way, then that’ll be fixed pronto.

Another way to deal with it: deactivate the account of the user which triggers this.

Not sure I follow. An admin-side “attack” is one that begins http://site.com/textpattern/some_file?attack=content (or a POST equivalent). Since the callbacks are different for the two sides, the only way I could see to detect if someone on the outside was targeting something on the inside was to add a callback on head_end — the earliest point a plugin can run, istr. On the public side I have the pretext callback to attach to. So it’s not an attack from the ‘inside’ as such, but a side-effect is that it affects logged-in users too. Which stunning realisation has just led me to the fix: if $txp_user is set during an “attack” (primarily a save operation) don’t run the prognostics check. Simple. Thank you!

What I will probably do when I implement this is remove the distinction between admin and public sides and just have SQL Injection on/off, since at the moment it is a tad confusing.

A feature that would be nice to have (if it isn’t there already): new TXP version notification.

A good idea, thanks. I’ll see if I can find a way to grab that on the advice page.

What’s the chance of a race-condition occurring (file/db-update) or multiple checks happening at once?

I’ll have to check. I have noticed that if you set the timeout too short and add quite a few files on the Files page, before the time the checksums file has been updated, the prognostics warning fires that the checksums file has changed!

being able to specify a preferred time slot (outside peak hours) in which to check files.

That would be neat yeah. Will see if I can find a way to do it.

Last edited by Bloke (2010-11-14 20:31:34)
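The two scheduling points raised in the exchange above, the race between overlapping checks (and between a check and the checksum file being rewritten) and the wish for an off-peak time slot, as an added example that is not part of the original thread or of the plugin: a file-integrity check that takes an atomic lock before running, excludes its own manifest and lock from the hashed set so that rewriting them never reads as a change, writes the manifest via temp-file-and-rename, and refuses to run outside a configured window that may wrap midnight. The names, the lock-file technique, the manifest format and the sample files are all assumptions made for this illustration.

```python
"""File-integrity check with a single-runner lock, an off-peak window, and a
manifest excluded from its own scan. Added example, not smd_prognostics code.
Names, the lock-file technique, the manifest format and the sample files are
assumptions made for this illustration.
"""
import hashlib, json, os, tempfile
from datetime import datetime, time

MANIFEST = "checksums.json"  # assumed name of the stored checksum list
LOCK = ".check.lock"         # assumed name of the lock file


def hash_tree(root, exclude=(MANIFEST, LOCK)):
    """Map relative path -> sha256 for each file under root. The manifest and
    lock are skipped, so writing them never shows up as a change."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if rel in exclude:
                continue
            with open(full, "rb") as f:
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def load_manifest(root):
    path = os.path.join(root, MANIFEST)
    return json.load(open(path)) if os.path.exists(path) else None


def save_manifest(root, hashes):
    """Write to a temp file, then rename: a concurrent reader never sees a half-written manifest."""
    fd, tmp = tempfile.mkstemp(dir=root)
    with os.fdopen(fd, "w") as f:
        json.dump(hashes, f, sort_keys=True)
    os.replace(tmp, os.path.join(root, MANIFEST))


def diff_manifest(old, new):
    """Return (added, removed, modified) relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def in_window(now, start, end):
    """True if time-of-day `now` is in [start, end); the window may wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def run_check(root, now=None, window=None):
    """Run one check if allowed and return (status, changes). status is
    'outside' (now not in window), 'locked' (another check holds the lock),
    'baseline' (first run, manifest created), 'clean' or 'changed'."""
    if window and not in_window((now or datetime.now()).time(), *window):
        return "outside", None
    lock = os.path.join(root, LOCK)
    try:
        fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY)  # atomic create-or-fail
    except FileExistsError:
        return "locked", None
    os.close(fd)
    try:
        current = hash_tree(root)
        baseline = load_manifest(root)
        if baseline is None:
            save_manifest(root, current)
            return "baseline", None
        changes = diff_manifest(baseline, current)
        # On a change the manifest is left alone, so the alert persists until acknowledged.
        return ("changed" if any(changes) else "clean"), changes
    finally:
        os.remove(lock)


def demo():
    """Replay the scenario from the thread in a temp dir; returns the statuses seen."""
    root = tempfile.mkdtemp()
    seen = []
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'constructed sample';")
    seen.append(run_check(root)[0])               # baseline
    seen.append(run_check(root)[0])               # clean: the manifest write was not counted
    with open(os.path.join(root, "dropped.php"), "w") as f:
        f.write("<?php // constructed 'uploaded' file")
    status, changes = run_check(root)
    seen.append((status, changes[0]))             # ('changed', ['dropped.php'])
    save_manifest(root, hash_tree(root))          # acknowledge: accept the new tree as baseline
    seen.append(run_check(root)[0])               # clean again
    open(os.path.join(root, LOCK), "w").close()   # simulate a check already running
    seen.append(run_check(root)[0])               # locked
    os.remove(os.path.join(root, LOCK))
    night = (time(23, 0), time(5, 0))             # 23:00 to 05:00, wrapping midnight
    seen.append(run_check(root, now=datetime(2010, 11, 14, 12, 0), window=night)[0])  # outside
    return seen
```

The `O_EXCL` lock is what stops two timers (or two page loads arriving at once) from both deciding the last-check time has expired; the exclusion list is what stops the “checksums file has changed” alarm the post above describes. On hosts without a real scheduler the window check is what makes a page-load-driven timer behave like a cron slot.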

#31 2010-11-14 21:48:20

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Not sure I follow. An admin-side “attack” is one that begins http://site.com/textpattern/some_file?attack=content. […] if $txp_user is set during an “attack” (primarily a save operation) don’t run the prognostics check.

But if you base that decision on whether $txp_user is set, then the assumption is that any potential damage happens after the authentication. In that case you can simply ignore all admin-side attacks, because if $txp_user is not set, the attack will simply result in a login form being returned to ‘evil person’. And if the authentication part of the code is vulnerable, you’d be too late if you base your decision on $txp_user being set or not.

#32 2010-11-15 09:01:47

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

ruud wrote:

the assumption is that any potential damage happens after the authentication.

D’oh, of course you’re right. Told you I wasn’t following. Right, admin side injection will be gone in the next version. Thank you for putting me straight.

#33 2010-11-15 15:00:11

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

smd_prognostics v0.13 is released. In this version:

  • Fixed Alarms panel so it now always displays all alerts and doesn’t interfere with the file checking rotation
  • Fixed incorrect URL in acknowledge messages (thanks thebombsite) though multi-site installations may still be wrong
  • Removed dumb admin-side SQL injection (thanks ruud)
  • Added Check files between (thanks ruud)
  • Added TXP version advice (thanks ruud)
  • Tweaked injection detector for performance reasons
  • Refactored e-mail header code to save repetition

#34 2010-11-16 00:02:54

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Well I see the Txp version advice is working Stef. I now get the message:-

A new version of Textpattern is available: 4.3.0

which is fine, but I assume it shouldn’t appear if you are already using 4.3.0 so I presume I am seeing it because I am on SVN?

#35 2010-11-16 00:54:16

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

thebombsite wrote:

I presume I am seeing it because I am on SVN?

I guess so. Odd because the ‘version’ entry in txp_prefs should still be 4.3.0 even if running SVN. What’s your version string set to? And what version does it report at the bottom of the admin side in Classic? If either is 4.2.0 then that explains the message, but doesn’t explain how you could be running 4.3.0 unless the upgrade to the final 4.3.0 didn’t quite set everything it should.

Of course there’s also the possibility that my code is broken but I stole most of it directly from txplib_update.php so I thought it’d be robust enough. I’ll give this some testing tomorrow before I release the next version (sorry for the flurry of updates) which has another couple of useful options in it.

Last edited by Bloke (2010-11-16 00:54:48)

#36 2010-11-16 01:00:46

maverick
Member
From: Southeastern Michigan, USA
Registered: 2005-01-14
Posts: 976
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Like Stuart, I’m on svn. And am also getting the message about a newer version.

Diagnostics shows: Textpattern version: 4.3.0 (r3458). Also showing 4.3.0 at the bottom on the admin side in classic.

Last edited by maverick (2010-11-16 01:01:36)