Textpattern CMS support forum
[mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
https://nealpoole.com/blog/2011/05/multiple-major-security-vulnerabilities-in-textpattern/
That’s my blog, I’m happy to answer questions here or in the comments there. But if you’re not running 4.4.0, you need to upgrade ASAP: every single prior version of Textpattern allows an attacker to execute arbitrary code on your server (among other nasty things).
Last edited by Neal (2011-05-26 15:30:56)
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Thanks again Neal for taking the time to audit the Textpattern code.
Any chance of you making the switch from WordPress to Textpattern?
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Developing secure PHP software has been problematic for a long time. Since Textpattern’s initial development predates most of the work that came later, and it has never received the kind of intense scrutiny that some other systems have, I am not surprised that these issues have arisen.
I do want to commend you and the development team for treating these seriously. While I have had hacking issues with other CMS software and never with Textpattern, the nature of open source projects requires that we all do a certain amount of effort to be diligent.
I certainly intend to double-check that all of my installs have been properly upgraded, and I suggest everyone else do the same, and continue to do so in the future.
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Thanks Neal for the security audit!
Get all online mentions of Textpattern via OPML subscription: TXP Info Sources: Textpattern RSS feeds as dynamic OPML
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Wow, good analysis!!
I am not an expert, but if I understand correctly, those vulnerabilities can be used only if you have an account on a site! If I have a blog and I am the only one who accesses it, there is no vulnerability!! Right?
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Any chance of you making the switch from WordPress to Textpattern?
Not at present, no.
Impressive. How do you start such an audit… do you have a list of potential vulnerabilities that you check one by one or do you just look at the code and “see” them?
I’m certainly aware of potential classes of vulnerabilities (XSS, CSRF, file inclusion, code execution, etc.). For the most part, I attempt to identify potentially dangerous functionality (i.e. <txp:php>) and then ensure that proper security restrictions exist around that functionality.
I am not an expert, but if I understand correctly, those vulnerabilities can be used only if you have an account on a site! If I have a blog and I am the only one who accesses it, there is no vulnerability!! Right?
No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.
Last edited by Neal (2011-05-26 17:28:17)
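Added example of the workaround Neal describes above (this is not code from his post or from the Textpattern project): an Apache .htaccess placed in the textpattern/ directory that demands an HTTP Basic login before anything in that directory, textpattern/index.php included, is handed to PHP. The file paths, the account name and the css.php exemption are assumptions made for the example; the directive syntax is Apache 2.2's, which is what was current when this thread was written.

```apache
# Added example, assumed location: <document root>/textpattern/.htaccess
# Requires a valid HTTP Basic login for every request under textpattern/.
# Textpattern's own login form still appears afterwards; this layer only keeps
# anonymous visitors away from textpattern/index.php, so the unauthenticated
# code-execution bug in pre-4.4.0 releases cannot be reached from outside.
AuthType Basic
AuthName "Textpattern admin area"
# The password file lives outside the document root so Apache can never serve it.
# Create it once on the server (the account name "admin" is just an example):
#   htpasswd -c /var/www/private/txp.htpasswd admin
AuthUserFile /var/www/private/txp.htpasswd
Require valid-user

# Optional: if the public site links its stylesheets through textpattern/css.php,
# let that one script stay reachable without a password (Apache 2.2 syntax).
<Files "css.php">
    Satisfy Any
    Allow from all
</Files>
```

Check it from outside with curl -I http://example.com/textpattern/index.php (expect 401) and again with -u admin:yourpassword (expect 200 or a redirect to the login form). Basic credentials travel base64-encoded, not encrypted, so serve the admin area over HTTPS. If Apache ignores the file, the directory needs AllowOverride AuthConfig (plus Limit for the exemption) in the vhost config, or the same directives go into a <Directory> block there instead; on Apache 2.4 the exemption is written as Require all granted inside the <Files> block.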
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Neal wrote:
No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.
For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
For someone running 4.4.0, you stated that #2 and #4 had been corrected and #3 was more secure – although you still call for a whitelist of PHP functions. So to restate Dragondz’s question, if I am running an install of 4.4.0 and I am the only user, I am mostly secure by your current analysis?
Unless someone is targeting you specifically, yes. There is still no CSRF protection, which opens up a number of possible attacks (an attacker can create an admin user, for instance). However, a CSRF attack is targeted at a particular installation and requires you to be logged in.
Last edited by Neal (2011-05-26 18:44:53)
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Neal wrote:
No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.
Moving the /files directory outside document root would also work, as I understand it. (ignore this. I misread)
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Neal wrote:
Not at present, no.
At least we have a glimmer of hope :)
No. See #2, unauthenticated remote code execution. Combined with #3/#4, any Textpattern version earlier than 4.4.0 is vulnerable. The only workaround is to use something like a .htaccess file to password protect your textpattern directory.
A few years back, I posted a .htaccess contributed by Ruud that I was using to protect the /textpattern directory.
This is how it looks currently, keeping up with stable releases:
# Lives in the textpattern/ directory. Anything under it that is not one of the
# paths listed below is answered with 403 Forbidden; index.php, setup and the
# front-end assets (css.php, scripts, images, theme files) stay reachable.
<IfModule mod_rewrite.c>
RewriteEngine On
# the directory itself and setup/
RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
# the admin entry point, the setup script and the stylesheet server
RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
# admin-side assets
RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
RewriteCond %{REQUEST_FILENAME} !textpattern/jquery\.js$
RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
RewriteCond %{REQUEST_FILENAME} !textpattern/theme/.+\.(jpg|gif|png|css)$
# everything else: forbidden
RewriteRule ^(.*) - [F]
</IfModule>
It’s not for password protection, but it does offer some bit of protection.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
ruud: I think you’re conflating two separate vulnerabilities.
- The file upload issues are still present in 4.4.0. An unauthenticated attacker would need to exploit it using CSRF. An authenticated attacker would just be able to upload. It can be mitigated by making sure the files/ directory can’t be accessed directly (either via htaccess or moving the files directory).
- The unauthenticated arbitrary code execution vulnerability is fixed in 4.4.0. If you haven’t upgraded, you can protect your site by password protecting the textpattern directory via htaccess. If an unauthenticated user can’t access textpattern/index.php, they can’t exploit the vulnerability.
Last edited by Neal (2011-05-26 19:26:16)
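Added example for the files/ mitigation in the post above, not code from Neal or from the Textpattern project: a .htaccess for Textpattern's upload directory that refuses every direct request, so a file that an attacker managed to upload through the Files tab (directly, or via a CSRF'd admin) cannot be fetched or executed by URL. Uploaded files are normally delivered through Textpattern's own file_download URLs, which go through index.php rather than the directory, so those keep working. The directory location and the PHP module name are assumptions.

```apache
# Added example, assumed location: <document root>/files/.htaccess
# (Textpattern's default upload directory; adjust if yours is elsewhere).

# 1. Refuse every direct request for anything in this directory
#    (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead).
Order deny,allow
Deny from all

# 2. Defence in depth: even if the access rule is lost (for example because
#    AllowOverride changes), never execute scripts stored here. Switch off the
#    PHP engine for mod_php (module name assumed: mod_php5.c for PHP 5; later
#    versions use mod_php7.c / mod_php.c) and strip the handlers that would
#    otherwise run uploads carrying script-like extensions.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5
```

Verify with curl -I against the directory and against a known upload path (both should return 403), then confirm that a /file_download/ link on the public site still delivers the file. Moving the directory above the document root, as the post says, gives the same result with no dependency on Apache honouring the .htaccess; if you do that, point Textpattern's file directory path preference at the new location.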