Security Bulletin: TURN OFF CUSTOM AVATAR UPLOAD

Posted by Mithrandir on 2005/3/8 2:30:00 (19281 reads) | Posted on Security
A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.

The vulnerability is in the upload of custom avatars. Until we have a complete overview of the consequences and a correction for this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -> Preferences -> User Info Settings -> "Allow Custom Avatar Upload".

ALSO, do NOT allow any non-trusted users to upload images through the image manager, i.e. in Administration Menu -> System Admin -> Images, edit each and every category so that uploading is NOT allowed for non-trusted usergroups.

We will keep you informed as soon as we have a fix for this exploit.

XOOPS Core Development Team


UPDATE:
A fix is available.
If no specific problem is encountered after deeper tests, it will be released tomorrow.

In the meantime, people who would like to try it and give us some feedback are welcome.
To install it, upload the two following files to your XOOPS /class/ folder:
uploader.php (check that you get the revision 1.18 or wait a little...)
mimetypes.inc.php

The SF viewcvs updates are made regularly, but you may have to wait a few more minutes before the files become available. Alternatively, people with anonymous cvs access can get them from the XOOPS cvs repository right now.

skalpa.>
(with the appreciated help of php_pp :)



Does anyone know if the WF-Downloads module is secure regarding this issue?

It has a file uploader and image uploader.

Thanks,

_Dan
Posted: 2005/3/8 16:55 • Updated: 2005/3/8 16:55
I'd also imagine you'll need to set the upload function in AMS and News 1.2 and higher to approvers only (granting approvers are trusted members only) or simply disable it altogether. Same goes for NewBB 2 I'd imagine.
Posted: 2005/3/8 17:29 • Updated: 2005/3/8 17:29
We could not tell you as we do not have the full details regarding this. Not sure if this is a XOOPS uploader class issue or not, but we do use a modified version of this class.

I would suggest not allowing image uploads in WF-Downloads just now and we will let you know once we hear anything.
Posted: 2005/3/8 17:31 • Updated: 2005/3/8 17:31
Anonymous
And since when was movers promoted to Webmaster Gee, you never asked me neither :sulks:

Scott
Posted: 2005/3/8 17:35 • Updated: 2005/3/8 17:35
Anonymous
I am still researching, but I believe that News, AMS and WF-Downloads all check the extension to find the mimetype instead of relying on the browser to "figure it out" - if that is the case, it should be safe enough, but I'll have to make sure that this is the case.

The problem comes from uploading a file where you rely on the browser to set the mimetype without caring about the extension, thus allowing the user to upload an "image" e.g. with the extension .php4 that can subsequently be executed just by showing the "image".
Posted: 2005/3/8 17:49 • Updated: 2005/3/8 17:49
Perhaps a 3-point-check would be good:

- mimetype OK?
- extension OK?
- reading a few lines from the file to ensure there is no malicious code inside

Just a suggestion...
Posted: 2005/3/8 18:04 • Updated: 2005/3/8 18:04
Anonymous
Does the XoopsMediaUploader do this?
Posted: 2005/3/8 18:11 • Updated: 2005/3/8 18:11
I am deffo no expert in this area, but I believe that the way a browser determines the mimetype is by reading a few lines from the file - but that is done by the browser and not by the server and can be spoofed.

However, reading a few lines from the uploaded file will not ensure that there is no malicious code inside as it can contain perfectly alright image code until the end, where the malicious code is located.

Checking mimetype (whether forged or not) and extension (to only allow extensions the webserver will not parse as script files) seems to be the only reliable way we can do this - perhaps a 3rd step is needed, but I don't think reading a few lines from the uploaded file will make a difference.

Thanks for the suggestion, though.

I have uploaded a modified class to the bug tracker item - could someone check if it is possible to upload an image, where the extension has been changed to e.g. php3 through that?
Posted: 2005/3/8 18:12 • Updated: 2005/3/8 18:14
I was testing it but then again, since I have the XOOPS Protector module installed, I got caught by Protector and did not even come to testing your fix.

However, after I temporarily turned off Protector I was able to test it and it worked as expected. The upload was aborted with an error 'File extension rejected'.

Good work Mith

Martijn
Posted: 2005/3/8 18:52 • Updated: 2005/3/8 19:18
Although I am not in NewBB 2 any more, I would like to help Marco clarify:
this issue does not influence NewBB 2.
Posted: 2005/3/8 20:06 • Updated: 2005/3/8 20:06
Security-wise, checking the extension is probably adequate.

The file name should also be sanitized so that it doesn't contain any unsafe characters. I think the avatars are assigned new names anyway, so that wouldn't be an issue.

In the case of image files, the PHP function getimagesize is useful, since it reads at least part of the file to get the image type and dimensions.
Posted: 2005/3/8 20:15 • Updated: 2005/3/8 20:15
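The thread above describes the root cause (trusting the browser-supplied mimetype and ignoring the extension), the fix direction (an extension allowlist of types the webserver will never parse as script) and dave_l's suggestion to let getimagesize() read the actual bytes. The following is an added example written for this page, not XOOPS code and not the patched uploader.php; it assumes PHP 7 or later, a writable upload directory, and illustrative function and message names. It shows the flawed pattern beside a server-side check that combines extension allowlisting, content inspection, extension/content agreement, and a server-chosen file name.

```php
<?php
// Added example (not XOOPS code): validating an avatar/image upload server-side.
// Assumes PHP 7+, a writable $uploadDir, and illustrative names throughout.

// The flawed pattern the bulletin describes: trusting the browser-supplied type.
// $file['type'] is just the Content-Type the client sent, so a file named
// avatar.php4 passes as long as the client claims image/jpeg.
function insecureIsImage(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/gif', 'image/png'], true);
}

// Extension allowlist: only names the webserver serves as static files, never
// anything a PHP handler might execute (.php, .php3, .php4, .phtml, ...).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

// Maps the image type reported by getimagesize() to the extension we store.
const IMAGETYPE_TO_EXT = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validates one entry of $_FILES and returns the final, server-chosen path
 * under $uploadDir. Throws RuntimeException on any rejection. $file['type']
 * is never consulted because the client controls it.
 */
function storeUploadedImage(array $file, string $uploadDir, int $maxBytes = 512000): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Check 1: the extension, as a whole-string match against the allowlist.
    // "image.jpg.php4" ends in php4 and is rejected, exactly like "image.php4".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('File extension rejected');
    }
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }

    // Check 2: parse the bytes on the server. getimagesize() reads the image
    // header, so a file that is not really an image fails here whatever its name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(IMAGETYPE_TO_EXT[$info[2]])) {
        throw new RuntimeException('Not a recognised image');
    }

    // Check 3: the extension must agree with the detected type. A valid image
    // header can still be followed by script text in its tail, which is why
    // reading the first few lines proves little; what decides whether the
    // webserver executes the file is the extension it is stored under.
    $detectedExt = IMAGETYPE_TO_EXT[$info[2]];
    if ($ext !== $detectedExt) {
        throw new RuntimeException('Extension does not match image content');
    }

    // Check 4: never reuse the client-supplied name. A random server-side name
    // removes path characters, double extensions and collisions in one step.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $detectedExt;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

// Usage inside a request handling <input type="file" name="avatar">:
// try {
//     $path = storeUploadedImage($_FILES['avatar'], __DIR__ . '/uploads/avatars');
// } catch (RuntimeException $e) {
//     // reject the upload and log $e->getMessage()
// }
```

The extension allowlist (check 1) is the step that closes the hole described in the bulletin; checks 2 and 3 follow dave_l's point that getimagesize() reads part of the file and so separates a real image from a renamed one, and check 4 covers the file-name sanitisation concern. Serving the upload directory with script execution disabled in the webserver is a further layer the checks above do not replace.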
I have to agree with dave_l, you can gain a lot of information from this useful function and it should help here to determine a 'real' image file from a 'fake' one or, if the server supports it, try putting the file through a GD lib function ; )=.
Posted: 2005/3/8 20:35 • Updated: 2005/3/8 20:39
Anonymous
I'm not sure what the problem is..

I thought you said it figured out the mime type from the first few lines of the file. I tried adding code to an image file and changing an extension but the upload code didn't like the extension so it is apparently checking. (This is a few-month-old XOOPS build.)

Am I missing something?

ps: In the mean time however I have disallowed avatar upload on my live site.
Posted: 2005/3/8 22:22 • Updated: 2005/3/8 22:22
A patch will be available in a few minutes.

Considering I got back home in the middle of the night and didn't test it extensively (it's 4AM here), I'll first edit the news so you can download it directly from the sourceforge viewcvs interface (only one file to update and another one to add, both in /class/).
Please feel free to test it and report us any problem, so we can release a real update tomorrow.

skalpa.>
Posted: 2005/3/8 23:10 • Updated: 2005/3/8 23:10
Thanks skalpa, news updated on frxoops.org.
The update of the SF CVS is not yet available at 6:00.
Posted: 2005/3/9 0:50 • Updated: 2005/3/9 0:50
News added to farsixoops.org,
and I can download the new files now.
Thanks.
Posted: 2005/3/9 2:19 • Updated: 2005/3/9 2:19
Quote:

phppp wrote :
Although I am not in NewBB 2 any more

!!!!!!!!!!!!!

Posted: 2005/3/9 2:23 • Updated: 2005/3/9 7:37
I agree with hervet. Avatar upload doesn't seem like such a big problem anymore.
Posted: 2005/3/9 3:29 • Updated: 2005/3/9 3:29
Does this problem influence wf-section 1.01?
Posted: 2005/3/9 6:52 • Updated: 2005/3/9 6:52
Kudos to the core team for great communication on this issue! Thank you for keeping us all well informed and making the patch available promptly for testing.



--Julian
Posted: 2005/3/9 9:11 • Updated: 2005/3/9 9:11
I have just checked, and I was able to change my avatar with an exe.jpg, and I am using 2.9
Posted: 2005/3/11 18:17 • Updated: 2005/3/11 18:17
What exactly do you mean by exe.jpg?

Regards,

Martijn
Posted: 2005/3/12 4:10 • Updated: 2005/3/12 4:10
It's bad for me :((
Posted: 2005/3/12 15:15 • Updated: 2005/3/12 15:15
Any update on this? Is this patch the final fix or is more work needed?
Posted: 2005/3/14 4:47 • Updated: 2005/3/14 4:47
After almost one week I don't see any update...
is there any schedule for a final solution?
Posted: 2005/3/14 11:32 • Updated: 2005/3/14 11:32
I appreciate the communication on this issue, well done! I also have a question concerning the new files (rev 1.18). After I uploaded these new files in my /class/ directory I get an error "Errors Returned While Uploading; Error loading mimetypes definition" when members want to upload an avatar. Any solution? Thanks!
Posted: 2005/3/15 4:59 • Updated: 2005/3/15 4:59
We will do our best to get a security update out within the week so you can once again turn on the custom avatars and image manager.

@Yantje, I will look at your error message, when I get home tonight.
Posted: 2005/3/15 5:40 • Updated: 2005/3/15 5:40
it is my understanding that this is not an issue if you have protector 2.37 installed?
Posted: 2005/3/15 10:46 • Updated: 2005/3/15 10:46
Are you asking if we can confirm it is your understanding? www.peak.ne.jp/xoops/ seems to say that this is not the case, but that they have implemented a fixed version for the my-album_p module. (Or I have read it wrong, that's also possible.)

Herko
Posted: 2005/3/15 11:10 • Updated: 2005/3/15 11:10
yes asking for confirmation, i was not sure about gi joes's post.
Posted: 2005/3/15 11:12 • Updated: 2005/3/15 11:12
Hey Mithrandir, any news on the error message: "Errors Returned While Uploading; Error loading mimetypes definition"?

I still get this error, anyone else with these troubles?
Posted: 2005/3/19 17:23 • Updated: 2005/3/19 17:23
Yantje, your error occurs when the mimetypes.inc.php could not be included properly.

Could you double-check that:
1. The mimetypes.inc.php is present in your class/ folder
2. You do not get a parse error, if you access it directly? (www.example.com/class/mimetypes.inc.php - it should show a blank screen as there is no output in the class, but if it is corrupted, it may throw a parse error)
Posted: 2005/3/20 10:52 • Updated: 2005/3/20 10:52
Thanks for your attention Mithrandir. . .

I just found the error. My filename was corrupt. The name was: mimetyes.inc.php. I just looked over it, thanks for your time, sorry for this stupid error. I'm ashamed.
Posted: 2005/3/23 12:58 • Updated: 2005/3/23 13:01
Good to see that it wasn't the patch that was faulty.

I'll be packaging it up and releasing it properly in a couple of hours.
Posted: 2005/3/23 13:12 • Updated: 2005/3/23 13:12
I understand this issue had been addressed in patch 2.0.9.2-to-2.0.9.3 ??
Posted: 2005/4/3 14:33 • Updated: 2005/4/3 14:33
it has..
Posted: 2005/4/3 14:44 • Updated: 2005/4/3 14:44
If so, why can't I set an avatar on this site? It seems like the upload is still disabled.
Posted: 2005/5/3 7:06 • Updated: 2005/5/3 7:06
You need a postcount of 10 or more to add an avatar here.
Posted: 2005/5/3 7:11 • Updated: 2005/5/3 7:11
Thanks, how kind of you to answer even these little things

I am even more convinced to have done it right to persuade my company to adopt XOOPS for their works.
Posted: 2005/5/4 3:44 • Updated: 2005/5/4 3:44
Is this "fix" incorporated into 2.0.16? My avatar upload will not work, nor will image manager. Should I install this fix which is quite old in 2.0.16? This is all very confusing.
Posted: 2007/8/18 12:33 • Updated: 2007/8/18 12:33
This fix has been incorporated two years ago.
Posted: 2007/8/19 5:57 • Updated: 2007/8/19 5:57