[Xerte-dev] Re: SECURITY PATCH for upload.php

Smith, John J.J.Smith at gcu.ac.uk
Fri Mar 8 23:50:55 GMT 2013


Forget it, I've figured it out and got it working... Only now, with the code commented out, Firefox is sending the session from Flash... Need to get some sleep.

Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:


I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path, then the querystring is mangled.
>
> I just assumed that the Flash took the upload_path parameter (which ends path=) and appended the path, but it must be doing some strange parsing which can't handle extra params.
>
> I can make it work by wrapping everything in a way I can parse, but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the ActionScript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session it won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in the session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash posts, the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... Is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing, but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce any more, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox, by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>>               if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>>               session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It’s because upload.php is being hit from Flash, which isn’t passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok, I’ll look at that and see why… maybe config isn’t being included properly… sessions work elsewhere in Firefox, so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn’t work in Firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to, then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release; no idea why, though, or by who, and whether adding that back in will be causing an issue…
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I’m not sure I’m close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we’re not in a position where exporting the svn creates an install that won’t upload anything…
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable… would that be duplicating, and adding to the confusion of, having a MIME types field in sitedetails too?
>>
>> Well, I’ll work on the basis that I’ll be getting extensions from somewhere and make sure to check session, extension and MIME type (based on allowable types for that extension).
>>
>> One more question: do the error messages (before exit(); ) get fed back to the Flash? Should we even include them then, as they give a hacker some hint as to why an exploit failed – should it just be “failed”?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: a comma-separated list of allowed types in management.php, so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports, as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing PHP is a good thing, but I think the problem is that not knowing what types are acceptable is a real curveball.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn’t copy your regexp or your select list directly, but translated the select code into a comma-separated list so that it can be moved elsewhere if required…
>>
>> I noticed the list in the sitedetails table, but it is of MIME types. I think it would be best practice to use extensions, content headers, MIME types and any other method available to whitelist the allowable files, but I think that might take a bit more work…
>>
>> I think it is leaving a load of sites out there very vulnerable, so we should try to find a good way to shore this up before the next release. What do you think? I’ll have a go at adding in some code to deal with content headers and MIME types.
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the WordPress version deliberately to only allow a few file types, but that isn't the list that full XOT needs (there is, in fact, no list, hence the problem).
>>
>> My regexp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table, as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I’ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading PHP code. I’ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the WordPress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check, but exit(); was commented out; therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I’ve uncommented this now, but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>>
>>
>>
>

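The thread above settles on three controls for upload.php: an extension whitelist driven by a comma-separated setting, an exit() after the session check, and checking that the file's content type matches its extension, with only a generic "failed" sent back to the Flash client. The following is an added example written for this page; it is not Xerte's upload.php and not code from any of the thread's authors. The form field name `filedata`, the session key `user_id`, the `uploads` directory, the extension list and the extension-to-MIME map are all assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example (editor's code, not Xerte's upload.php): an upload endpoint
// that applies the three checks discussed in the thread. Every name used
// here (field name, session key, directory, lists) is an assumption.
declare(strict_types=1);

// Assumed global setting, in the comma-separated form Julian proposed for
// management.php. A real install would read it from the database.
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, mp3, mp4, flv, swf, pdf';

// Which MIME types libmagic may report for each whitelisted extension.
// Constructed for this example; adjust to what the server's libmagic reports.
const MIME_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'mp4'  => ['video/mp4'],
    'flv'  => ['video/x-flv'],
    'swf'  => ['application/x-shockwave-flash'],
    'pdf'  => ['application/pdf'],
];

// Assumed destination. It must be a directory the web server will not
// execute scripts from, or one with script execution switched off.
const UPLOAD_DIR = __DIR__ . '/uploads';

/** Turn the comma-separated setting into a set of lower-cased extensions. */
function parse_extension_list(string $csv): array
{
    $set = [];
    foreach (explode(',', $csv) as $ext) {
        $ext = strtolower(trim($ext, " \t\r\n."));
        if ($ext !== '') {
            $set[$ext] = true;
        }
    }
    return $set;
}

/**
 * Check one uploaded file. Returns null if it is acceptable, otherwise a
 * reason string that goes to the server log only (the client sees "failed").
 */
function validate_upload(string $originalName, string $tmpPath, array $allowed): ?string
{
    // Only the final extension counts, so "page.php" fails here. A double
    // extension such as "page.php.jpg" passes this test and must be caught by
    // the content check below (and by never executing scripts from UPLOAD_DIR).
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !isset($allowed[$ext])) {
        return "extension '$ext' not in whitelist";
    }

    // Inspect the bytes; $_FILES[...]['type'] is supplied by the client and
    // proves nothing.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, MIME_FOR_EXTENSION[$ext] ?? [], true)) {
        return "content type '" . ($detected ?: 'unknown') . "' does not match extension '$ext'";
    }
    return null;
}

// Endpoint body: runs only for a real POST, so the functions above can also
// be included from elsewhere without side effects.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // The session is read from the cookie, never from a query parameter.
    session_start();
    if (empty($_SESSION['user_id'])) {   // assumed key set at login
        http_response_code(403);
        exit('failed');                  // the exit() the thread re-enabled
    }

    $file = $_FILES['filedata'] ?? null; // assumed form field name
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        exit('failed');
    }

    $reason = validate_upload($file['name'], $file['tmp_name'], parse_extension_list(ALLOWED_EXTENSIONS));
    if ($reason !== null) {
        error_log('upload rejected: ' . $reason); // detail stays server-side
        http_response_code(400);
        exit('failed');                            // generic reply to the client
    }

    // Server-chosen name and directory: the client never controls the path.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        exit('failed');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        exit('failed');
    }
    echo 'ok';
}
```

Two design points follow from the thread. First, the session is taken from the cookie by session_start(), not from a PHPSESSID query parameter as the Flash workaround in the thread needed; accepting a session id from the URL lets a caller choose the id, so if the Flash uploader cannot send cookies, a short-lived per-upload token issued to the logged-in page is the safer substitute. Second, the reason for a rejection goes to error_log() and the client only ever sees "failed", which answers John's question about whether detailed error messages should reach the Flash.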


