Security

From Dokeos

Contact us

To report new flaws in Dokeos, please contact security@dokeos.com and info@dokeos.com.

Security Patches

Dokeos 1.8

  • 2009-07-14: A new set of vulnerabilities has been reported for FCKEditor 2.6.4, which we use in Dokeos 1.8.6. You can download a patch for these flaws here, which you can uncompress directly from the root of your Dokeos directory (from where the main/ directory is located). This will safely overwrite the flawed files. Version 2.6.4.1 of FCKEditor fixes the flaws, but we use a modified version of FCKEditor 2.6.4, so we have checked out the changes as a patch and applied them manually where necessary. More information can be found here: http://www.ocert.org/advisories/ocert-2009-007.html. A first patch had been released quickly on the 7th of July, but did not cover the flaws properly for 1.8.6, so you are invited to re-apply the new patch to cover the flaws.
  • 2009-05-12: A new set of security issues, considered as HIGH potential damage, has been detected in Dokeos, including XSS, SQL injection and directory traversal vulnerabilities. These affect version 1.8.5 and possibly previous versions of Dokeos. Part of the flaws were reported by Russ McRee to Secunia and another part by Gerendi Sandor Attila.

The attached patch applies to Dokeos 1.8.5. Please download it and unzip it inside your Dokeos 1.8.5 root directory to cover the existing flaws. A patch (-Naur) file is also included, which could be applied by using the patch command (if you feel comfortable with it). This is a cumulative patch that covers all vulnerabilities detected in 1.8.5 to date, including the ones below.

Download the patch here.

The recent increase in vulnerability reports led us to train ourselves better internally in order to ensure better protection for all of you in Dokeos 1.8.6. One of the steps taken was to replace the kses library by the HTML Purifier library in the core of Dokeos, in order to filter XSS attacks and SQL injections better. We recommend you move to Dokeos 1.8.6 stable as soon as it is available.

After applying the patch, please make sure that the file main/inc/lib/xajax/tests/changeLister.php doesn't exist or is empty, as this has been used as a backdoor and is *NOT NEEDED* by Dokeos.


  • 2009-04-25: A security issue (which is the reappearance of an already-reported flaw, see below) has been detected by yeat in DOKEOS <= 1.8.5, affecting only Windows servers, but allowing for the remote execution of scripts through the combined upload of a .html file through FCKeditor and the inclusion of this file through user_portal.php. For Windows servers, this is also a critical-level security flaw. Please update as soon as possible. Linux users are safe in this case.

The fix is easy: open /user_portal.php and replace the following line by the next one:

 if (!empty ($_GET['include']) && !strstr($_GET['include'], '/') && strstr($_GET['include'], '.html'))

replace by

 if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include'])) {

This one only affects Windows servers because it takes advantage of the absence of filtering on '\\' to redirect user_portal.php to another directory than the only one it should have access to (/home). Please download this file for a quick patch of the 1.8.5 version. For other versions, please just apply the patch manually.
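To see why the one-line change matters, here is an added example (not Dokeos code) that puts the original strstr() check and the patched preg_match() whitelist side by side and runs both over a few constructed file names. Note that the '\\' case is only a traversal on Windows, where the backslash is a directory separator; on Linux the old check would also let it through but the include would simply fail.

```php
<?php
// Added example, not part of Dokeos: compares the original user_portal.php
// include check with the whitelist version from the patch.
// All file names below are constructed test inputs.

// Original check: rejects a forward slash and requires '.html' somewhere
// in the value, but says nothing about backslashes or the position of '.html'.
function include_allowed_old(string $include): bool
{
    return !empty($include)
        && !strstr($include, '/')
        && strstr($include, '.html') !== false;
}

// Patched check: the whole value must be a plain file name made of
// letters, digits, '_' or '-', ending in '.html'. No separators of any kind.
function include_allowed_new(string $include): bool
{
    return !empty($include)
        && preg_match('/^[a-zA-Z0-9_-]*\.html$/', $include) === 1;
}

$samples = [
    'welcome.html',          // legitimate page in /home
    'news_2009-05.html',     // legitimate, uses '_' and '-'
    '..\\..\\other.html',    // backslash traversal: old check passes it on Windows
    '../other.html',         // forward-slash traversal: both checks reject it
    'page.html.txt',         // '.html' not at the end: old check still passes it
    '',                      // empty value: both reject
];

foreach ($samples as $s) {
    printf("%-22s old: %-7s new: %s\n",
        var_export($s, true),
        include_allowed_old($s) ? 'pass' : 'reject',
        include_allowed_new($s) ? 'pass' : 'reject');
}
```

The whitelist approach (describe exactly what is allowed) is what makes the new check portable: it does not need to know which characters each operating system treats as a path separator.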


  • 2009-04-21: A security issue has been detected by EgiX in ALL KNOWN VERSIONS OF DOKEOS (from 1.5.* up to the development version of 1.8.6, fixed early on the 22nd of April), by which a remote cracker can execute arbitrary code and can very effectively remove most of your data from your web server.

The flaw is located in the main/inc/lib/tablesort.lib.php file (or claroline/inc/lib/tablesort.lib.php for versions <1.8.0) and is due to the lack of filtering on a URL variable when sorting an array, so it is likely that multiple points of access can be used to reach this flaw and abuse it. The fix is fairly easy and consists of introducing filtering in the sort_table() and the sort_table_config() (only for 1.8.5 and superior) functions. You can find the details for 1.8.6 here

However, as we would like to make it the easiest for you to apply the patch on your portal, we have prepared three replacement scripts that you can just download, rename to ".php" and apply to your portals in main/inc/lib/:

  1. for version 1.8.4 (and 1.8.3)
  2. for version 1.8.5
  3. for version 1.8.6

A way to exploit this flaw has already been made public, and applied on several servers successfully, so please do not underestimate it.

Please make sure you apply this patch AS SOON AS POSSIBLE. This flaw is considered as CRITICAL and should be patched as a priority number one by all Dokeos system administrators.


Dokeos 1.8.5

  • 2008-12-31: A security issue has been detected in Dokeos 1.8.5 (and affects Dokeos 1.8.2, 1.8.3, 1.8.4 and 1.8.6-alpha as well) by which the anonymous user can enter courses "Open to the platform".

This can be fixed either temporarily by disabling the anonymous user (easy to find in your users list in the administration page) or permanently by changing the code of the main/inc/local.inc.php script, around line 895, for the elseif ($_course['visibility'] == COURSE_VISIBILITY_OPEN_PLATFORM) branch, like this (adding the api_is_anonymous() check):

 if (isset($_course)) {
 	if ($_course['visibility'] == COURSE_VISIBILITY_OPEN_WORLD)
 		$is_allowed_in_course = true;
 	elseif ($_course['visibility'] == COURSE_VISIBILITY_OPEN_PLATFORM && isset($_user['user_id']) && !api_is_anonymous($_user['user_id']))
 		$is_allowed_in_course = true;
 	elseif ($_course['visibility'] == COURSE_VISIBILITY_REGISTERED && ($is_platformAdmin || $is_courseMember))
 		$is_allowed_in_course = true;
 	elseif ($_course['visibility'] == COURSE_VISIBILITY_CLOSED && ($is_platformAdmin || $is_courseAdmin))
 		$is_allowed_in_course = true;
 	else $is_allowed_in_course = false;
 }

  • A security issue has been detected in Dokeos 1.8.5 running under the MS-Windows operating system, any version, whereby a remote attacker can include a system file by abusing the incorrectly filtered "include" parameter.

Fixing this issue can be done by replacing line 770 of /user_portal.php by:

 if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include']))

More information to come... It is unlikely we will issue a proper patch other than just the user_portal.php file, as it only affects Windows servers and the change is a one-liner, and the next release of Dokeos might be out sooner than expected due to several minor bugs that are making Dokeos 1.8.5 slightly uncomfortable to use for the teacher in very specific conditions (editing of documents with external resources integrated through FCKeditor).

Dokeos 1.8.4 SP3 download

  • A patch against the issues reported by Allegro.pl (and mentioned in FS#2312, but this page will only be public from the public disclosure of the reported bug, on the 20th of March), with possible vulnerabilities ranging from cross-site scripting to code execution, is available here.

The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first. This set of vulnerabilities is considered as moderate risk (it is difficult to craft an attack using these) but high possibility of damage. Their severity is inferior to the vulnerabilities fixed in SP1 and SP2 (see below).

No unified patch is available at this time.

This patch includes the changes from 1.8.4 made by SP1 and SP2, so you only have to apply this latest patch (SP3).

These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008).

Dokeos 1.8.4 SP2 download

  • A patch against the issues reported by Digital Security Research Group and mentioned in FS#2218 (possible SQL injection, possible XSS vulnerabilities) is available here.

The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first. This is an important set of vulnerabilities, but their severity is possibly inferior to the vulnerabilities fixed in SP1 (see below).

A unified patch (options -Naur) is also available here

This patch includes the changes from 1.8.4 made by SP1, so you only have to apply this latest patch (SP2).

These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008).

Dokeos 1.8.4 SP1

  • A patch against the issues mentioned in FS#2151 (remote PHP upload and execution) and FS#2152 (XSS hole) is available here (new version since 2007-12-30). The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first.
Warning: This will *NOT* remove the PHP files that might already have been uploaded on your portal in the courses or temporary directories. In general, you can consider any .php file or .php.* file inside the courses/[course_code]/[subdirectory] directories, the archives/ directory, the main/upload/users/ directory and the main/garbage/ directory as a *big* security threat. Exceptions apply to some index.php files located in the courses subdirectories which have been created by Dokeos. Typically, this includes courses/[course_code]/index.php and courses/[course_code]/group/index.php. There might be more files than these created by Dokeos in versions earlier than 1.8. These files (not generated by Dokeos) should be removed as soon as possible, or a .htaccess file should be put inside these directories and all their subdirectories to prevent the execution of any PHP code. The .htaccess file should contain at least this code or any code having a similar effect:

 AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .phps .bash
 Options -ExecCGI

These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008), but the PHP files already present on your system will need to be removed by you (we cannot do that automatically without risk, as we do not know the architecture of your server).


Older versions

  • The issue reported in FS#2151 (remote PHP upload and execution) can easily be fixed manually for older versions by editing main/inc/lib/fileUpload.lib.php (or claroline/inc/lib/fileUpload.lib.php) and replacing (in the php2phps() function) the $filename=... line by:
 $filename = preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $fileName);

This will ensure that any .php. extension inside the file name will be replaced by a .phps extension and will prevent the PHP file from being executed.
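As an added example (not Dokeos code), here is the replacement line wrapped in a stand-alone php2phps() function and run over a few constructed upload names, so you can see which names the expression rewrites and which it leaves alone. The protection still depends on the web server not executing .phps files, which is why the .htaccess rule above is recommended alongside it.

```php
<?php
// Added example, not part of Dokeos: the php2phps() rename from the patch,
// applied to constructed file names.

function php2phps(string $fileName): string
{
    // Regular expression from the patch: from the first ".php" or ".phtml"
    // (optionally followed by one more character, so php3/php5/phtml also match)
    // to the end of the name, replace everything with ".phps".
    // A double extension such as ".php.jpg" therefore loses its whole tail.
    return preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $fileName);
}

$uploads = [
    'shell.php',       // -> shell.phps
    'shell.php5',      // -> shell.phps   ("php.?" also matches php3, php5, ...)
    'shell.PHTML',     // -> shell.phps   (case-insensitive thanks to the /i flag)
    'shell.php.jpg',   // -> shell.phps   (double extension: tail dropped entirely)
    'notes.phps',      // -> notes.phps   (already a .phps name, unchanged)
    'image.jpg',       // -> image.jpg    (no match, unchanged)
];

foreach ($uploads as $name) {
    printf("%-16s -> %s\n", $name, php2phps($name));
}
```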

Recent tests (2007-12-31) show that the zip patch seems to work with any 1.8 version. This means that you should be able to apply the same patch for all 1.8 versions based on the patch described above in [#Version 1.8.4]. We have only lightly tested it, and cannot take responsibility (as the usual GPL license says) about any problem caused by this procedure.

Necessary Security Weaknesses

Dokeos has some arguable weaknesses that are necessary to the execution of some extreme-case features (like Oogie for example). This is a list of PHP functions that might be disabled in your default PHP configuration but that need to be enabled for certain features of Dokeos to work. This list is taken from the default disabled list on some Debian installations: show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru, dl. They can be found in the disable_functions directive in php.ini. We recommend setting these exceptions in the virtual host configuration of Dokeos only, so that the rest of your PHP installation remains more secure.

  • shell_exec (optional) : needed by the FCKEditor spellchecker extension to rely on local programs for spellchecking
  • system (optional) : needed by the FCKEditor ImageManager extension to save images using the NetPBM local program
  • popen : needed by the PHPMailer class when using the local sendmail program
  • ini_restore (optional) : used by the FCKEditor FileManager extension to return php.ini settings to their initial value. Only used for track_errors and error_reporting though, so it should be safe unless it opens the door for an attack based on your error messages and your initial php.ini settings are not safe.
  • passthru (optional) : needed by the FCKEditor ImageManager extension to convert images
  • dl (optional) : needed by the PEAR package to load extensions. Should only be useful when all the needed extensions have not already been loaded.

Main security risks

In a web environment, there are 3 main risks that need to be addressed:

  • SQL injections: always use Database::escape_string() to escape strings, and always use $val === strval(intval($val)) to check that a form value is an integer.
  • XSS attacks: Cross-Site Scripting attacks abuse the trust the user has in a website to steal information from his cookies or other available info. This is done by making the user post unfiltered content on a website. To avoid it, use Security::remove_XSS($suspicious_string) for any unreliable string that needs to be output on a webpage.
  • CSRF attacks: Cross-Site Request Forgeries abuse the trust a website has in a user to execute operations on that website by controlling the browser of the user (with JavaScript). To avoid it, use Security::get_token() and Security::check_token() in any form allowing the user to record information in the database.
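The following added example (not Dokeos code) exercises the integer check from the first item against a set of constructed form values, including the edge cases that make the strict comparison worthwhile, and then sketches the get_token()/check_token() pattern from the third item. The csrf_get_token() and csrf_check_token() functions are an assumption about how such a pair works in general, not the implementation of the Security class.

```php
<?php
// Added example, not part of Dokeos.

// Strict integer check from the list above: the value passes only if it is
// the exact string form of its own intval(). Form values arrive as strings,
// which is why a PHP int (not a string) is rejected by the === comparison.
function is_integer_value($val): bool
{
    return $val === strval(intval($val));
}

$values = ['42', '-7', '0', '42abc', '042', '1e3', ' 42', '', 42];
foreach ($values as $v) {
    printf("%-9s %s\n", var_export($v, true),
        is_integer_value($v) ? 'integer' : 'rejected');
}
// '42', '-7' and '0' are accepted; '42abc' (trailing garbage), '042' (leading
// zero), '1e3' (exponent), ' 42' (whitespace) and '' are all rejected.

// CSRF token pattern (assumed, generic): when rendering a form, store a random
// token in the session and embed it in a hidden field; when the form is posted,
// change nothing unless the submitted token matches the stored one.
function csrf_get_token(): string
{
    if (empty($_SESSION['sec_token'])) {
        $_SESSION['sec_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['sec_token'];
}

function csrf_check_token(?string $submitted): bool
{
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the token a guess got right.
    return isset($_SESSION['sec_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['sec_token'], $submitted);
}

// Simulated request cycle with a plain array standing in for the PHP session.
$_SESSION = [];
$token = csrf_get_token();
var_dump(csrf_check_token($token));          // bool(true): posted from our own form
var_dump(csrf_check_token('forged-value'));  // bool(false): request built elsewhere
var_dump(csrf_check_token(null));            // bool(false): token field missing
```

A request forged from another site can make the victim's browser send the cookies, but it cannot read the page that contains the hidden token, so it cannot supply a matching value; that is the property the token pair relies on.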

Security Advice

Passwords

  • use passwords that contain special characters like:

Security incidents procedure

When a security flaw is reported, please follow this procedure:

  • report it to security@dokeos.com and info@dokeos.com
  • inform the reporter that his report has been taken into account and ask for a delay before publication (time to develop the patch and apply it internally)

When a security incident (or accident) happens, please follow this procedure:

  • develop a patch
  • update this wiki page and provide the patch or patching procedure
  • send an information e-mail with a link to this wiki to info@dokeos.com, security@dokeos.com and partners@dokeos.com
  • publish the report of the patch on as many websites as possible (after making sure that all internal contacts have been made aware of it). Do not publish links to the exploit. This would make it easier for crackers to find the exploit and attack non-patched portals.
