1
Defkon1
News 1.63 Vulnerability exploit
  • 2009/10/15 10:21

  • Defkon1

  • Not too shy to talk

  • Posts: 151

  • Since: 2005/1/27


News 1.63 module is long time affected by a CSRF vulnerability on the new story/topic submit form (http://fatmatt.wordpress.com/2009/07/27/vulnerabilita-modulo-news-v1-63-per-xoops/)...

any fix available (protector apart)?

2
ghia
Re: News 1.63 Vulnerability exploit
  • 2009/10/15 10:43

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


It seems to me (as far as I understand the article through translation) that they use /modules/news/admin/index.php?op=newarticle as link.
Normally only user groups that may administrate the News module have access to this link.
Anonymous users get a 'Sorry, you don't have access to this page' message.
Don't understand how the exploit (could) work.

3
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/21 10:04

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi everybody, let me explain a bit how it works.

You are right when you say that only registered users with publishing rights have access to that link but here's the problem.

The submission form is NOT protected with a token or something preventing CSRFs. In fact I could write an evil html page with a hidden form that submits the form automatically when someone loads it in his browser (via the onload attribute inside the body tag).

Now imagine that you're the admin of your XOOPS and news1.63 powered site: if I send you a link to my evil page and you open that link while your XOOPS session is not expired on the server, you will unconsciously send post data to your site.

4
HopeL
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 18:53

  • HopeL

  • Just popping in

  • Posts: 29

  • Since: 2009/8/21


Sorry. I'm still confused. Can this 'exploit' be done without my help as the admin clicking on someone's link? In other words, can a hacker submit news articles from my XOOPS site if they do not have permission?

5
trabis
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 19:01

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

In fact I could write an evil html page with a hidden form that submits the form automatically when someone loads it in his browser (via the onload attribute inside the body tag).


Can you show me?

If what you say can be done then I'm afraid the news module is the least of our worries. You could just create a form that would create a php block that would delete all my database and, why not, delete all files.

6
frankblack
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 21:19

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Would XOOPS_TOKEN prevent this issue? It would be handy if there were a detailed description out there on how to work with XOOPS_TOKEN.

Speaking for myself: I need to break the code to understand it (or not), before using it. Means: I need some nicely coded examples. A kind of cheat sheet would be nice.

7
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 21:35

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi and sorry for the delay and for my unclear post.

First of all I think that a CSRF token would be very helpful; even though it doesn't provide a 100% effective prevention, it raises the attack's complexity with a minimum effort.

Here's my attack:
http://www.mediafire.com/?sharekey=68395ad6c66659b15a3d773badf21430e04e75f6e8ebb871

I provide files:
Evilpage.html is the page with the hidden frame: if you have an active administration session on a XOOPS site and then you load the evil page with your browser, it will silently post new content on your news module.

xoopsnews.html is a copy of the form (provided by the news module). This form has to be adapted to your XOOPS installation because my script refers to http://localhost/xoops and that is my installation but maybe not yours.

All you have to do to try is:
1) log in to your XOOPS site
2) open evilpage.html
3) wait 5 secs
4) open your XOOPS admin page (in particular news module administration)

I strongly suggest the news1.63 team to insert a csrf token



8
frankblack
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:02

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


When the token is not 100% safe, what would be then 100% safe? If we ever will reach 100%. Would a request uri check be of any help? Sorry for sounding amateurish, I AM amateurish.

9
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:23

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


In my opinion there is not a 100% effective solution in php.

A token will raise defenses against this kind of attack but theoretically the attacker could guess the right token.

There are also other ways to (try to) prevent CSRFs: you could check the referrer, which tells you where the requests come from. If requests come from your website's domain then you accept them, otherwise you exit() :)

I have to tell you that even the referrer can be """""hacked""""" so even this prevention is not 100% effective.

If I had to choose between token and referrer prevention I would choose the token :)


I suggest you this article: http://shiflett.org/articles/cross-site-request-forgeries
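
The synchronizer-token check that fatmatto recommends above (and the "nicely coded example" frankblack asked for), as an added example that is not part of this thread, the News module or XOOPS core: a per-session random token embedded in the form and compared in constant time on submit, with the referrer/origin check discussed above kept only as a supplement. The session key, the `www.example.com` host and the handler flow are assumptions for illustration; XOOPS 2.x ships its own XoopsSecurity class (getTokenHTML() / check()) for the same purpose, which you should prefer inside a real module.

```php
<?php
// Added example (not XOOPS/News module code): a minimal anti-CSRF guard
// for a form handler such as the News "new article" submit.
session_start();

const CSRF_TOKEN_KEY = 'csrf_token';   // hypothetical session/field name

// Issue one unguessable token per session (256 bits from the CSPRNG).
function csrf_token(): string {
    if (empty($_SESSION[CSRF_TOKEN_KEY])) {
        $_SESSION[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_TOKEN_KEY];
}

// Hidden field to drop into the form; a cross-site page cannot read it.
function csrf_hidden_field(): string {
    return '<input type="hidden" name="' . CSRF_TOKEN_KEY . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission: token must be present and equal the session copy.
// hash_equals() is constant-time, so the token cannot be recovered by timing.
function csrf_check(array $post, array $session): bool {
    $sent   = $post[CSRF_TOKEN_KEY] ?? '';
    $stored = $session[CSRF_TOKEN_KEY] ?? '';
    return $stored !== '' && is_string($sent) && hash_equals($stored, $sent);
}

// Defence in depth only: Origin (else Referer) must be our own host.
// These headers can be absent or stripped, so never rely on this alone.
function same_origin(array $server, string $site_host): bool {
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = $src === '' ? '' : (string) parse_url($src, PHP_URL_HOST);
    return $host !== '' && strcasecmp($host, $site_host) === 0;
}

// Hypothetical handler: GET renders the form, POST stores the article.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SESSION) || !same_origin($_SERVER, 'www.example.com')) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... save the submitted article here ...
    unset($_SESSION[CSRF_TOKEN_KEY]);   // single-use: rotate after a valid post
} else {
    echo '<form method="post">' . csrf_hidden_field()
       . '<input name="title"><button>Submit</button></form>';
}
```

An auto-submitting page on another site can still cause the browser to send the victim's cookies, but it cannot supply the hidden token, so the POST is rejected before any article is created.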

10
HopeL
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:29

  • HopeL

  • Just popping in

  • Posts: 29

  • Since: 2009/8/21


My apologies. I'm still a little lost on this one.

According to a previous post, before the exploit could take place I would need to:
1. be logged in to the site as admin
2. click on an evil link sent to me in email

Is the above correct? If so, just for the sake of asking, how would said evil person get my email address? The XOOPS site I manage is a paid membership site and not open to just anyone so any member emailing me directly would be a trusted source. Regardless, my email address is not public, only a contact form is available.

If the above is not correct, please help me understand. This all seems a bit complex for me.

Last question - does this exploit include all versions or only 1.63? What about prior versions?

Thanks,

Hope
