1
Defkon1
News 1.63 Vulnerability exploit
  • 2009/10/15 10:21

  • Defkon1

  • Not too shy to talk

  • Posts: 151

  • Since: 2005/1/27


News 1.63 module is long time affected by a CSRF vulnerability on the new story/topic submit form (http://fatmatt.wordpress.com/2009/07/27/vulnerabilita-modulo-news-v1-63-per-xoops/)...

any fix available (protector apart)?

2
ghia
Re: News 1.63 Vulnerability exploit
  • 2009/10/15 10:43

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


It seems to me (as far as I understand the article trough translation) that they use /modules/news/admin/index.php?op=newarticle as link.
Normally only user groups that may administrate the News module have access to this link.
Anonymous users get a 'Sorry, you don't have access to this page' message.
Don't understand how the exploit (could) work.

3
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/21 10:04

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi everybody, let me explain a bit how it works.

You are right when you say that only regisered users with publishing rights have access to that link but here's the problem.

The submission form is NOT protected with a token or something preventing CSRFs. Infact i could write an evil html page with a hidden form that submits the form automatically when someone loads it in his browser (via the onload atrribute inside the body tag).

Now imagine that you're the admin of your XOOPS and news1.63 powered site, if i send you a link to my evil page and you open that link while your XOOPS session is not expired on the server, you will unconsciously send post data to your site.

4
HopeL
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 18:53

  • HopeL

  • Just popping in

  • Posts: 29

  • Since: 2009/8/21


Sorry. I'm still confused. Can this 'exploit' be done without my help as the admin clicking on someone's link? In other words, can a hacker submit news articles from my XOOPS site if they do not have permission?

5
trabis
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 19:01

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

Infact i could write an evil html page with a hidden form that submits the form automatically when someone loads it in his browser (via the onload atrribute inside the body tag).


Can you show me?

If what you say can be done then I'm afraid news module is the less of our worries. You could just create a form that would create a php block that would delete all my database and, why not, delete all files.

6
frankblack
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 21:19

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Would XOOPS_TOKEN prevent this issue? If would be handy if there would be a detailed description out there on how to work with XOOPS_TOKEN.

Speaking for myself: I need to break the code to understand it (or not), before using it. Means: I need some nicely coded examples. A kind of cheat sheet would be nice.

7
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 21:35

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi and sorry for delay and for my not clear post.

First of all i think that a CSRFs Token would be Very helpful, even though it doesnt provide a 100% effective prevetion it raises attack's complexity with a minimum effort.

Here's my attack:
http://www.mediafire.com/?sharekey=68395ad6c66659b15a3d773badf21430e04e75f6e8ebb871

I provide files:
Evilpage.html is the page with the hidden frame, if you have an active administration session on a XOOPS site and then you load the evil page with your browser , it will silently post a new content on you news module.

xoopsnews.html is a copy of the form (provided by the news module). This form has to be adapted to your XOOPS installation because my script refers to http://localhost/xoops and that is my installation but maybe not yours.

All you have to do to try is
1) log in to your XOOPS site
2) open evilpage.html
3)wait 5 secs
4) open you XOOPS admin page (in particular news module administration)


I strongly suggest the news1.63 team to insert a csrf token



8
frankblack
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:02

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


When the token is not 100% safe, what would be then 100% safe? If we ever will reach 100%. Would a request uri check be of any help? Sorry for sounding amateurish, I AM amateurish.

9
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:23

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


In my opinion there is not a 100% effective solution in php.

A token will raise defenses against this kind of attacks but theoretically the attacker could guess the right token.

There are also other ways to (try to) prevent csrfs: you could check the referrer which tells you where the requests come from. If requests come from your website's domain then you accept them , otherwise you exit() :)

I have to tell you that even the referrer can be """""hacked""""" so even this prevention is not 100% effective.

If i had to choose between token and referrer prevention i would choose the token :)


I suggest you this article http://shiflett.org/articles/cross-site-request-forgeries

10
HopeL
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:29

  • HopeL

  • Just popping in

  • Posts: 29

  • Since: 2009/8/21


My apologies. I'm still a little lost on this one.

According to a previous post, before the exploit could take place I would need to:
1. be logged in to the site as admin
2. click on an evil link sent to me in email

Is the above correct? If so, just for the sake of asking, how would said evil person get my email address? The XOOPS site I manage is a paid membership site and not open to just anyone so any member emailing me directly would be a trusted source. Regardless, my email address is not public, only a contact form is available.

If the above is not correct, please help me understand. This all seems a bit complex for me.

Last question - does this exploit include all versions or only 1.63? What about prior versions?

Thanks,

Hope

Login

Who's Online

350 user(s) are online (274 user(s) are browsing Support Forums)


Members: 0


Guests: 350


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits