
recommend way of disabling standard page pending security fix?

hen3ry (Member) asked:

Folks:

Per

http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=30414

We're awaiting v7.02.05 to fix vulnerabilities in weblinks.php and downloads.php.

Until then, it seems like a good idea to completely disable these pages. Simply deleting them from the server has been suggested, but I verified: users linking to these pages get a "Not Found" error -- not exactly the most user-friendly result.

Would it be better for the users to get a normal PF page containing just the text "This page temporarily disabled." in the center column? Is there a template somewhere I could use to accomplish this? Otherwise I can try to cut down the code in one of these pages --or some other, simpler one-- but it sure would be a lot easier if someone has already done that and posted the proven results. Where?

Probably unnecessary, but I'll note that simply removing the links to these pages can keep users from getting the "Not Found" notice, but doesn't protect the site against the vulnerability. The best solution I can think of is to leave the site links alone and replace the content of these files with just what's necessary to display "This page temporarily disabled." When v7.02.05 is installed, the proper (and now secure) content of these files will be restored, and everything should work correctly, with minimal trouble.

TIA
JoiNNN (Veteran Member) answered:

You can use the same method I've described here and redirect to index.php when accessing one of those pages.

```php
$url = htmlspecialchars($_SERVER['REQUEST_URI']);
$page = FUSION_SELF;
// Restricted pages
$restricted_pages = array("downloads.php", "weblinks.php");
// Check: compare strictly against false, because strpos() returns 0 (which is
// falsy) when '/administration/' sits at the very start of the request URI
if (strpos($url, '/administration/') === false && in_array($page, $restricted_pages)) {
    redirect(BASEDIR."index.php");
}
```

Add this code to a panel, or to theme.php, includes/header_includes.php; wherever you like.
NOTE: It is important, if you put the code in a panel, that the panel be on the left or right side only, and preferably be the first one.
Edited by JoiNNN on 10-03-2012 23:20,
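The same gate written as a reusable function, as an added example that is not JoiNNN's or PHP-Fusion's own code. It assumes the PHP-Fusion constants FUSION_SELF and BASEDIR and the core redirect() function named in the thread; the function is_disabled_page() and the command-line self-check are constructed for this illustration. It also shows why the check must compare strpos() against false rather than negate it.

```php
<?php
// Added example, not code from the thread or from PHP-Fusion itself.
// Pages to keep offline until the fixed release is installed.
$disabled_pages = array("downloads.php", "weblinks.php");

/**
 * Return true when $script (e.g. FUSION_SELF) is one of the disabled pages
 * and the request is not for the administration area.
 */
function is_disabled_page($request_uri, $script, array $disabled) {
    // Only the path matters; drop any query string before inspecting it.
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ($path === null || $path === false) {
        $path = $request_uri;
    }
    // strpos() returns 0 (falsy) when the needle is at offset 0, so
    // "!strpos($path, '/administration/')" would wrongly treat
    // "/administration/downloads.php" as a public request. Compare strictly.
    $in_admin = strpos($path, '/administration/') !== false;
    // basename() keeps the comparison to the script's file name only.
    return !$in_admin && in_array(basename($script), $disabled, true);
}

// Gate: send visitors of a disabled page to the front page. Runs only inside
// PHP-Fusion, where the constants exist; place it so it executes before the
// page body (hence JoiNNN's note about the first side panel).
if (defined('FUSION_SELF') && defined('BASEDIR')
        && is_disabled_page($_SERVER['REQUEST_URI'], FUSION_SELF, $disabled_pages)) {
    redirect(BASEDIR."index.php");
}

// Constructed self-check for running this file from the command line.
if (PHP_SAPI === 'cli') {
    $cases = array(
        array('/downloads.php?cat_id=1',        'downloads.php', true),
        array('/administration/downloads.php',  'downloads.php', false),
        array('/news.php',                      'news.php',      false),
    );
    foreach ($cases as $c) {
        $got = is_disabled_page($c[0], $c[1], $disabled_pages);
        printf("%-36s -> %-5s (expected %s)\n",
            $c[0], $got ? 'true' : 'false', $c[2] ? 'true' : 'false');
    }
}
```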
Tyler (Member) answered:

Nice solution. Would this not be useful in core? Especially if you can add them via control panel and maybe set time frames.... So people can't access pages you already created but don't want them to see yet.... Good idea and solution....
Edited by Tyler on 10-03-2012 23:37,
hen3ry (Member) answered:

Thanks for your ideas.

I just solved the problem by making a backup of each of the original files. Then I gutted the interior, and added php code to echo

This page (weblinks) temporarily disabled for security reasons.


and

This page (downloads) temporarily disabled for security reasons.

in weblinks.php and downloads.php respectively. The resulting pages look OK -- nothing broke.

When the new release arrives, installing it should obliterate these pages, and I'm done. Until then, I can only hope I've not waited too long to close off these vulnerable pages.
Moregelen (Junior Member) answered:

Just sticking this in your maincore works quite well. Then you can just edit the array any time you need to change what is offline. Nice work ^_^

Quote

JoiNNN wrote:

You can use the same method I've described here and redirect to index.php when accessing one of those pages.

```php
$url = htmlspecialchars($_SERVER['REQUEST_URI']);
$page = FUSION_SELF;
// Restricted pages
$restricted_pages = array("downloads.php", "weblinks.php");
// Check: compare strictly against false, because strpos() returns 0 (which is
// falsy) when '/administration/' sits at the very start of the request URI
if (strpos($url, '/administration/') === false && in_array($page, $restricted_pages)) {
    redirect(BASEDIR."index.php");
}
```

Add this code to a panel, or to theme.php, includes/header_includes.php; wherever you like.
NOTE: It is important, if you put the code in a panel, that the panel be on the left or right side only, and preferably be the first one.
Lowerland (Newbie) answered:

Why is there still no patch for this? .....
hen3ry (Member) answered:

Quote

Lowerland wrote:

Why is there still no patch for this? .....


Ummm, yeah. Is it a good idea to publicly announce vulnerabilities in specific pages unless a fix is immediately available?
skpacman (Member) answered:

I've tested this so-called vulnerability on my own site with absolutely no conclusive results using standard url sql injection techniques.

There is absolutely no proof that I can find that the above mentioned (and mentioned here) vulnerability exists.

I've also checked these claims using online tools and one of my friends with sql injection experience (identity withheld).

Maybe the team isn't officially announcing the vulnerability because there is no vulnerability? Maybe this was cooked up by some trolls that are trying to ruin php-fusion's reputation? (just speculation there)

I'm kinda on the fence about this one. I'll disable those pages on my site once someone shows me concrete evidence of such attacks.
hen3ry (Member) answered:

skpacman:

Thanks for your skepticism.

As I reconstruct this, on 22 February, a PF site manager reported that 2 of his sites were hacked and that he had seen hackers' sites describing the vulnerability, here:

http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=30414#post_167491

Yes, that initial report might have been mistaken, and what he found on the net about the vulnerability might have been disinformation. The post itself could be complete disinformation.

The next post, that same day, was from someone self-identified as a PHPFusion Lead Developer. He responded that a new release, v7.02.05, would be forthcoming. This person is tagged as an admin, so presumably he is who he says he is.

Time for me to apologize: my previous post said that the vulnerability was "announced". The implication being that someone official did the announcing. I regret this implication. In fact, the Lead Developer did NOT confirm the existence of a vulnerability. Which was the best he could do, under the circumstances. How to balance free interchange of information on forums with the arguable value of keeping actual vulnerabilities quiet until a fix is available? No easy answer, I'm afraid.

I'll match your skepticism with my own: How do I know _your_ post isn't disinformation? <grin>

In the case of the site I manage, the pages weblinks.php and downloads.php are very low-priority, so I was not reluctant to disable them.
skpacman (Member) answered:

Good point, hen3ry.

I posted the results of my own testing I did on my own site. It doesn't mean the vulnerability doesn't exist. It just means I, an online tool, and my hacker source, were unable to reproduce the attack with our own means.

Agreed, it wasn't officially announced as a vulnerability. I'm skeptical of most, if not all, hacking reports by online sources other than our own MT here, due to the fact that the vast majority of reports outside of our MT are specifically targeted to make the system in question look like a bad system (in this case our weblinks and downloads pages).

Still, if there is a problem with those pages, I would like to see some proof (screenshots, etc.) or an update to the core to fix these problems.

I could easily disable my weblinks without too much thought behind it. My downloads section, however, is very high priority and would take some careful tinkering or be replaced with an approved (and secure) 3rd party infusion.
Korcsii (Member; former Senior Developer for v7.02 and Hungarian Translator) answered:

Honestly, I/we can't find any SQL injection possibilities in these files.

If anyone does, please report it; otherwise I can only say that it's safe - or the whole system is bad.
Edited by Korcsii on 15-03-2012 01:17,
skpacman (Member) answered:

@Korcsii - thanks for clearing that up. I tried to reproduce the claimed attack, trying several different techniques, but was unable to.
hen3ry (Member) answered:

skpacman:

Thanks for your response. It is good that you understand the issues well enough to run tests. I honestly have no clue. I once read some material on SQL injection, didn't understand it, and --with too many other priorities-- gave up. And that's just one of many types of vulnerabilities, yes?

Brief history: the PFv6.x site I managed was badly damaged by hackers several years ago. Recovery was very painful. (Burned!) I never figured out how they got in. It seemed clear at the time that v7 was more secure so I upgraded the site as the last step of recovery.

People "outside" are motivated to slam phpFusion? How do they benefit from spreading reports that PF is "bad"? I don't get it. (No sarcasm implied -- I just don't see it.)

Sorry, I don't have enough experience with downloads.php to make even slightly intelligent comments or suggestions. We have a very large number of downloads, mostly images, but they are all made available via long lists of links on custom pages, with no thumbnails and somewhat casual meta-information. No download counts are maintained. This was established before I arrived. I guess my predecessor couldn't face adding thousands of files through PF --> Admin Panel --> Content Admin --> Downloads. I followed precedent.
Lowerland (Newbie) answered:

OK, I have done some testing in the meantime too,

but it seems that there are no SQL injections possible, as far as I have tested it.
Korcsii (Member; former Senior Developer for v7.02 and Hungarian Translator) answered:

An independent developer's opinion is that the 'hacker' did not even try it, but just checked the files and found a $_GET in the SQL query (it's another question that it is previously checked by an isNum).

Anyway, he is not an official hacker, just a web developer.
Edited by Korcsii on 15-03-2012 13:35,
DJQUICK-E (Junior Member) answered:

Quote

hen3ry wrote:

skpacman:

Thanks for your skepticism.

As I reconstruct this, on 22 February, a PF site manager reported that 2 of his sites were hacked and that he had seen hackers' sites describing the vulnerability, here:

http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=30414#post_167491

Yes, that initial report might have been mistaken, and what he found on the net about the vulnerability might have been disinformation. The post itself could be complete disinformation.

The next post, that same day, was from someone self-identified as a PHPFusion Lead Developer. He responded that a new release, v7.02.05, would be forthcoming. This person is tagged as an admin, so presumably he is who he says he is.

Time for me to apologize: my previous post said that the vulnerability was "announced". The implication being that someone official did the announcing. I regret this implication. In fact, the Lead Developer did NOT confirm the existence of a vulnerability. Which was the best he could do, under the circumstances. How to balance free interchange of information on forums with the arguable value of keeping actual vulnerabilities quiet until a fix is available? No easy answer, I'm afraid.

I'll match your skepticism with my own: How do I know _your_ post isn't disinformation? <grin>

In the case of the site I manage, the pages weblinks.php and downloads.php are very low-priority, so I was not reluctant to disable them.
Homdax (Fusioneer) answered:

DJQUICK-E, could you please use the quote tags properly? Your text insertions are very hard to see, and the readability suffers from it.
DJQUICK-E (Junior Member) answered:

Sorry about that. I must have pushed the wrong button or something. I just wanted to respond that I am glad there are no vulnerability issues for PHP FUSION..:)