

Security Vulnerabilities

2010:0317 >> disabling Sahana security ACL via stream module

Authentication can be bypassed completely via stream.php, because the module authentication code within it had been commented out.

http://sahana/index.php?mod=admin&act=acl_enable_acl Authenticates correctly.
http://sahana/stream.php?mod=admin&act=acl_enable_acl Does not.

The patch for this vulnerability disallows the streaming module from disabling the Sahana ACL.

Code commits:
trunk » http://bazaar.launchpad.net/~sahana-php/s3/php-cvs-trunk/revision/4531
rel_0_6 » http://bazaar.launchpad.net/~sahana-php/s3/php-cvs-stable/revision/3798

2009:1210 >> mod variable exploits in lib_locale

Cross site scripting can be achieved by modifying the URL in Sahana to inject foreign code into the page:

http://sahana/index.php?mod=mpr>%22%27><img%20src%3d%22javascript:alert(23270)%22>&act=lc_set 

Phishing can be done through an IFrame also via URL modifications:

http://sahana/index.php?mod=mpr'"><iframe%20src=http://google.com>&act=lc_set

Link Injection can also be achieved:

http://sahana/index.php?mod="'><IMG%20SRC="http://www.google.com/logos/newton10-tree.jpg">&act=lc_set 

The patch to this vulnerability cleanses the mod variable in lib_locale by making sure it meets the regular expression for a module's folder structure as noted here: http://wiki.sahana.lk/doku.php/dev:php_coding_convention#choosing_a_name_for_a_module_in_sahana_module

Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_locale/lib_locale.inc?r1=1.23.2.4&r2=1.23.2.5
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_locale/lib_locale.inc?r1=1.29&r2=1.30

2009:1029-2 >> MPR Module Exploits

Cross site scripting can be achieved by modifying the URL in Sahana to inject foreign code into the page:

http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http://www.google.com/intl/en_ALL/images/logo.gif%22>

Phishing can be done through an IFrame also via URL modifications:

http://sahana/index.php?mod=mpr&act=search&type=all'"><iframe%20src=http://demo.testfire.net>

Link Injection can also be achieved:

http://sahana/index.php?mod=mpr&act=search&type="'><IMG%20SRC="/WF_XSRF.html">

All three of the above attacks can be eliminated by purifying the $_GET['type'] parameter from the URL before doing anything with it. The patch involves adding an additional function to search.inc in /mod/mpr and then calling this function to clean the variable before its use.

Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/mod/mpr/search.inc?revision=1.17.24.8&view=markup
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/mod/mpr/search.inc?revision=1.31&view=markup
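The cleanup the MPR patch describes, written out as an added example (this is not Sahana's own search.inc): the type parameter is checked against an allow-list before use and encoded again when it is reflected into the page. The set of allowed search types and the heading markup are assumptions for illustration.

```php
<?php
// Added example, not Sahana's own search.inc: hardening the MPR search
// handler against the reflected XSS in the "type" parameter (2009:1029-2).
// The allowed search types are an assumption for illustration.
const MPR_SEARCH_TYPES = ['all', 'name', 'id'];

// Allow-list the value: anything not in the list falls back to the default,
// so attacker-supplied text never reaches the page at all.
function mpr_clean_search_type(?string $raw, string $default = 'all'): string
{
    return ($raw !== null && in_array($raw, MPR_SEARCH_TYPES, true)) ? $raw : $default;
}

// Encode on output as well, so a later change to the allow-list cannot
// reintroduce markup injection.
function mpr_render_search_heading(string $type): string
{
    return '<h2>Search (' . htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8') . ')</h2>';
}

// The vulnerable pattern from the report, kept for contrast: the raw
// parameter is concatenated into HTML, so the payload becomes markup.
function mpr_render_search_heading_unsafe(string $type): string
{
    return '<h2>Search (' . $type . ')</h2>';
}

// Constructed input shaped like the report's third URL (type="'><IMG ...>).
$payload = "\"'><IMG SRC=\"/WF_XSRF.html\">";
echo mpr_render_search_heading_unsafe($payload), "\n";
echo mpr_render_search_heading(mpr_clean_search_type($payload)), "\n";
echo mpr_render_search_heading(mpr_clean_search_type('all>"\'><img src=x>')), "\n";
// Output encoding alone, in case a value ever bypasses the allow-list.
echo mpr_render_search_heading($payload), "\n";
```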

2009:1029-1 >> Session Fixation Exploit

In some cases an anonymous user could fake a PHPSESSID by modifying a local cookie and having Sahana use this as the new PHPSESSID. Old session keys were not being purged from the database when a user logs out. A user could brute force, social engineer, or use a cross-site browser exploit to achieve possession of an old session key and use this to authenticate to Sahana.

Fixes: Anonymous users are no longer able to inject a PHPSESSID, because we regenerate a new PHPSESSID with every page view. Thus, the only way to authenticate into Sahana is through the login process. We also delete old session IDs from the database when a user logs out, reducing the risk of old session keys remaining to 0.

More on this exploit here: http://shiflett.org/articles/session-fixation

Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.12.4.1&view=markup
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.16&view=markup
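The two mitigations described above, as an added example written against PHP's built-in session API on modern PHP (7.3+); this is not Sahana's handler_session.inc. It assumes that, where a database-backed handler is registered with session_set_save_handler(), session_destroy() and session_regenerate_id(true) call that handler's destroy() for the old id, which is what removes the stale row.

```php
<?php
// Added example, not Sahana's handler_session.inc: regenerate the session id
// on every page view and purge the old record on logout (2009:1029-1).

function sahana_session_start(): void
{
    // Strict mode makes PHP refuse an id it did not itself issue, so a value
    // planted in the cookie by an attacker is never adopted as the session id.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
    session_start();

    // The page's fix: a fresh id on every page view, old data deleted (true),
    // so an id known before login is useless after the first response.
    session_regenerate_id(true);
}

// Call after a successful credential check: rotate again at the privilege change.
function sahana_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_time'] = time();
}

function sahana_logout(): void
{
    $_SESSION = [];
    // Expire the client-side cookie ...
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // ... and destroy the server-side record so the old key cannot be replayed.
    session_destroy();
}
```

Regenerating on every request, as the page's fix does, can break concurrent requests (for example AJAX calls) that still carry the previous id; a common compromise is to rotate at login and at a fixed interval instead.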

2009:1019 >> Null character URL Exploit

We have run Sahana through some of our security analysis software and identified a severe security vulnerability. It occurs when a malformed URL is sent to Sahana with a null character in the string. Example:

http://sahana/index.php?stream=text&mod=/../../../../../../../../../../../etc/passwd%00

This allows an attacker to essentially access any file on the web server. A patch has been committed to the trunk to check for null characters in the filename and remove them before opening the file.

To patch a Sahana site already in place, add the following line:

// fixes the security vulnerability associated with null characters in the $module string
$module = str_replace("\0", "", $module);

Right before this line:

// identify the correct module file based on action and module
$module_file = $APPROOT.'mod/'.$module.'/main.inc';

This issue can also be followed here: https://sourceforge.net/tracker/index.php?func=detail&aid=2908356&group_id=127855&atid=709778

Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/www/index.php?revision=1.65.2.3&view=markup
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/www/index.php?revision=1.84&view=markup
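An added example (not Sahana's index.php) that combines the null-character fix above with the module-name allow-list approach the 2009:1210 lib_locale patch took, plus a path containment check. The module-name regex and the $approot layout are assumptions for illustration, not the real Sahana convention.

```php
<?php
// Added example, not Sahana's index.php: resolving the "mod" parameter to a
// module file with three layers. The null-byte strip is the page's own fix
// (2009:1019); the name allow-list (the approach of the 2009:1210 patch) and
// the path containment check are added here. Regex and layout are assumed.
const MODULE_NAME_RE = '/^[a-z][a-z0-9_]*$/';

// Returns the cleaned module name, or null when it is not a plain name.
function clean_module_name(string $module): ?string
{
    // Page's fix: a NUL terminates the path at the C level, which is what let
    // "/../../../etc/passwd%00" discard the "/main.inc" suffix appended later.
    $module = str_replace("\0", '', $module);
    // Allow-list: "../", slashes, quotes and angle brackets never reach the
    // filesystem call or the HTML output at all.
    return preg_match(MODULE_NAME_RE, $module) === 1 ? $module : null;
}

// Returns the absolute path of mod/<name>/main.inc, or null if the name is
// invalid or the resolved path escapes the mod/ directory (e.g. via symlink).
function resolve_module_file(string $approot, string $module): ?string
{
    $name = clean_module_name($module);
    if ($name === null) {
        return null;
    }
    $base = realpath($approot . 'mod');
    $file = realpath($approot . 'mod/' . $name . '/main.inc');
    if ($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed inputs: a legitimate module, the traversal payload from the
// report above, and the markup payload from the lib_locale report.
foreach (['mpr', "/../../../../../../etc/passwd\0", "mpr>\"'><img src=\"javascript:alert(1)\">"] as $m) {
    var_dump(clean_module_name($m));
}
```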

