Canon Digital Photography Forums  

Old 5th of June 2006 (Mon)   #1
Pekka
El General Moderator
Join Date: Mar 2001
Location: Hellsinki, Finland
Posts: 12,276
------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

As reported in http://photography-on-the.net/forum/...d.php?t=177456 , there is a security issue which makes it possible to include remote files with EE 1.5. To make this happen your PHP must have the setting

register_globals = on

and also

allow_url_fopen = on


TO TEST IF YOU ARE VULNERABLE TO THIS ATTACK:

save following code as test.php and save/upload it in your EE folder.

PHP Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <title>register_globals test</title>
</head>
<body>
<?php
// Suppress warnings so a failed include does not clutter the output
error_reporting(0);
// With register_globals on, ?x=... in the URL becomes the global $x
if (!isset($x)) {
    print "x is not defined";
}
if (isset($x)) {
    print "x = " . $x;
    print "<hr>";
    // Only succeeds when allow_url_fopen also lets include() fetch a URL
    include ($x . "photo.php");
}
?>
</body>
</html>
Now browse to your test.php, e.g. http://www.yoursite.com/gallery/test.php . You should see a page with text:

x is not defined

Then add at the end of the address

?x=http://photography-on-the.net/gallery/

e.g. http://www.yoursite.com/gallery/test...e.net/gallery/ and press Enter.

RESULTS:

If you see

x is not defined

You are ok.
------------------------------------------
If you see

x = http://photography-on-the.net/gallery/

It means register_globals is on, and allow_url_fopen = off in your php configuration. You are not affected by this specific vulnerability, but you should immediately ask your ISP to set register_globals off.
------------------------------------------
If you see

an EE gallery page (with text x = http://photography-on-the.net/gallery/ on top)

It means register_globals is on, and allow_url_fopen = on in your php configuration, you are vulnerable to this attack type, and you must set register_globals off ASAP!


CHANGE YOUR EE FOLDER NAME UNTIL YOU HAVE THOSE SETTINGS CORRECT. I will post files to fix it for those who cannot get php settings changed, in a few minutes.

If your ISP has set both these on then request immediately that both settings should be OFF (every decent ISP should know this without saying).
------------------------------------------

DELETE test.php from your server IMMEDIATELY after you have seen the results!

Last edited by Pekka : 5th of June 2006 (Mon) at 16:49.
Old 5th of June 2006 (Mon)   #2
Pekka
El General Moderator
Join Date: Mar 2001
Location: Hellsinki, Finland
Posts: 12,276
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Quote:
Originally Posted by tommykjensen
Can this be done without having access to php.ini?
.htaccess with

php_flag register_globals off

should do it.

or

php_flag register_globals 0

On Apache 2 this will not work. It has to be put by your host in the VirtualHost handler for your website in httpd.conf.
__________________
1D Mark III, 5D Mark II, lenses, 5-string bass
PHOTOS: Selected Snaps | Orchestra Photos | Brass Week 2009
2009 POTN BOOK AVAILABLE NOW -- click here

----------------------------
Old 5th of June 2006 (Mon)   #3
Pekka
El General Moderator
Join Date: Mar 2001
Location: Hellsinki, Finland
Posts: 12,276
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

If you cannot change register_globals, download

http://photography-on-the.net/ee/files/1_5_secured.zip

and replace all files with the ones in the zip. Main thing is to have a line

include_once ("toroot.php");

on the very top portion of the php code, and make sure that there is a toroot.php in folder with that file. The zip contains many files that really do not need that fix, but I did all possible ones nevertheless.
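The two points made above (the test script's `include ($x . "photo.php")` in the first post and the guard file included at the top of every script in this post) in working form, as an added example that is not part of this thread and is not the actual toroot.php from the zip, whose contents are not posted here. The file name guard.php and the functions unregister_globals and safe_include are my own names.

```php
<?php
// guard.php: hypothetical hardening include written for this example.
// It is NOT the toroot.php from 1_5_secured.zip (its contents are not
// posted in the thread). Intended use, as the first line of each EE script:
//     include_once("guard.php");

// 1. Undo register_globals: drop every global whose name arrived as a
//    GET/POST/COOKIE key, so ?x=http://... can no longer define $x.
function unregister_globals() {
    if (!ini_get('register_globals')) {
        return 0;                       // nothing to undo
    }
    if (isset($_REQUEST['GLOBALS'])) {
        die('GLOBALS overwrite attempt');
    }
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');
    $dropped = 0;
    foreach ($_GET + $_POST + $_COOKIE as $name => $value) {
        if (!in_array($name, $keep, true) && array_key_exists($name, $GLOBALS)) {
            unset($GLOBALS[$name]);
            $dropped++;
        }
    }
    return $dropped;
}

// 2. Include only files that resolve inside $base_dir: a URL scheme or
//    a NUL byte is refused outright, and realpath() defeats "../" tricks,
//    so allow_url_fopen no longer matters for this include.
function safe_include($base_dir, $file) {
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $file) || strpos($file, "\0") !== false) {
        return false;
    }
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include_once $target;
    return true;
}

unregister_globals();
// The include prefix is now set by the script itself, never by the request.
$x = dirname(__FILE__);
// Vulnerable original: include ($x . "photo.php"); hardened: false for anything remote.
safe_include($x, 'photo.php');
```

Turning register_globals off in php.ini or .htaccess, as the thread recommends, remains the real fix; this guard only limits the damage where that setting cannot be changed.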
Old 5th of June 2006 (Mon)   #4
HMetal
Member
Join Date: Mar 2005
Location: Windsor, Canada
Posts: 571
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Thanks for giving folks a temporary solution Pekka. I didn't get exploited because I have had register_globals disabled.

It is never a good idea to use register_globals on anyways. Perhaps a note regarding this in the EE install file will render future incidents moot.
Old 5th of June 2006 (Mon)   #5
calvorn
Member
Join Date: Apr 2002
Posts: 57
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

My ISP (icdSoft) allows a php.ini in any directory where there are PHP files.

They suggest:

Unfortunately, it will not be possible to change the default register_globals value.

However, you can create your own php.ini configuration files and place them inside the folders where you need to alter the default PHP configuration. You simply need to create a file named "php.ini" in each directory where you want to customize the PHP settings, and insert the following lines inside:

register_globals = off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off


The first line turns off the "register_globals" variable, and the rest of the lines are needed for compatibility reasons.

Hope this helps.

Cal
Old 5th of June 2006 (Mon)   #6
Pekka
El General Moderator
Join Date: Mar 2001
Location: Hellsinki, Finland
Posts: 12,276
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Quote:
Originally Posted by HMetal
Thanks for giving folks a temporary solution Pekka. I didn't get exploited because I have had register_globals disabled.

It is never a good idea to use register_globals on anyways. Perhaps a note regarding this in the EE install file will render moot future incidents..
Yes, in 2.0 there is an install checker tool that warns about register_globals if on. I think that I will make register_globals = off a REQUIREMENT to avoid any possible problems (also with server environment variables which can be _anything_ and thus able to override any variable on a whim).

Also, to reply to issues you previously mentioned: yes, EE 2 will have much better security: all incoming globals are always filtered, all publicly needed include scripts are in "basecode" directory for easy folder protection, admin area warns persistently when default foldername, username or pass are in use etc. etc.

Sorry again for reacting so slowly. I was in Norway playing three concerts. Just flew back to find this happening.
Last edited by Pekka : 5th of June 2006 (Mon) at 17:44.
Old 5th of June 2006 (Mon)   #7
HMetal
Member
Join Date: Mar 2005
Location: Windsor, Canada
Posts: 571
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Quote:
Originally Posted by Pekka
[...]
Sorry again for reacting so slowly. I was in Norway playing three concerts. Just flew back to find this happening.
Thanks Pekka, for the notes regarding EE2 and especially for having the foresight to use a basecode directory.

As for reacting slowly, I don't think you reacted slowly and I am glad that, by Monday morning (my time), you have given people a solution to close up the exploit.

What you should be proud of is that you got this sealed up before the issue made it to Security Focus and the other security-conscious websites. At least now, when and if they do post a vulnerability notice, there is an instant solution without waiting for you to respond.

As someone running EE and a longtime PHP coder, I have to say that I'm impressed.

Good job.
Old 5th of June 2006 (Mon)   #8
kd6lor
Member
Join Date: Sep 2001
Location: Southern California, USA
Posts: 311
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Pekka, thanks for the reply. Not to sound like those who are impatient about the release of 2.0, but if the release is soon, rather than rebuilding the directories on my website to eliminate any potential problems, I would be willing to wait for EE 2.0. Is it likely to be soon?

Thanks, and thanks as always for your great software and support.

Paul Jaruszewski
__________________
Paul Jaruszewski
www.melor.com
Old 5th of June 2006 (Mon)   #9
segal3
Member
Join Date: May 2005
Location: Calabasas, CA
Posts: 126
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Make sure you look through every directory in your gallery folder. There are files scattered everywhere...and some that are more than difficult to delete.
__________________
Matt Segal - carbonos scuba

I guess of all my uncles, I liked Uncle Cave Man the best. We called him Uncle Cave Man because he lived in a cave and because sometimes he'd eat one of us. Later on we found out he was a bear.
Old 5th of June 2006 (Mon)   #10
NetButch
Member
Join Date: Feb 2003
Posts: 36
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

My /gallery/temp folder was full of junk, and I can't delete or CHMOD any of it. Contacting my server admin to see if he can get rid of it for me. YUCK!
Old 6th of June 2006 (Tue)   #11
pukkita
Member
Join Date: May 2003
Posts: 144
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Kudos Pekka for sorting this quickly...

For those with undeletable folders (I assume they're owned by your user):

chflags -R nouchg undeletablefolder
chflags -R nouunlnk undeletablefolder
chmod -R +w undeletablefolder

and try to delete them again.

please do

ls -lod gallery/temp
ls -lo gallery/temp/

and paste the output here; that way it will be easier to post a find command that resets the permissions so the offending files can be deleted easily.

Last edited by pukkita : 6th of June 2006 (Tue) at 03:14.
Old 6th of June 2006 (Tue)   #12
chriz
Member
Join Date: Mar 2003
Posts: 174
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

I get this response in the browser window:

"; include ($x . "photo.php"); } ?>

And the title of the window is register_globals test - Mozilla firefox
Old 6th of June 2006 (Tue)   #13
chriz
Member
Join Date: Mar 2003
Posts: 174
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Sorry, renamed the test file to test.php rather than test.htm and got as result:
x is not defined.
Old 6th of June 2006 (Tue)   #14
::John::
Cream of the Crop
Join Date: Dec 2005
Location: Canberra, Australia
Posts: 8,527
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

Thanks for that.

Register_Globals set to off now.
Old 6th of June 2006 (Tue)   #15
devenh
Member
Join Date: Feb 2004
Posts: 128
Re: ------> IMPORTANT EE 1.5 SECURITY ISSUE <-------

My ISP told me they could not make the change to .htaccess at the server level and advised me to change my local .htaccess file. I did so and this worked.

Deven
Powered by vBulletin® Version 3.6.12
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
This forum is not affiliated with Canon in any way and is run as a free user helpsite by Pekka Saarinen, Helsinki Finland. You will need to register in order to be able to post messages. Cookies are required for registering and posting. HTML in messages is not allowed, plain website addresses are automatically made active by the board.