From: Gert S. <gst...@ri...> - 2014-02-20 22:54:01
Hi all,

First of all, thanks to Honza for acknowledging and fixing the issues I reported to him earlier, in such a quick manner. I think they are important enough for people to upgrade their existing installations as soon as possible to prevent SQLi attacks on their sites.

Apart from the patch that Honza committed to SVN on 31/1/2014, which addresses the SQLi problem, I'd recommend some additional changes to production sites to prevent or mitigate other security issues found with ActionApps:

* Make sure to configure a DB error page in /apc-aa/include/config.php3 to prevent XSS attacks on your site. The easiest way might be to configure it to show your main page when a DB error occurs (instead of outputting the SQL string for debugging, which may be vulnerable to XSS attacks), like this:

    /** Page shown on database error
     * If you do not specify this page, then some default error messages are
     * displayed. It is good for debugging, but it is better to not show these
     * messages to users on a production server for security reasons */
    define("DB_ERROR_PAGE", "/");

* Remove the following files from your production sites, to prevent information disclosure about the version of ActionApps & Xinha editor you are running:

    /apc-aa/CHANGES
    /apc-aa/misc/htmlarea/release-notes.txt
    /apc-aa/misc/htmlarea/release-notes.html

* If at all possible, completely remove or replace the Xinha HTML editor present in /apc-aa/misc/htmlarea/, as it is an old, unmaintained version which has known vulnerabilities that may compromise the security of your site if exploited: <https://secunia.com/advisories/product/29927/?task=advisories>

On 02/20/2014 12:50 PM, Bako Mihaly wrote:
> Hi Honza,
>
> thank you very much, in this case I will try to upgrade. I hope I will
> not need other patching.
>
> best,
>
> Misi
>
> On 2014-02-20 19:18, Honza Malik wrote:
>> Hi Misi,
>>
>>> did:
>>>
>>> svn switch --relocate
>>> https://apc-aa.svn.sourceforge.net/svnroot/apc-aa/trunk
>>> https://svn.code.sf.net/p/apc-aa/svn/trunk .
>> Good. The SVN repository of Sourceforge moved some time ago, so the provided
>> command is necessary for older SVN installs.
>>
>>> got the update, and after database update failed with:
>>>
>>> Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2005):
>>> Unknown MySQL server host 'p:localhost' (1) in
>>> /home/ekledo/public_html/apc-aa_2.50/include/phplib/db_mysql.inc on
>>> line 72
>>>
>>> Database error: connect (p:localhost, ekledo_adbusr, $Password,
>>> ekledo_aadb) failed - 2005 - Unknown MySQL server host 'p:localhost' (1)
>>> Error Number: 0
>>>
>>> I am currently running PHP Version 5.2.17
>> We switched from the deprecated ext/mysql to the modern ext/mysqli extension. The new
>> extension supports persistent connections (see ...host 'p:localhost'... above)
>> from PHP 5.3. So yes - it is PHP version related. You can fix this by using
>> a non-persistent connection to the database - see AA_USE_NON_PERSISTENT_CONNECT
>> in your config.php3.
>>
>> This will solve the DB connection problem, but there are probably more spots
>> where we use PHP 5.3 constructs (like the one in site.php3 line 115).
>> The tested versions of PHP with current AA are PHP 5.3 - 5.5, so I would
>> recommend upgrading PHP.
>>
>> register_globals is no longer an issue for current AA. It could be a
>> problem for other apps, of course.
>>
>>> Last time I had to downgrade PHP because register globals = off did not
>>> work. Now if I upgrade php all other sites with reg.globals = on will
>>> stop - meaning that I have to upgrade all sites at once and pray new
>>> version will work because I can not go back afterwards.
>> You have to upgrade PHP in the near future in all cases, so now is probably the
>> right time to do that. If you do not have time to convert all of your sites to
>> PHP 5.5, I can patch the perm_sql.php3 file for you, so you can just replace
>> it in your old AA install. However, this is just a temporary solution.
>>
>> Honza
>>
>> On Thu 20 February 2014 Bako Mihaly wrote:
>>> Hi Honza!
>>>
>>> After
>>>
>>> svn update
>>>
>>> got:
>>>
>>> svn: Repository moved permanently to
>>> 'https://svn.code.sf.net/p/apc-aa/svn/trunk'; please relocate
>>>
>>> did:
>>>
>>> svn switch --relocate
>>> https://apc-aa.svn.sourceforge.net/svnroot/apc-aa/trunk
>>> https://svn.code.sf.net/p/apc-aa/svn/trunk .
>>>
>>> got the update, and after database update failed with:
>>>
>>> Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2005):
>>> Unknown MySQL server host 'p:localhost' (1) in
>>> /home/ekledo/public_html/apc-aa_2.50/include/phplib/db_mysql.inc on
>>> line 72
>>>
>>> Database error: connect (p:localhost, ekledo_adbusr, $Password,
>>> ekledo_aadb) failed - 2005 - Unknown MySQL server host 'p:localhost' (1)
>>> Error Number: 0
>>>
>>> I am currently running PHP Version 5.2.17
>>>
>>> I got when connecting to site:
>>>
>>> Parse error: syntax error, unexpected ':' in
>>> /home/ekledo/public_html/apc-aa_2.50/modules/site/site.php3 on line 115
>>>
>>> Is this because PHP is too old?
>>>
>>> Last time I had to downgrade PHP because register globals = off did not
>>> work. Now if I upgrade php all other sites with reg.globals = on will
>>> stop - meaning that I have to upgrade all sites at once and pray new
>>> version will work because I can not go back afterwards.
>>>
>>> What do you suggest?
>>>
>>> best,
>>>
>>> Misi
>>>
>>> On 2014-02-19 19:15, Honza Malik wrote:
>>>> Hi all,
>>>>
>>>> Gert Steenssens found an SQL INJECTION problem in our SQL permission
>>>> system, which has been there for a long time, from its beginning phase.
>>>>
>>>> All systems which use the SQL based permission system should be updated
>>>> (see the line define("PERM_LIB", "sql") in your config.php3 script). The
>>>> systems which use the LDAP permission system are not affected.
>>>>
>>>> The database structure has been stable for quite a long time, so any update
>>>> from Subversion should be quite easy - just type:
>>>>
>>>>     svn update
>>>>
>>>> The current AA in SVN works well with PHP 5.3, 5.4 and 5.5 and MySQL >= 5.0
>>>> (or MariaDB).
>>>>
>>>> Thanks Gert for the report,
>>>>
>>>> Honza
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Managing the Performance of Cloud-Based Applications
>>>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>>>> Read the Whitepaper.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> "Did you get answers to your ActionApps-related queries? If yes, please
>>>> help the ActionApps community by uploading the answers onto appropriate
>>>> space in the ActionApps documentation wiki. See the *How to contribute*
>>>> section today http://actionapps.org/en/How_To_Contribute"
>>>> _______________________________________________
>>>> apc-aa-general mailing list
>>>> apc...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/apc-aa-general
--
Gert Steenssens / EsperanzaProxima.net
gst...@ri...

--
Cryptography is the ultimate form of non-violent direct action.
Julian Assange - 'Cypherpunks: Freedom and the Future of the Internet'

Please consider using OpenPGP encryption when sending me email:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFCtOrkBCADro4JceDLqvGImabkyK9DDfNoq/HOZ6Uj1lx55Jzn4c5e5M1pD
FoLM2shFZxrOtWKHMC7yfF3zmcvROs3D2kmzJt1+JLcatce1ISIg9OGwyYctFrTs
44CyQbj/Cinp5mza4s0u6aoyf4GCSQAmwMYFD7BZl6nqXmlAbL/HsJTFHlnjMlpX
cYmNt7DZahdntZdon0Aw3lcDSqwClkxd3nSbSaxHenlskGhElssJwCa+Atz3jNX7
i2z66FuIGNsxO72rYQgsP8wpmvbKLngqtyHwGmKD/ku2xjjpGVbhGVj5xmmRqohU
Qs1IPW1aRr+thL+nUKQGP409Vob78eKBSDVhABEBAAG0JUdlcnQgU3RlZW5zc2Vu
cyA8Z3N0ZWVuc3NAcmlzZXVwLm5ldD6JARwEEAECABAFAlCtOu0JEPRqXrSeFozu
AACuWgf7BwjKzdC8OJAC2KLH4q++fSE0LW+EGqRY2LNK4i1b4Qx/ZzrfIgxekvcc
XjghSD/EhKn4SKaIcjzRpEgZIW2w/BlpkBGWpGn3D9KRbsWhCDrhgsBdnBWmH3Lm
geYLjgE8sJEna6whrXuuLx8wgyFSdbzpL+yafw9/pBdBU9y+bRdT5HUfmd1TSRl+
B89q0vBAKG4KP+jFjh3Fcu4jpTeleuRl9kM1sBciBUbkvIPHQd1a9n/BW3bwEc/x
m6UF7mVmvUaSkHO7tCBacDmtWsBilq9fO6+KCw3OfOfAJr3ta0miihWLoPZXZTRs
T26VEAvIdnK94/zxHe9JUFr4+9O+qw==
=Kk5i
-----END PGP PUBLIC KEY BLOCK-----
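Editor's added example (not code from the thread or from the ActionApps project) illustrating two points made above: why Gert's advice to set DB_ERROR_PAGE matters, and why Honza's 'p:' host prefix fails on PHP 5.2. Only the constant names DB_ERROR_PAGE and AA_USE_NON_PERSISTENT_CONNECT come from the thread; the function names, the table, the credentials and the request value are assumptions made up for the illustration.

```php
<?php
// Added example, not ActionApps code. Constant names are from the thread;
// everything else (aa_db_host, aa_query, db_error_*, table/column names,
// credentials) is invented here for illustration.

define('DB_ERROR_PAGE', '/');                 // production: redirect here on DB error
                                              // (comment this out to see the debug path)
define('AA_USE_NON_PERSISTENT_CONNECT', false);

// mysqli understands the 'p:' (persistent connection) host prefix only from
// PHP 5.3. On 5.2 the prefix is taken literally as part of the hostname, which
// is the "Unknown MySQL server host 'p:localhost'" error quoted in the thread.
function aa_db_host($host) {
    if (AA_USE_NON_PERSISTENT_CONNECT || version_compare(PHP_VERSION, '5.3.0', '<')) {
        return $host;
    }
    return 'p:' . $host;
}

// Debug behaviour (what a site gets with no DB_ERROR_PAGE): the failed SQL,
// which carries whatever the visitor typed, is written straight into the HTML.
function db_error_debug($sql, $err) {
    echo "<b>Database error:</b> $err<br>\n<b>SQL:</b> $sql\n";   // XSS sink
}

// Production behaviour: detail goes to the server log, the visitor is sent to
// a harmless page, nothing attacker-controlled reaches the response body.
function db_error_page($sql, $err) {
    error_log("AA DB error: $err; SQL: $sql");
    header('Location: ' . DB_ERROR_PAGE, true, 302);
    exit;
}

function aa_query($conn, $sql) {
    $res = mysqli_query($conn, $sql);
    if ($res === false) {
        $err = mysqli_error($conn);
        if (defined('DB_ERROR_PAGE')) {
            db_error_page($sql, $err);
        }
        db_error_debug($sql, $err);
        return false;
    }
    return $res;
}

// Constructed request: the search term carries a script tag.
$term = isset($_GET['q']) ? $_GET['q'] : '"><script>alert(document.cookie)</script>';

$conn = mysqli_connect(aa_db_host('localhost'), 'aa_user', 'aa_pass', 'aa_db');
if (!$conn) {
    // connection errors follow the same rule: never echo them in production
    if (defined('DB_ERROR_PAGE')) {
        db_error_page('(connect)', mysqli_connect_error());
    }
    die('Database error: ' . mysqli_connect_error());
}

// mysqli_real_escape_string stops SQL injection but does nothing for HTML:
// '<' and '>' pass through unchanged, so if this query fails for any reason
// (table missing, column renamed, too-long value) the debug path echoes the
// term as live markup.
$sql = "SELECT id FROM item WHERE headline LIKE '%"
     . mysqli_real_escape_string($conn, $term) . "%'";
aa_query($conn, $sql);
```

Run it once with DB_ERROR_PAGE defined and once with that line commented out, against a database where the query fails (for example a missing table), to see the two error paths side by side. The escaping note is the point Gert is making: SQL escaping and HTML escaping are different things, and the only safe production setting is to keep the SQL text out of the response entirely.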