From: mose <mo...@ti...> - 2004-12-12 21:41:06
yo

** If you manage a tikiwiki website, please read carefully **

To all tikiwiki administrators and developers, here is an important
announcement concerning the security of existing Tikiwiki websites, in
all versions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The security flaw

There was no check on the images uploaded from the wiki edit page. A
malicious user with permission to upload images could upload any PHP
script and call it directly in the tikiwiki file tree, from the
img/wiki_up/ directory.

Actually the flaw is quite trivial, stupid, and obvious. It's rather
amazing that nobody fixed it before.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The security cure : Repair your tiki without delay !

. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Check your Tikiwiki sanity

Search for files with extensions .php, .php3, .php4 or .phtml in your
img/wiki_up directory (or img/wiki_up/$tikidomain/ in case of
multitiki). You can use the following one-liners to find them :

  find img/wiki_up -type f -name "*.php"
  find img/wiki_up -type f -name "*.php3"
  find img/wiki_up -type f -name "*.php4"
  find img/wiki_up -type f -name "*.phtml"

. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Check your (apache) logs

To find out whether someone used that flaw to inject an unwanted PHP
file, you can grep your logs (if you can use grep) :

  grep 'img/wiki_up/[^"]*\.ph\(p\(3\|4\)\?\|tml\) ' \
    var/log/apache/yourtiki.access.log

or, if your logs are rotated and you can use zgrep :

  zgrep 'img/wiki_up/[^"]*\.ph\(p\(3\|4\)\?\|tml\) ' \
    var/log/apache/yourtiki.access.log*

. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Apply a fix

The fastest emergency fix is to disable the "Pictures" feature in the
wiki admin panel (/tiki-admin.php?page=wiki). The alternative way to
inhibit picture upload on wiki pages is to restrict the feature by
setting the tiki_p_upload_picture permission in the groups admin panel.
But for a real fix, and to still be able to include pictures on wiki
pages, you need to upgrade or patch the tiki-editpage.php file :

* CVS users : just update your version, the fix is in all branches from
  1.7 to 1.10 :

    cvs -q update -dP

* Other users : add the following line in tiki-editpage.php

    if (preg_match('/\.(gif|png|jpe?g)$/i',$picname))

  just before the line containing move_uploaded_file( ... :

    with version 1.7.x,  on line 106
    with version 1.8.x,  on line 138
    with version 1.9rcx, on lines 173 and 181
    with version 1.10,   on line 172

. . . . . . . . . . . . . . . . . . . . . . . . . . . .
The sysadmin way

Alternatively (or in addition) to the file upgrade/patch, you can
inhibit the parsing of PHP files in the img/ dir.

* If you use apache but don't have access to the main configuration
  file, you can create a .htaccess in img/wiki_up containing :

    <FilesMatch "\.ph(p(3|4)?|tml)$">
      order deny,allow
      deny from all
    </FilesMatch>

  If it doesn't work, ask your admin to enable .htaccess processing
  with AllowOverride Limit in the Directory directive of your tikiwiki
  tree.

* If you can change your apache conf because you administer it, add :

    <Directory /var/www/tiki/img>
      <FilesMatch "\.ph(p(3|4)?|tml)$">
        order deny,allow
        deny from all
      </FilesMatch>
    </Directory>

  You need to adapt the directory path to match the location of your
  img/ dir.

Both methods above only block access to PHP files in the img/ dir, but
you may also want to inhibit .pl, .vb and other extensions if your
global configuration lets those extensions be parsed by another
preprocessor. Read more on http://httpd.apache.org/docs-project/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New releases warming up

In each released branch, a new version will be available in the next
few days, namely 1.7.9, 1.8.5 and 1.9dr4.

If you didn't apply one of the solutions listed above :

** you should upgrade as soon as possible!
** Remember that you can always alert the tikiwiki security group by
   sending a mail to security at tikiwiki.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mose, for the Tikiwiki Security Bunch-of-people

( the content of this announcement is on http://tikiwiki.org/art97 )
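The two checks from the announcement ("Check your Tikiwiki sanity" and "Check your (apache) logs") put together as one script, so an administrator can run both against a site root and a log file. This is an added example, not part of mose's announcement or of the Tikiwiki code base; the directory layout, file names and access-log lines it builds are constructed for the demonstration. Its log pattern goes slightly beyond the one-liners above: it also matches an uploaded script name followed by a query string, which the pattern ending in a space would miss.

```shell
#!/bin/sh
# Added example (not part of the announcement or of Tikiwiki): scan an
# img/wiki_up tree for script files and look for requests to them in an
# Apache access log. All sample paths and log lines below are constructed.

# Extensions the announcement names as executed by PHP: php, php3, php4, phtml.
SCRIPT_EXT_RE='\.ph(p(3|4)?|tml)$'

# A request for such a file under img/wiki_up, followed either by the
# protocol (space) or by a query string (?), which the plain one-liner misses.
LOG_RE='img/wiki_up/[^" ]*\.ph(p(3|4)?|tml)[ ?]'

# List script files under the upload directory ($1), one path per line.
# For multitiki, pass img/wiki_up/$tikidomain instead.
list_uploaded_scripts() {
    find "$1" -type f | grep -E -i "$SCRIPT_EXT_RE" | sort
}

# Number of script files found under the upload directory ($1).
count_uploaded_scripts() {
    list_uploaded_scripts "$1" | wc -l | tr -d ' '
}

# Access-log lines ($1 = log file) that requested a script under img/wiki_up.
list_script_requests() {
    grep -E "$LOG_RE" "$1" | sort
}

# Number of such log lines.
count_script_requests() {
    list_script_requests "$1" | wc -l | tr -d ' '
}

# Build a constructed Tikiwiki-like tree and access log in a temp dir and
# print its path: two legitimate images, two scripts that got uploaded.
setup_sample() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/img/wiki_up"
    : > "$sample_root/img/wiki_up/logo.png"
    : > "$sample_root/img/wiki_up/photo.jpg"
    : > "$sample_root/img/wiki_up/shell.php"     # constructed: uploaded via the flaw
    : > "$sample_root/img/wiki_up/notes.phtml"   # constructed: uploaded via the flaw
    cat > "$sample_root/access.log" <<'EOF'
10.0.0.1 - - [12/Dec/2004:20:01:02 +0000] "GET /tiki-index.php?page=HomePage HTTP/1.1" 200 5123
10.0.0.1 - - [12/Dec/2004:20:01:30 +0000] "GET /img/wiki_up/logo.png HTTP/1.1" 200 811
10.0.0.2 - - [12/Dec/2004:20:02:11 +0000] "GET /img/wiki_up/shell.php?a=1 HTTP/1.1" 200 64
10.0.0.2 - - [12/Dec/2004:20:02:15 +0000] "GET /img/wiki_up/notes.phtml HTTP/1.1" 200 12
10.0.0.3 - - [12/Dec/2004:20:03:00 +0000] "GET /img/wiki_up/photo.jpg HTTP/1.1" 200 4096
EOF
    echo "$sample_root"
}

# Print a short report: $1 = site root containing img/, $2 = access log.
report() {
    echo "script files under $1/img/wiki_up: $(count_uploaded_scripts "$1/img/wiki_up")"
    list_uploaded_scripts "$1/img/wiki_up"
    echo "requests for uploaded scripts in $2: $(count_script_requests "$2")"
    list_script_requests "$2"
}

# Run the checks against the constructed sample when invoked with --demo;
# for a real site call: report /path/to/tiki /var/log/apache/yourtiki.access.log
if [ "${1:-}" = "--demo" ]; then
    root=$(setup_sample)
    report "$root" "$root/access.log"
    rm -rf "$root"
fi
```

A non-zero count from either function is the signal to treat the site as compromised rather than merely vulnerable: the file scan shows what is sitting in the upload directory now, while the log scan shows whether anything there was ever requested, including scripts that have since been deleted.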