security issues

Discuss PivotX 2.0.x here. Non-PivotX related discussions go in The Drain.

security issues

Postby jodel » Thu Mar 25, 2010 8:41 am

Hi !

I just checked my webserver with skipfish (the new Google tool) and found this high-risk issue. How can I fix it?

PUT request accepted (1)
http://www.MYDOMAIN/pivotx/modules/module_debug.php/PUT-sfi9876


it also found these medium risk issues:

XSS vector in document body (5)
http://www.MYDOMAIN/index.php?t=>">'>'"<sfi000272v620228>$1&rewrite=tag
Memo: injected '<sfi...>' tag seen in HTML
http://www.MYDOMAIN/index.php?x=visitorpage&w=.htaccess.aspx>">'>'"<sfi000293v620228>$2
Memo: injected '<sfi...>' tag seen in HTML
http://www.MYDOMAIN/pivotx/ajaxhelper.php?function=.htaccess.aspx>">'>'"<sfi000229v620228>
Memo: injected '<sfi...>' tag seen in HTML
http://www.MYDOMAIN/pivotx/index.php?page=login
Memo: injected '<sfi...>' tag seen in HTML
http://www.MYDOMAIN/pivotx/index.php?page=login


Thanks for the help.

Re: security issues

Postby hansfn » Thu Mar 25, 2010 10:47 am

I'll look carefully at what skipfish has found later today - I'll run the tool myself, but I can already tell you now that most of the list is false positives. (The "PUT request accepted" warning is silly since 1) ajaxhelper.php doesn't recognize PUT requests and 2) enabling/disabling of PUT requests is a server issue. I haven't seen a server accepting PUT requests for ages.)

PS! Next time, please contact us directly instead of telling the whole world about potential attacks before we have a fix ready.

PS2! If you are running version 2.0.0, please upgrade to 2.0.2 or 2.1.0 beta 4 - grab them from http://pivotx.net/files/
hansfn
Developer
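To triage a "PUT request accepted" finding on your own server the way hansfn describes (a 2xx reply to PUT means nothing unless the body is actually stored and served back), here is an added example that is not part of this thread or of PivotX. It runs against a constructed local stand-in server; `probe_put`, `FakeApp` and `run_fake` are names chosen for this example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = b"put-triage-marker-7f3a"  # constructed probe body, not a payload

def probe_put(base_url, path, marker=MARKER):
    """'rejected' (non-2xx), 'confirmed' (the PUT body is served back by a
    following GET) or 'false-positive' (2xx but nothing was stored, which is
    what a PHP script that ignores the request method looks like to a scanner)."""
    url = base_url + path
    try:
        with urllib.request.urlopen(
                urllib.request.Request(url, data=marker, method="PUT")) as r:
            status = r.status
    except urllib.error.HTTPError as e:
        status = e.code
    if not 200 <= status < 300:
        return "rejected"
    try:
        with urllib.request.urlopen(url) as r:
            body = r.read()
    except urllib.error.HTTPError:
        return "false-positive"
    return "confirmed" if marker in body else "false-positive"

class FakeApp(BaseHTTPRequestHandler):
    # Constructed stand-in: answers 200 to any method; with persist=True it
    # behaves like a web server that really stores PUT bodies.
    persist = False
    stored = {}
    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.persist:
            self.stored[self.path] = body
        self.send_response(200)
        self.end_headers()
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(self.stored.get(self.path, b"<html>normal page</html>"))
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_fake(persist):
    """Start a throwaway local server; returns (server, base_url)."""
    app = type("App", (FakeApp,), {"persist": persist, "stored": {}})
    srv = HTTPServer(("127.0.0.1", 0), app)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port
```

Point `probe_put` at a real host only for a server you administer; the classification is "false-positive" exactly in the case hansfn describes, where the script answers 200 but the method is ignored.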

Re: security issues

Postby jodel » Thu Mar 25, 2010 12:07 pm

Thanks for the fast reply. Please tell me what skipfish found for you. I also had these issues when I ran it the first time:
Integer overflow vector (87)
Format string vector (16)
SQL injection vector (16)
Shell injection vector (30)
Server-side XML injection vector (14)

All errors pointed to one commentary page, so I deleted it and it was gone. I also disabled the RSS feed, I don't know if that was the XML issue, but it is gone as well.

Re: security issues

Postby hansfn » Thu Mar 25, 2010 10:48 pm

OK, I have started to look at this and it is indeed mostly (all?) false positives. However, for reference I would like to know what dictionary you used, and the command line options you used.

Re: security issues

Postby jodel » Fri Mar 26, 2010 6:46 am

I did use the default wordlist and no special command options, only
    skipfish -o /dir/ http://example.org

Re: security issues

Postby hansfn » Tue Mar 30, 2010 10:35 pm

I haven't had time to dig into every part of the results, but at least "PUT request accepted" is a confirmed false positive from the Skipfish author. I'll report back when I have checked the rest.

Re: security issues

Postby hansfn » Wed Apr 07, 2010 6:35 am

OK, I finally had time to look closely at a report I generated myself - it ran for 19 hours... There are so many false positives that the results are almost useless, but not completely - there were two obscure, but real, XSS issues. Those are fixed in PivotX Latest (as found in http://pivotx.net/files/unstable-development/) and will be part of the next release - PivotX 2.1.0 beta5 or 2.1.0 RC.