Security
From Dokeos
Security Patches
Dokeos 1.8
Dokeos 1.8.5
- A security issue has been detected in Dokeos 1.8.5 running on any version of the MS Windows operating system, whereby a remote attacker can include a system file by abusing the insufficiently filtered "include" parameter.
This issue can be fixed by replacing line 770 of /user_portal.php with:
if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include']))
More information to come... It is unlikely that we will issue a proper patch other than the updated user_portal.php file, as the issue only affects Windows servers and the change is a one-liner. The next release of Dokeos might also be out sooner than expected, due to several minor bugs that make Dokeos 1.8.5 slightly uncomfortable for teachers to use in very specific conditions (editing documents with external resources integrated through FCKeditor).
Dokeos 1.8.4 SP3 download
- A patch against the issues reported by Allegro.pl (and mentioned in FS#2312, although that page will only be public from the public disclosure of the reported bug, on the 20th of March), with possible vulnerabilities ranging from cross-site scripting to code execution, is available here.
The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files, which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first. This set of vulnerabilities is considered moderate risk (it is difficult to craft an attack using them) but with a high potential for damage. Their severity is lower than that of the vulnerabilities fixed in SP1 and SP2 (see below).
No unified patch is available at this time.
This patch includes the changes from 1.8.4 made by SP1 and SP2, so you only have to apply this latest patch (SP3).
These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008).
Dokeos 1.8.4 SP2 download
- A patch against the issues reported by Digital Security Research Group and mentioned in FS#2218 (possible SQL injection, possible XSS vulnerabilities) is available here.
The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files, which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first. This is an important set of vulnerabilities, but their severity is possibly lower than that of the vulnerabilities fixed in SP1 (see below).
A unified diff (diff options -Naur) is also available here.
This patch includes the changes from 1.8.4 made by SP1, so you only have to apply this latest patch (SP2).
These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008).
Dokeos 1.8.4 SP1
- A patch against the issues mentioned in FS#2151 (remote PHP upload and execution) and FS#2152 (XSS hole) is available here (new version since 2007-12-30). The patch has to be unzipped in the root directory of Dokeos 1.8.4. It contains a "main" directory with only a few files, which will overwrite the Dokeos 1.8.4 files and secure the system. You can check which files will be overwritten by unzipping in a temporary directory first.
Warning: This will *NOT* remove the PHP files that might already have been uploaded to your portal in the courses or temporary directories.
In general, you can consider any .php file or .php.* file inside the courses/[course_code]/[subdirectory] directories, the archives/ directory, the main/upload/users/ directory and the main/garbage/ directory as a *big* security threat. Exceptions apply to some index.php files located in the courses subdirectories that have been created by Dokeos itself. Typically, this includes courses/[course_code]/index.php and courses/[course_code]/group/index.php. Versions earlier than 1.8 might have created more files than these.
These files (the ones not generated by Dokeos) should be removed as soon as possible, or a .htaccess file should be put inside these directories and all their subdirectories to prevent the execution of any PHP code.
The .htaccess file should contain at least the following directives, or any configuration having the same effect:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .phps .bash
Options -ExecCGI
These issues have been fixed in the 1.8.5 version of Dokeos (to be published around early April 2008), but any PHP files already present on your system will need to be removed by you (we cannot do that automatically without risk, since we do not know the architecture of your server).
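The audit described above can be scripted. The following Python is an added example, not part of Dokeos, that walks the directories named in this section, reports .php and .php.* files, and skips only the two Dokeos-generated index.php locations; earlier versions may have created more, so review the output before deleting anything. The set of extensions treated as "php" and the sample tree it builds are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Names this audit treats as "a .php file or .php.* file" (an assumption about
# what the advice above covers): .php, .php3/.php5, .phtml, possibly followed
# by further extensions such as ".php.jpg".
PHP_NAME = re.compile(r'\.(php[0-9]?|phtml)(\.|$)', re.IGNORECASE)

# Directories the text above names as places where stray PHP is a threat,
# relative to the Dokeos root.
SCAN_DIRS = ("courses", "archives", "main/upload/users", "main/garbage")

# index.php files Dokeos itself creates inside a course; everything else is reported.
DOKEOS_INDEX = re.compile(r'^courses/[^/]+/(group/)?index\.php$')


def find_stray_php(root):
    """Return sorted root-relative paths (forward slashes) of suspect files."""
    hits = []
    for sub in SCAN_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if PHP_NAME.search(name) and not DOKEOS_INDEX.match(rel):
                    hits.append(rel)
    return sorted(hits)


def build_sample_portal():
    """Create a constructed Dokeos-like tree of empty files for a dry run."""
    root = tempfile.mkdtemp(prefix="dokeos_sample_")
    for rel in (
        "courses/MATH101/index.php",               # created by Dokeos: ignored
        "courses/MATH101/group/index.php",         # created by Dokeos: ignored
        "courses/MATH101/document/notes.pdf",      # harmless upload
        "courses/MATH101/document/shell.php",      # reported
        "courses/MATH101/document/photo.php.jpg",  # double extension: reported
        "courses/MATH101/document/UPLOAD.PHP5",    # upper case and php5: reported
        "main/upload/users/1/photo.jpg",           # harmless
        "main/garbage/old.php",                    # reported
        "archives/backup.php.txt",                 # reported
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in find_stray_php(build_sample_portal()):
        print("suspect:", hit)
```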
Older versions
- The issue reported in FS#2151 (remote PHP upload and execution) can easily be fixed manually for older versions by editing main/inc/lib/fileUpload.lib.php (or claroline/inc/lib/fileUpload.lib.php) and replacing, in the php2phps() function, the $fileName = ... line with:
$fileName = preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $fileName);
This ensures that any .php extension anywhere in the file name (also when it is followed by another extension) is replaced by a .phps extension, which prevents the file from being executed as PHP.
Recent tests (2007-12-31) show that the zip patch seems to work with any 1.8 version. This means that you should be able to apply the same patch to all 1.8 versions, following the procedure described above for Dokeos 1.8.4 SP1. We have only lightly tested it, and cannot take responsibility (as the usual GPL license says) for any problem caused by this procedure.
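Both one-line fixes on this page are regular-expression filters. The following added example (not Dokeos code) reproduces the user_portal.php "include" whitelist from the Dokeos 1.8.5 section and the php2phps() replacement above in Python, with constructed file names showing what each accepts, rejects or rewrites.

```python
import re

# Whitelist from the patched line 770 of user_portal.php (Dokeos 1.8.5 section):
# only a bare name made of letters, digits, "_" and "-" that ends in ".html".
INCLUDE_OK = re.compile(r'^[a-zA-Z0-9_-]*\.html$')

# Replacement from php2phps(): any ".php*" or ".phtml*" extension, wherever it
# appears in the name, becomes ".phps" and everything after it is dropped.
PHP_EXT = re.compile(r'\.(php.?|phtml.?)(\.){0,1}.*$', re.IGNORECASE)


def include_allowed(value):
    """True when `value` would pass the patched user_portal.php check
    (PHP's !empty() plus the preg_match() whitelist)."""
    return bool(value) and INCLUDE_OK.match(value) is not None


def php2phps(filename):
    """Rename an uploaded file so the web server no longer executes it as PHP."""
    return PHP_EXT.sub(".phps", filename)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real portal.
    for value in (
        "welcome.html", "my-page_2.html",
        "../../other.html",               # path separators are not whitelisted
        "welcome.html\0.txt",             # trailing data after .html
        "http://example.invalid/x.html",  # remote locations are rejected
        "welcome.php",
    ):
        print(f"{value!r:36} -> {'allowed' if include_allowed(value) else 'rejected'}")
    for name in ("notes.txt", "shell.php", "photo.php.jpg", "Upload.PHP5", "x.phtml"):
        print(f"{name:15} -> {php2phps(name)}")
```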
Necessary Security Weaknesses
Dokeos has some debatable weaknesses that are necessary for a few edge-case features (Oogie, for example) to run. The following is a list of PHP functions that may be disabled in your default PHP configuration but that need to be enabled for certain Dokeos features to work. The list is taken from the default disabled list on some Debian installations: show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru, dl. They are listed in the disable_functions directive of php.ini. We recommend putting the exceptions in the virtual host configuration for Dokeos, so that the rest of your PHP installation remains more secure.
- shell_exec (optional) : needed by the FCKEditor spellchecker extension to rely on local programs for spellchecking
- system (optional) : needed by the FCKEditor ImageManager extension to save images using the NetPBM local program
- popen : needed by the PHPMailer class when using the local sendmail program
- ini_restore (optional) : used by the FCKEditor FileManager extension to return php.ini settings to their initial value. It is only used for track_errors and error_reporting, so it should be safe, unless your initial php.ini settings are unsafe and it opens the door to an attack based on your error messages.
- passthru (optional) : needed by the FCKEditor ImageManager extension to convert images
- dl (optional) : needed by the PEAR package to load extensions. Only useful when the required extensions have not already been loaded.
Security Advice
Passwords
- use passwords that contain special characters like:

