Sponsor:

Server and Web Integrator
Link:
Kloxo-MR logo
6.5.0 or 7.0.0
Click for "How to install"
Donation/Sponsorship:
Kloxo-MR is open-source.
Donate and or Sponsorship always welcome.
Click to:
Click Here
Please login or register. 2024-03-28, 17:58:41

Author Topic: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001  (Read 31875 times)

0 Members and 1 Guest are viewing this topic.

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
At this moment, many report related to Kloxo Official security issue. Read http://www.webhostingtalk.com/showthread.php?t=1344003 about it.

Fortunely, Kloxo-MR no affect for this issue.

But, another security issue (code from Kloxo Official) still exist in Kloxo-MR.

Fixing for this issue are:
1. Add sanity '../' in filemanager
2. Cron task only enable for 'admin'

Please update Kloxo-MR to 2014013001. Update is very importance for Kloxo-MR as share-hosting (many clients inside).
« Last Edit: 2014-04-29, 14:18:28 by MRatWork »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #1 on: 2014-01-30, 09:59:59 »
They found more exploits.  What to do about hardlink protection?

This is all very big problem.

cron is not able to be used by clients?  I thought we could run cron under their username?
« Last Edit: 2014-01-30, 10:01:59 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline bluearrow

  • Junior Member
  • *
  • Posts: 29
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #2 on: 2014-01-30, 10:02:57 »
Can't we update Kloxo_MR from Update Home because 2 of my VPS shows

Current Version:   6.5.0.f-2014011001
Latest Version:   6.5.0.f-2014011001

and

Current Version:   6.5.0.f-2013102801
Latest Version:   6.5.0.f-2013102801


and There's no update button ..

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #3 on: 2014-01-30, 10:05:22 »
Use SSH:
yum clean all;yum update;sh /script/cleanup
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #4 on: 2014-01-30, 10:11:39 »
They found more exploits.  What to do about hardlink protection?

This is all very big problem.

cron is not able to be used by clients?  I thought we could run cron under their username?

Hardlinks only affect if client able access to ssh and with this capability they can create php file inside /usr/local/lxcenter/kloxo/httpdocs. Without this capability, client able to running php and or perl via browser and or command-line.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline lupetalo

  • Senior Member
  • *
  • Posts: 182
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #5 on: 2014-01-30, 10:38:21 »
Quote
<php
symlink('/etc', '/home/user/etc');
?>
No ssh needed

Offline lupetalo

  • Senior Member
  • *
  • Posts: 182
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #6 on: 2014-01-30, 10:39:47 »
How to disable file manager?

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #7 on: 2014-01-30, 10:56:29 »
Yes, tested and confirmed filemanager is MAJOR exploit.  It runs as root!

Mustafa, follow steps to create a disaster!

Login panel as a client (test).  Filemanager, create new file.
exploit.php
Code: [Select]
<php
symlink('/etc', '/home/test/etc');
?>

Execute script in browser.  domain.com/exploit.php

KloxoMR filemanager, under test client/user 'etc' directory appears, click it takes me to real /etc/ directory.  Using filemanager I can now edit/delete ANY file in /etc directory.

NO SSH required.  This can be recreated with any file or directory!  THIS IS A MAJOR DISASTER WAITING TO HAPPEN!

Mustafa, all efforts must be made NOW to make filemanager run as client/user logged into KloxoMR NOT ROOT, this is a must!
« Last Edit: 2014-01-30, 11:09:19 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline lupetalo

  • Senior Member
  • *
  • Posts: 182
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #8 on: 2014-01-30, 11:10:00 »
Quick fix, how to disable filemanager, for now i stopped kloxo...

Offline lupetalo

  • Senior Member
  • *
  • Posts: 182
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #9 on: 2014-01-30, 11:12:30 »
i guess that php commands can be desabled, ln and symlink.

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #10 on: 2014-01-30, 11:22:56 »
Then you just use a perl script, or a Ruby app.  The problem is two fold.  Number one, we need to get filemanager to run as user/client.  Second, if not admin, DO NOT DISPLAY symbolic/hardlink directories.  No reason for a normal client to hardlink a directory.

Suggestion, for now, in filemanager disable showing ANY symbolic/hardlinks unless admin

Mustafa, please work on this without delay, we are all vulnerable! !!!
« Last Edit: 2014-01-30, 11:25:55 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #11 on: 2014-01-30, 11:26:06 »
@chrisf,

Are you sure about it?.

Let say, I have /home/admin/domain.com and then from filemanager I create exploit.php.

If I run 'http://domain.com/exploit.php' and then inside /home/admin already exist /etc symlink?.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #12 on: 2014-01-30, 11:30:55 »
I found error when running 'http://domain.com/exploit.php':
Code: [Select]
Warning: symlink() [function.symlink]: open_basedir restriction in effect. File(/etc) is not within the allowed path(s):
(/home/admin/:/tmp/:/usr/share/pear/:/var/lib/php/session/:/home/kloxo/httpd/script/:/home/kloxo/httpd/disable/)
in /home/admin/next.potissima.com/exploit.php on line 6

with modified exploit.php:
Code: [Select]
<?php

error_reporting
(E_ALL);
ini_set('display_errors'1);

symlink('/etc''/home/admin/etc');

?>
« Last Edit: 2014-01-30, 11:32:44 by MRatWork »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #13 on: 2014-01-30, 11:42:39 »
Yes, I too found that error, I had originally ran it from command-line and the php-fpm openbase dir was not in effect.  But, try this.

Filemanager, cgi-bin, create new file
exploit.pl
Code: [Select]
#!/usr/bin/perl -w

symlink("/etc", "/home/admin/etc");

Execute from browser,  follow above steps, exploit is realized.

And not so sure it is easy to not display hardlinks, possibly symlimks...

MOST IMPORTANT, remove root from filemanager.

Also, trick for quick fix, only display files owned by that user/client.  ;)
« Last Edit: 2014-01-30, 11:45:46 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #14 on: 2014-01-30, 11:45:59 »
@chrisf.

Who's able to access ssh?. You and who?.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

 


MRatWork Affiliates:    BIGRAF(R) Inc.    House of LMAR    EFARgrafix
Click Here

Page created in 0.096 seconds with 21 queries.

web stats analysis