[dokuwiki] State of the bugtracker

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
  • Date: Sun, 23 Aug 2009 20:38:42 +0200

[long mail ahead - for PHP coders only]

Hi,

as you know, the bug tracker is currently disabled for security
reasons. I like Flyspray way better than any other bug tracker I know
of and personally would love to continue using it.

Unfortunately, nobody has been able to clearly locate the problem yet. I know
that there are quite a few good PHP coders here, so I'm asking you to
help out by doing a code audit of Flyspray.

Let me start with what I know...

On Friday I was informed by the project lead of ArchLinux that someone
had broken into their server exploiting some unknown problem in
Flyspray. He knew we're running Flyspray as well, so he let me know
before we could be hit as well.

Unfortunately very few traces were left behind by the attacker.

The attacker was able to place files on the server and execute them.
The ArchLinux guys became aware of it because there was a notification
sent out for a new task named

FS#15997: <{${eval($_REQUEST[xxx])}{exit}}>

This seems to be an attempt to inject malicious PHP code through
Flyspray's templating system. If it had worked, the script
should have stopped before sending the notification (because of the
exit call), so we assume the task name above is actually a failed
attempt, shortly before the successful breach. I also tried to create
a task like that, which works but isn't executed or anything -
exactly as one should expect.

Based on this initial hint, I had a very deep look at how Flyspray's
template parser works. There is an eval at the very end that looks
very scary but in fact seems not to be a problem at all. At least I
couldn't find any way to exploit that.

The parser simply splits a template into several chunks (PHP code
blocks and text blocks). In the text blocks all template syntax is
replaced by equivalent PHP code (echos and some escaping, basically).
No value replacement is done inside the parser, so I see no way that
user input could leak out of variables and be parsed (which would be
needed for the task subject mentioned above to be dangerous).

It might be that I overlooked something in the template parser, but it
could also be that the breach happens in some completely different
place.

From the ArchLinux access logs we assume that the breach happened with
an authenticated user (there is a call to login first), sometime
during the newtask action.

I talked to the ArchLinux server admin and one of the Flyspray
developers. So far we have no idea where the problem is. I also looked
for any 0day exploits at the usual places on the net but didn't see
anything mentioned.

So we know there is a problem in Flyspray, but we don't know where. If
you want to help the Flyspray devs, the ArchLinux guys (who are
looking for alternatives without luck so far) and last but not least,
the DokuWiki community: please have a look at the Flyspray code
(Release 0.9.9.6) and try to break it.

Hopefully we can solve this together.

Andi

-- 
splitbrain.org
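To make the point about the parser concrete, here is an added illustration (my own sketch, not Flyspray's code): a minimal "compile template to PHP, then eval" engine of the kind described above, where template markup is turned into echo statements once and runtime values such as a task summary are only ever echoed, never re-parsed. The `{name}` placeholder syntax and the function names are assumptions for the example; the task summary string is the one from the ArchLinux notification.

```php
<?php
// Added illustration, not Flyspray's code: the template author's markup is
// compiled to PHP; user-supplied values stay in $vars and are only echoed.

function compileTemplate(string $tpl): string
{
    $code = '';
    // split the text block into literal runs and {name} placeholders
    $pieces = preg_split('/\{(\w+)\}/', $tpl, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($pieces as $i => $piece) {
        if ($i % 2 === 1) {
            // placeholder: emit an escaped echo of the variable, referenced by
            // name only; the value itself never appears in the generated code
            $code .= "echo htmlspecialchars(\$vars['$piece'], ENT_QUOTES, 'UTF-8');\n";
        } elseif ($piece !== '') {
            // literal template text: var_export() yields a safe quoted PHP string
            $code .= 'echo ' . var_export($piece, true) . ";\n";
        }
    }
    return $code;
}

function renderTemplate(string $tpl, array $vars): string
{
    $code = compileTemplate($tpl); // contains variable names, not user data
    ob_start();
    eval($code);                   // $vars is in scope; its values are data
    return ob_get_clean();
}

// Constructed check with the task summary from the ArchLinux notification:
// the braces must come out as escaped text, with nothing interpolated or run
// (if the payload had been evaluated, the exit inside it would end the script).
function taskSummaryStaysInert(): bool
{
    $summary  = '<{${eval($_REQUEST[xxx])}{exit}}>';
    $rendered = renderTemplate("New task: {summary}\n", ['summary' => $summary]);
    $expected = 'New task: ' . htmlspecialchars($summary, ENT_QUOTES, 'UTF-8') . "\n";
    return $rendered === $expected;
}

echo taskSummaryStaysInert() ? "summary rendered as inert text\n" : "UNEXPECTED\n";
```

The danger Andi is probing for would only arise if a value were pasted into the code string before the eval (for example into a double-quoted PHP string), which is exactly what a compile-once design avoids.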
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist