Author Topic: Signup2 Fix  (Read 1584 times)

Offline CodeALot

Signup2 Fix
« on: March 26, 2017, 09:24:29 PM »
Since I can't ask anything in the announcement group, it has to be here:

Is the SQL-problem-fix for signup2.php for ALL versions of WB?

Offline Hans

Re: Signup2 Fix
« Reply #1 on: March 26, 2017, 10:31:19 PM »
Yes it is; cited:
Quote
That SQL Injection vulnerability is present in all WB Versions including 2.10.0.
It allows privilege escalation as well as a complete overtaking of the whole database and the server possibly too.

WebsiteBaker 2.10.0:
*** We strongly recommend to exchange the file /wb/account/signup2.php as soon as possible. ***

Take care: All of the versions of WB are prone to attacks!! It is your own decision only to get a secure system!
You can get the new, fixed version of this file from our Repository or the download link below.

Downloads from any other sources are not official WebsiteBaker downloads and should be treated carefully. We cannot promise 'fault free' work for them!

have fun with WebsiteBaker,

Manuela
Hans - Nijmegen - The Netherlands

Offline CodeALot

Re: Signup2 Fix
« Reply #2 on: March 26, 2017, 10:40:22 PM »
Hans,

In your quote it says:
 
Quote
That SQL Injection vulnerability is present in all WB Versions including 2.10.0.
It allows privilege escalation as well as a complete overtaking of the whole database and the server possibly too.

WebsiteBaker 2.10.0:
*** We strongly recommend to exchange the file /wb/account/signup2.php as soon as possible. ***

Which leads me to believe the fix is for 2.10.0 only...
 
Also: does the vulnerability also apply if you don't have a 'signup'-function ACTIVE in your WB installation?
 
Questions, questions... :)

Offline Ruud

Re: Signup2 Fix
« Reply #3 on: March 26, 2017, 11:05:11 PM »
Looking at the code this fix might work for all versions from WB283-SP3 and up. (versions that are using the mysqli database functions)

If you do not use the signup functionality you should be safe. This code is included only when the frontend-signup functionality is enabled and cannot be called as a "stand-alone" script. You could also just remove the signup2.php file (just to be sure).

edit by Darkviper
« Last Edit: March 26, 2017, 11:39:13 PM by DarkViper »

Offline DarkViper

  • Forum administrator
  • *****
  • Posts: 2986
  • Gender: Female
Re: Signup2 Fix
« Reply #4 on: March 26, 2017, 11:31:45 PM »
Quote
Which leads me to believe the fix is for 2.10.0 only...
Also: does the vulnerability also apply if you don't have a 'signup'-function ACTIVE in your WB installation?
1.) The fix is made for 2.10.0 only. It is not recommended to use it in earlier versions!
Why not for ALL 2.8.3 versions?
From SP to SP we had fixed lots of vulnerabilities. That's why I warned against the use of all versions less than 2.10. Fixing the last vulnerability does not fix all other problems too. If I publish all files with the fixes since 2.8.3 ... you have a 2.10 ;-)

2.) Even if 'signup' is not activated, the functionality can still be called by direct link. This has been a problem in WB and all its forks from the beginning: almost all functions are called by deep links, and it is nearly impossible to completely secure each one individually. (failure by design)
Remember: WB is Open Source. Anyone can get the WB code and explore it for back doors!

Manuela
« Last Edit: March 26, 2017, 11:40:33 PM by DarkViper »
The blue planet - it is not our property - we have only borrowed it from our descendants

"You have to take the men as they are… but you can not leave them like that !" :-P
The daily prayer: Oh Lord, throw them brains from heaven!

Offline CodeALot

Re: Signup2 Fix
« Reply #5 on: March 27, 2017, 12:19:16 AM »
Thanks for the warnings and for helping us keep our WB's safe :)

Offline sky writer

Re: Signup2 Fix
« Reply #6 on: March 27, 2017, 02:42:59 AM »
Thank you for the clarification Dark Viper, and for asking the question CodeALot.

Here is a situation I have encountered with a couple of clients. I was contracted to build websites for them way back when WB 2.8.1 was new, and they have managed their sites ever since. As a courtesy I contact these clients with upgrade information (especially the latest security threats) and offer my advice and services to do the upgrades for them. They have always decided not to hire me and remain on WB 2.8.1. They are of the mind that the site works, so why put more money into it. I can't force them to pay me to keep their installation safe. I provide links to the threats and WB Forum follow-up info, in hopes of educating them, but I have my doubts if they ever click the links.

My general question is, do any other designers/developers encounter this kind of scenario, and if so, how do you handle it? Specifically, when they continue to hire you to do work on their outdated and insecure site. I have thought about saying "I will not do any further design/development work on the site until you upgrade to the latest WB version", but I fear they will just stop contacting me altogether.

More specific to this topic, since these two sites do not use the frontend sign-up functionality, will this particular vulnerability be removed if I simply delete the signup2.php file, as suggested by Ruud?  I know that all the other security vulnerabilities (fixed in 2.10.0) will remain, but I might have luck getting these stingy clients to pay for me to do a really quick fix like this and make their site a small amount more secure.

Offline Boudi

  • Global Moderator
Re: Signup2 Fix
« Reply #7 on: March 27, 2017, 09:13:19 AM »
Quote
    Looking at the code this fix might work for all versions from WB283-SP3 and up. (versions that are using the mysqli database functions)

I had 2 hacks on a 2.83 sp1 and 1 hack on 2.82 Rev. 1506.

Quote
If you do not use the signup functionality you should be safe. This code is included only when the frontend-signup functionality is enabled


Is that so? On all 3 hacks this function was disabled. (Or if I have to disable things in the Admin, then let me know.)

It's good to know what I should do, since I have hundreds of active WB sites online right now. Before making this week a patch week, please let me know what to do. Do I have to change these files on ALL domains?


Boudi

« Last Edit: March 27, 2017, 12:22:58 PM by jacobi22 »
...:: Bake the Unbakable ::...

Offline CodeALot

Quote
My general question is, do any other designers/developers encounter this kind of scenario, and if so, how do you handle it? Specifically, when they continue to hire you to do work on their outdated and insecure site. I have thought about saying "I will not do any further design/development work on the site until you upgrade to the latest WB version", but I fear they will just stop contacting me altogether.

My advice to you would be to inform them 'formally' that the CMS they're using requires a security update and that you can't be held responsible if something goes wrong after they choose not to let you do the update.

Offline jacobi22

Re: Signup2 Fix
« Reply #9 on: March 27, 2017, 12:24:24 PM »
Quote
If you do not use the signup functionality you should be safe. This code is included only when the frontend-signup functionality is enabled


Is that so?

No, it isn't!!!

see
Quote from: Darkviper
Even if 'signup' is not activated, the functionality still can be called by direct link.
Problems are there to be solved, not to look for excuses.

Online hgs

  • Betatester
Re: Signup2 Fix
« Reply #10 on: March 27, 2017, 12:28:19 PM »
Regards, Harald

"Never start to stop - never stop to start." Marcus Tullius Cicero (106-43 BC)

Offline CodeALot

Re: Signup2 Fix
« Reply #11 on: March 27, 2017, 12:43:39 PM »
Quote
and read this
http://forum.WebsiteBaker.org/index.php/topic,30187.0.html

Yes. We know. That's why this topic was made. Thanks anyway.

Offline DarkViper

  • Forum administrator
Re: Signup2 Fix
« Reply #12 on: March 27, 2017, 01:19:10 PM »
@Boudi

Last night I committed a second file (/account/signup.php) which no longer allows signup if 'FRONTEND_SIGNUP' is disabled.
I updated the post "Warning: SQL Injection vulnerability" to publish this additional fix, as well as (/account/signup2.php) again.

So newer versions (2.8.3-SP6 to 2.10.0) should be secure with both of these patched files.
Older versions.. :| ... I just checked back to 2.8.1. It makes use of the old, sometimes a bit strange and confusing "add_slashes()/strip_slashes()" style. But signup should be nearly ok.
Note: Old versions before 2.8.3, according to today's knowledge, have incredibly many security gaps, which are largely 'very critical'.

Summary: from 2.8.3-SP6 and up it's easy to patch: login -> upload both of these files -> logout... finished.
Versions before... ok, you can try to fix this one hole. But a hundred other holes still remain open.  :|

About more 'short fixes' I don't know yet...   
Manuela
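A defender's sketch of the two measures discussed in this thread: refusing the handler when FRONTEND_SIGNUP is disabled (so a deep link to the script does nothing) and binding user input instead of splicing it into the SQL string. This is an added illustration, not WebsiteBaker's own signup.php or signup2.php; it assumes a mysqli connection in $db, a users table with the columns shown, and a defined FRONTEND_SIGNUP constant, all of which are placeholders.

```php
<?php
// Added example (not WebsiteBaker code). Assumptions: $db is a mysqli
// connection, FRONTEND_SIGNUP is the site's feature flag, and the table
// "users" with columns user_id/username/email/password/group_id is made up.

// 1. Gate on the feature flag first. Since WB functions are reachable by
//    direct link, the check must live in the handler itself, not only in
//    the page that links to it.
if (!defined('FRONTEND_SIGNUP') || !FRONTEND_SIGNUP) {
    http_response_code(403);
    exit('Signup is disabled.');
}

// 2. Validate the shape of the input before it goes near the database.
$username = trim((string)($_POST['username'] ?? ''));
$email    = trim((string)($_POST['email'] ?? ''));
if (!preg_match('/^[a-z0-9_-]{2,32}$/i', $username)
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid username or email.');
}

// 3. Prepared statement: the values travel as bound parameters, never as
//    part of the SQL text, so quotes or comment sequences in the input
//    cannot alter the query (the bug class the signup2.php fix addresses).
$stmt = $db->prepare('SELECT user_id FROM users WHERE username = ? OR email = ?');
$stmt->bind_param('ss', $username, $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
    http_response_code(409);
    exit('Username or email already registered.');
}
$stmt->close();

// 4. Insert with a bound, hashed password. The group id is a fixed
//    server-side value, never taken from the request, so a tampered form
//    field cannot assign a privileged group (the escalation the thread warns about).
$generated = bin2hex(random_bytes(12));  // would be mailed to the user in a real flow
$hash      = password_hash($generated, PASSWORD_DEFAULT);
$groupId   = 2;                          // placeholder id of the "registered users" group
$stmt = $db->prepare('INSERT INTO users (username, email, password, group_id) VALUES (?, ?, ?, ?)');
$stmt->bind_param('sssi', $username, $email, $hash, $groupId);
$stmt->execute();
$stmt->close();
```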

Offline Hans

Re: Signup2 Fix
« Reply #13 on: March 28, 2017, 11:02:32 PM »
Thanks for making things clear, and thanks to the other bakers for giving a reason to do that.
Excuse me for not giving the correct interpretation.
Hans - Nijmegen - The Netherlands

Offline moboter

Re: Signup2 Fix
« Reply #14 on: June 30, 2017, 02:54:06 PM »
Hello Team

The security announcement states that 2 files need to be replaced, signup.php and signup2.php. However, the links provided in the announcement don't work.
Currently version 2.10.0 is installed. How can I check if I need to change anything, and from where can I download the files?

Regards
Gerhard

Offline jacobi22

Re: Signup2 Fix
« Reply #15 on: June 30, 2017, 03:09:38 PM »
Quote
Currently Version 2.10.0 is installed How can I check if I need to change anything
The current download package has the latest version of these files; no further action needed.


Separate download of this fix: see attachment

unpack the ZIP and overwrite both files in /account


Admin Edit: removed attachment, no longer needed and makes trouble in the next versions if somebody overwrites newer files
« Last Edit: September 15, 2017, 12:05:50 AM by jacobi22 »

Offline moboter

Re: Signup2 Fix
« Reply #16 on: June 30, 2017, 03:43:03 PM »
Thank you very much