bigAPE-Backup Component File Inclusion Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

User avatar
smart
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 109
Joined: Thu Aug 18, 2005 1:33 pm
Location: Sebastopol
Contact:

bigAPE-Backup Component File Inclusion Vulnerability

Postby smart » Mon Aug 21, 2006 11:04 am

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: bigAPE-Backup 1.x (component for Mambo)

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
mdx has discovered a vulnerability within bigAPE-Backup, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_babackup/classes/Tar.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability has been confirmed in version 1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Read more: http://secunia.com/advisories/21574/
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team

rswennen
Joomla! Apprentice
Joomla! Apprentice
Posts: 28
Joined: Sun Dec 04, 2005 9:02 am

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby rswennen » Fri Sep 01, 2006 11:35 am

smart wrote:
Solution:
Edit the source code to ensure that input is properly verified.



Hi does anybody know what code parts need to be edited ?

shumisha
Joomla! Guru
Joomla! Guru
Posts: 508
Joined: Sat Aug 20, 2005 3:15 pm
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby shumisha » Fri Sep 01, 2006 12:38 pm

This usage of mosConfig_absolute_path could be prevented by adding :

Code: Select all

/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

at the very top of each file. There are several of them not having this, and they should!

Confirmation from core or experienced developer is needed here though!

[EDIT] after checking more, only Tar.php needs this fix. Other files missing it do not require as they are only libraries and do not have directly executable code in them
Last edited by shumisha on Sat Sep 02, 2006 12:48 pm, edited 1 time in total.
See all about sh404sef and Josetta at https://weeblr.com
I don't reply to PM anymore. Thanks for using sh404SEF

User avatar
bigAPE
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Sat Mar 25, 2006 8:20 am
Location: Cornwall, UK
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby bigAPE » Mon Sep 04, 2006 3:35 pm

I have patched and attached the Tar.php file, it was obtained from a PHP resource (thought it was PEAR, but might be wrong). I'm not currently ready to release a new version of the bigAPE Backup as we are working on a v1.6 which will be released in the near future

Hope this resolves the issue
You do not have the required permissions to view the files attached to this post.
bigAPE Development Ltd | www.bigape.co.uk

User avatar
cmyksteve
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby cmyksteve » Sun Sep 10, 2006 1:07 am

Thanks bigAPE for a very usefull component. I unistalled this and others on the security risk list. Hopefully bigAPE-Backup gets the "Fixed" flag flying soon on the list- I'm ready to get away from my cPanel backups and re-install your patched component.
Steve

User avatar
bigAPE
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Sat Mar 25, 2006 8:20 am
Location: Cornwall, UK
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby bigAPE » Sun Sep 10, 2006 5:26 am

cmyksteve wrote:Thanks bigAPE for a very usefull component. I unistalled this and others on the security risk list. Hopefully bigAPE-Backup gets the "Fixed" flag flying soon on the list- I'm ready to get away from my cPanel backups and re-install your patched component.


Your very welcome. We are only sorry that our commercial projects have kept us away from our GPL CMS Components. We do have a new version almost ready to go. It includes much better Database Backup code and the ability to migrate content articles between Mambo/Joomla sites. It needs a further round of testing and updated documentation, but I feel we are close to releasing it for Beta.
Last edited by bigAPE on Sun Sep 10, 2006 5:28 am, edited 1 time in total.
bigAPE Development Ltd | www.bigape.co.uk

User avatar
cmyksteve
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby cmyksteve » Thu Sep 14, 2006 5:48 pm

Could someone from the Security Team please give us the thumbs up or down on the patch bigAPE has supplied for his backup component. As of 9.24.06, it's still number 6 on the RobS hit list  ;)
http://forum.joomla.org/index.php/topic,79477.0.html.
Last edited by cmyksteve on Mon Sep 25, 2006 3:51 am, edited 1 time in total.
Steve

User avatar
Lenn-art
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 215
Joined: Tue Dec 06, 2005 1:06 pm
Location: Woerden, NL
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby Lenn-art » Mon Sep 18, 2006 10:50 am

bigAPE wrote:
cmyksteve wrote:Thanks bigAPE for a very usefull component. I unistalled this and others on the security risk list. Hopefully bigAPE-Backup gets the "Fixed" flag flying soon on the list- I'm ready to get away from my cPanel backups and re-install your patched component.


Your very welcome. We are only sorry that our commercial projects have kept us away from our GPL CMS Components. We do have a new version almost ready to go. It includes much better Database Backup code and the ability to migrate content articles between Mambo/Joomla sites. It needs a further round of testing and updated documentation, but I feel we are close to releasing it for Beta.


Can you give us some kind of timeline (not that we will keep you at this timeline :) - but only for the idea).

User avatar
cmyksteve
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby cmyksteve » Sun Sep 24, 2006 2:39 am

Has anybody re-installed the bigAPE backup component since the security patch was released? Any security issues with it?
Steve

User avatar
cmyksteve
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby cmyksteve » Thu Oct 05, 2006 9:49 pm

Has anyone from the security team taken a look at the patch that bigAPE provided in this thread a few messages back?
I see a new vulnerability list has been posted in the forum and the bigAPE backup compenent is still listed but my guess is that his patch has been overlooked. I've gotten no replies from the PMs sent to smart or RobS concerning this component.
Steve

User avatar
ccondrup
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 219
Joined: Tue Aug 23, 2005 9:54 am
Location: Oslo

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby ccondrup » Wed Oct 18, 2006 6:52 am

Be sure to not leave generated archives (backups) on the server, read more here: http://dev.joomla.org/component/option, ... ,33/p,198/
Did you know there's a Joomla irc channel? Chat to Joomla people live 24/7 - Join #joomla on the Freenode network ( irc.freenode.net )

shumisha
Joomla! Guru
Joomla! Guru
Posts: 508
Joined: Sat Aug 20, 2005 3:15 pm
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby shumisha » Wed Oct 18, 2006 7:02 am

I have also PM Robs on this several weeks ago, with no response. Just wondering whether they think the patch is not enough!

[EDIT] I have just PMed Ron Liskey about this
Last edited by shumisha on Wed Oct 18, 2006 7:10 am, edited 1 time in total.
See all about sh404sef and Josetta at https://weeblr.com
I don't reply to PM anymore. Thanks for using sh404SEF

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby rliskey » Fri Oct 20, 2006 4:21 pm

The vulnerabilities list is updated with a link back to this topic.

User avatar
cmyksteve
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby cmyksteve » Fri Oct 20, 2006 4:47 pm

Thanks rliskey-

...for approving the security patch to the bigAPE Backup component. It's a great Joomla backup solution especially for those just learning about site maintenance.
Steve

ggouweloos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 217
Joined: Tue Sep 06, 2005 8:13 am

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby ggouweloos » Tue Dec 26, 2006 12:49 pm

The classes\PEAR.php file does not contain the lines

Code: Select all

/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


Is this safe?

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby rliskey » Mon Jan 08, 2007 5:37 am

Thanks rliskey-

...for approving the security patch to the bigAPE Backup component.


Please note that we CANNOT "approve" third party code. We are only collecting and passing on information as it is reported to us. Each site administrator is still responsible for deciding if third party code meets their particular site security requirements.

User avatar
bigAPE
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Sat Mar 25, 2006 8:20 am
Location: Cornwall, UK
Contact:

Re: bigAPE-Backup Component File Inclusion Vulnerability

Postby bigAPE » Mon Jan 29, 2007 5:48 pm

Thanks for all your comments guys, we have been swamped with work over the last two years and we are currently emigrating out to Melbourne, Australia. Our workload will relax within the next few weeks and we will have much more time to put into Joomla. Fear not, we have not forgotten you.

Al
bigAPE Development Ltd | www.bigape.co.uk


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 0 guests