From: "FDSE Update Notification" <notify@nickname.net>
X-Abuse-To: abuse@nickname.net
Subject: Genesis Web Authoring System security update

Hello,

A person told me about a security hole in Genesis today. The hole can be patched by a single settings change, or by downloading the latest version.

Description:

A weakness in the Genesis algorithm for delegating CGI privileges may allow a Genesis user without the "Allow CGI" privilege to author CGI files.

Systems Affected:

Any server running Genesis in which Genesis user accounts have been created without the "Allow CGI" privilege. All previous versions of Genesis have this weakness, even the 2.0 release from 1997.

This weakness can only be exploited by a person who already has a Genesis account. Outside visitors cannot exploit this. The danger would mostly come from people who have been given some authoring rights, but who cannot be trusted with full access. A web site that gives free non-CGI accounts to the public would be threatened by this.

Background:

When a file is requested from the web server, the web server can either return the file directly (as with .jpg or .html files), or pass the file through an interpreter (as with .pl or .php files). The web server decides whether to use an interpreter based on the file extension. Files that are passed through an interpreter can contain arbitrary commands, and so, as a precaution, Genesis allows a user to edit these interpreted files only when that user has the "Allow CGI" privilege.

The problem is that the Genesis list of interpreted file extensions may be less comprehensive than the web server's list. In particular, the php3 extension is not listed in the Genesis "CGI Types" System Setting, but on many Apache web servers, any file with the php3 extension will be processed by the PHP interpreter. That interpreter provides read/write access to much of the file system, beyond what Genesis may have delegated to the user.

In reflecting on this problem, it seems that it is not possible for Genesis to know about all possible file extensions that may be interpreted by various web server configurations. Thus, from now on, the approach will be for administrators to make an explicit list of known non-CGI extensions, and a list of known CGI extensions. Users will be able to modify *only* files with those extensions. The previous behavior was to allow non-CGI users the right to edit any file *except* those explicitly listed as CGI types.

Solution:

Patching this hole is a three-step process.

1. Log in to Genesis, go to "Main Page" and then "System Settings". Find the "Allow Only Known Types" setting and set it to 1. Or, upgrade to Genesis version 2.1.0.0014 (in which this setting is internally hardcoded to "1").

2. Review the "Known Types" System Setting and confirm that none of the file extensions listed there are being interpreted. The default Known Types list contains only extensions that are *usually* not interpreted; there is no way for Genesis to actually guarantee that they are safe. Some web servers might process .html files through the SSI parser, for example, or allow .js files to execute on the server side.

3. Review your users' existing files. If a user doesn't have the "Allow CGI" privilege, but does have suspicious files like .php3, then you should rename those files to safe extensions. The Genesis change in step 1 will prevent further authoring by that user, but won't remove the files themselves; you have to do that. If the user has files with safe but non-standard file extensions, then you will have to add those extensions to the "Known Types" System Setting.

If you would like more information, please contact me at zoltanm@xav.com or (360) 944-8387.

Download and information available at: http://www.xav.com/scripts/genesis/

Regards,
Zoltan Milosevic
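As an added illustration (not Genesis code), the denylist check Genesis used before the fix is shown beside the allowlist check that "Allow Only Known Types" enforces, together with the step 3 audit of a non-CGI user's existing files. The extension lists and filenames are constructed for the example, and checking every dotted suffix case-insensitively rather than only the last one is a defensive assumption, not something the advisory states.

```python
"""Allowlist vs denylist for file-extension authoring checks.

Old Genesis policy: deny only extensions listed as CGI types, so an unlisted
interpreted extension such as php3 slips through. New "Allow Only Known Types"
policy: permit only extensions explicitly listed as known non-CGI types.
The extension lists below are constructed for this example, not Genesis defaults.
"""
from __future__ import annotations

# Constructed sample settings (not the real Genesis defaults).
CGI_TYPES = {"pl", "cgi", "php"}  # "CGI Types": known to be interpreted
KNOWN_TYPES = {"html", "htm", "txt", "css", "jpg", "gif"}  # "Known Types": usually static


def extensions_of(filename: str) -> list[str]:
    """Return every dotted suffix, lowercased: 'a.php3.txt' -> ['php3', 'txt'].

    Checking all suffixes and ignoring case is a defensive assumption: some web
    servers map handlers on any extension in the name, not only the final one.
    """
    basename = filename.rsplit("/", 1)[-1].lower()
    return [p for p in basename.split(".")[1:] if p]


def may_edit_denylist(filename: str, allow_cgi: bool) -> bool:
    """Previous Genesis behaviour: everything is editable except listed CGI types."""
    if allow_cgi:
        return True
    return not any(ext in CGI_TYPES for ext in extensions_of(filename))


def may_edit_allowlist(filename: str, allow_cgi: bool) -> bool:
    """Allow Only Known Types behaviour: only listed non-CGI extensions are editable."""
    if allow_cgi:
        return True
    exts = extensions_of(filename)
    return bool(exts) and all(ext in KNOWN_TYPES for ext in exts)


def audit_existing_files(filenames: list[str]) -> list[str]:
    """Step 3 of the fix: files of a non-CGI user that the allowlist would now reject."""
    return [f for f in filenames if not may_edit_allowlist(f, allow_cgi=False)]


if __name__ == "__main__":
    for name in ["index.html", "page.php3", "notes.PHP3", "img.php3.jpg", "Makefile"]:
        print(f"{name:14} denylist={may_edit_denylist(name, False)!s:5} "
              f"allowlist={may_edit_allowlist(name, False)}")
```

Running it shows php3 (in any case, and in any position in the name) passing the old denylist but failing the allowlist, while a file with no extension at all is also rejected by the allowlist.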