
From: "FDSE Update Notification" <notify@nickname.net>
X-Abuse-To: abuse@nickname.net
Subject: Genesis Web Authoring System security update

Hello,

A person told me about a security hole in Genesis today.  The hole can be patched by a single settings change, or by downloading the latest version.


Description:

    A weakness in the Genesis algorithm for delegating CGI privileges may
    allow a Genesis user without the "Allow CGI" privilege to author CGI
    files.


Systems Affected:

    Any server running Genesis in which Genesis user accounts have been
    created without the "Allow CGI" privilege.

    All previous versions of Genesis have this weakness, even the 2.0
    release from 1997.

    This weakness can only be exploited by a person who already has a
    Genesis account.  Outside visitors cannot exploit this.

    The danger would mostly come from people who have been given some
    authoring rights, but who cannot be trusted with full access.  A web site
    that gives free non-CGI accounts to the public would be threatened by
    this.


Background:

    When a file is requested from the web server, the web server can either
    return the file directly (as with .jpg or .html files), or pass the file
    through an interpreter (as with .pl or .php files).  The web server
    decides whether to use an interpreter based on the file name's extension
    (in Apache, through the AddType and AddHandler directives).  Files that
    are passed through an interpreter can contain arbitrary commands, which
    run with the web server's privileges, and so, as a precaution, Genesis
    allows a user to edit these interpreted files only when that user has
    the "Allow CGI" privilege.

    The problem is that the Genesis list of interpreted file extensions may
    be less comprehensive than the web server's list.  In particular, the php3
    extension is not listed in the Genesis "CGI Types" System Setting, but on
    many Apache web servers, any file with the php3 extension will be
    processed by the php interpreter.  A script run by that interpreter acts
    with the web server's privileges and so has read/write access to much of
    the file system, far beyond the directories Genesis delegated to the
    user.

    In reflecting on this problem, it seems that it is not possible for
    Genesis to know about all possible file extensions that may be
    interpreted by various web server configurations, so any list of
    forbidden extensions will eventually be incomplete.  Thus, from now on,
    the approach will be for administrators to make an explicit list of known
    non-CGI extensions, and a list of known CGI extensions.  Users will be
    able to modify *only* files with those extensions; a file whose extension
    is on neither list cannot be edited by anyone.  The previous behavior was
    to allow non-CGI users the right to edit any file *except* those
    explicitly listed as CGI types, so an interpreted extension that was
    missing from that list, like php3, was treated as safe.


Solution:

Patching this hole is a three-step process.

1.  Log in to Genesis, go to "Main Page" and then "System Settings".  Find
    the "Allow Only Known Types" setting and set it to 1.  Or, upgrade to
    Genesis version 2.1.0.0014 (in which this setting is internally hardcoded
    to "1").

2.  Review the "Known Types" System Setting and confirm that none of the file
    extensions listed there are being interpreted.  The default Known Types
    list contains only extensions that are *usually* not interpreted; there
    is no way for Genesis to actually guarantee that they are safe.  Some web
    servers might process .html files through the SSI parser, for example, or
    allow .js files to execute on the server side.

3.  Review your users' existing files.  If a user doesn't have the "Allow
    CGI" privilege, but does have suspicious files like .php3, then you
    should rename those files to safe extensions.  The Genesis change in step
    1 will prevent further authoring by that user, but won't remove the files
    themselves, and the web server will keep interpreting them until you
    rename or delete them.  If the user has files with safe but non-standard
    file extensions, then you will have to add those extensions to the
    "Known Types" System Setting before the user can edit them again.
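The policy change described under Background, and the file review that step 3 asks for, modelled as an added example in Python.  This is not code from Genesis or from xav.com; it reproduces the deny-list check the advisory says the old versions used and the allow-list check the patched setting enforces, then sorts a user's existing files into what the administrator must do with them.  The System Setting names ("CGI Types", "Known Types", "Allow Only Known Types", "Allow CGI") are the advisory's; the list contents, the function names, the `server_interpreted` set and the sample file names are assumptions made for this example.

```python
"""Added example, not code from Genesis or from xav.com.

Models the authoring check the advisory describes, old behaviour beside
patched behaviour, and the step 3 audit of a user's existing files.  The
System Setting names are the advisory's; list contents, function names and
sample file names are assumptions made for this example.
"""
import os

# Assumed contents of the two System Settings.  As in the advisory, php3 is
# absent from CGI Types, which is the whole problem.
CGI_TYPES = {"cgi", "pl", "php"}
KNOWN_TYPES = {"html", "htm", "txt", "jpg", "gif", "css"}


def extension(filename):
    """Final extension of a file name, lower-cased; '' when there is none.

    Lower-casing matters because Apache matches handler extensions
    case-insensitively, so "notes.PHP3" is still handed to the interpreter.
    """
    base = os.path.basename(filename)
    if "." not in base.lstrip("."):      # ".htaccess" has no extension
        return ""
    return base.rsplit(".", 1)[1].lower()


def may_edit(filename, allow_cgi, allow_only_known_types=1,
             cgi_types=CGI_TYPES, known_types=KNOWN_TYPES):
    """Whether a user may author `filename` under the given settings.

    allow_only_known_types=0 is the pre-advisory deny list: a non-CGI user
    may edit anything *except* CGI Types, so an interpreted extension that is
    missing from that list (php3) slips through.  (CGI users are assumed to
    have been allowed everything.)
    allow_only_known_types=1 is the patched allow list: a non-CGI user may
    edit *only* Known Types, and a CGI user only Known Types plus CGI Types.
    """
    ext = extension(filename)
    if not allow_only_known_types:
        return True if allow_cgi else ext not in cgi_types
    if allow_cgi:
        return ext in known_types or ext in cgi_types
    return ext in known_types


def classify_existing_files(paths, allow_cgi, server_interpreted,
                            cgi_types=CGI_TYPES, known_types=KNOWN_TYPES):
    """Step 3 of the advisory: sort one user's existing files by the action
    the administrator must take once "Allow Only Known Types" is on.

    `server_interpreted` is the set of extensions the web server really hands
    to an interpreter, taken from the server's own configuration (Apache
    AddType/AddHandler lines); it is the list Genesis cannot know.
    """
    result = {"rename": [], "add_to_cgi_types": [],
              "add_to_known_types": [], "ok": []}
    for path in paths:
        ext = extension(path)
        interpreted = ext in server_interpreted or ext in cgi_types
        if interpreted and not allow_cgi:
            key = "rename"                  # the user should not have this
        elif interpreted:
            # CGI user: legitimate file; it must be listed to stay editable.
            key = "ok" if ext in cgi_types else "add_to_cgi_types"
        elif ext in known_types:
            key = "ok"
        else:
            key = "add_to_known_types"      # safe but non-standard extension
        result[key].append(path)
    return result


def demo():
    """Constructed sample: files of one non-CGI user on an Apache server that
    runs .php and .php3 through PHP and .pl/.cgi through a CGI handler."""
    server_interpreted = {"php", "php3", "pl", "cgi"}
    user_files = ["index.html", "logo.gif", "shell.php3", "notes.PHP3",
                  "data.csv"]
    return classify_existing_files(user_files, allow_cgi=False,
                                   server_interpreted=server_interpreted)


if __name__ == "__main__":
    # The old deny list lets a non-CGI user write shell.php3; the allow list does not.
    print(may_edit("shell.php3", allow_cgi=False, allow_only_known_types=0))  # True
    print(may_edit("shell.php3", allow_cgi=False, allow_only_known_types=1))  # False
    for action, files in demo().items():
        print(action, files)
```

The `server_interpreted` set is the one input that has to come from outside Genesis: read it from the web server's configuration, not from the "CGI Types" setting, or the audit inherits the same blind spot the advisory describes.  Extensions are compared after lower-casing because Apache's handler matching is case-insensitive, so a file named `notes.PHP3` is just as interpreted as `shell.php3`.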

If you would like more information, please contact me at zoltanm@xav.com or
(360) 944-8387.

Download and information available at:
    http://www.xav.com/scripts/genesis/

Regards,
Zoltan Milosevic
