Elxis CMS Forum

Support => Security => Topic started by: CREATIVE Options on April 14, 2007, 13:03:00

Title: [No] Possible security open?
Post by: CREATIVE Options on April 14, 2007, 13:03:00
During a security check of an Elxis installation I found a possible threat of script source code disclosure.

I hope the information I am attaching will help with the better protection of FLV files in the next version of Elxis, if the Elxis team finds this issue important.


I looked up the problem in the sample.flv file, and here is the information.

Vulnerability description
--------------------------------------
It is possible to read the source code of this script by using the script filename as a parameter. It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.
This vulnerability affects /images/videos/sample.flv.

The impact of this vulnerability
---------------------------------------
An attacker can gather sensitive information (database connection strings, application logic) by analyzing the source code?

Attack details
------------------------------------------
The Cookie variable PHPSESSID=46146d433cbaff28da04d22398e838c0; elxis_lang has been set to sample.flv.

HTTP headers
---------------------------------------------
Code:
Request
GET /images/videos/sample.flv HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Cookie: PHPSESSID=46146d433cbaff28da04d22398e838c0;elxis_lang=sample.flv;cc306854ba46a50d3b920ddc39552c9a=485999da7c08bfc74bb5e7b5f8270e76;mosvisitor=1;elxis_alang=english;3ac5c2784a2efc15c9f8dc3f61046926=f169261ef1fb5cf22c8c5ab32da17930;__utma=177195445%2E1003549409%2E1176487663%2E1176487663%2E1176487663%2E1;%20path=%2F;%20expires=Fri%2C%2013%20Apr%202007%2018%3A37%3A02%20UTC;%20domain=acunetix%2Ecom;=111-222-1933email@address.com;__utmb=177195445;__utmc=177195445;__utmz=177195445%2E1176487623%2E1%2E1%2Eutmccn%3D%28direct%29%7Cutmcsr%3D%28direct%29%7Cutmcmd%3D%28none%29;%20%20expires=Sat%2C%2013%20Oct%202007%2006%3A07%3A02%20UTC
Connection: Close
Pragma: no-cache

Response
-------------------------------------------
Code:
HTTP/1.1 200 OK
Date: Fri, 13 Apr 2007 21:45:01 GMT
Server
Last-Modified: Fri, 08 Dec 2006 22:52:36 GMT
ETag: "3dc2c8-450ad-4579ecb4"
Accept-Ranges: bytes
Content-Length: 282797
Connection: close
Content-Type: text/plain

HTML Response
-----------------------------------------------------
All the flv code.
Take a look at the following file for the HTML response.



[old attachment deleted by admin]
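A way to triage a finding like the one above before reporting it, as an added example that is not part of the original post and not Elxis code. The scanner's heuristic fires when a parameter or cookie is set to a filename and the 200 response comes back as text/plain. A practitioner checks two things: whether the injected value changed the response at all (compare against a baseline request without it), and whether the body is script source (a `<?php` tag) rather than the file's own bytes (an FLV file starts with `FLV\x01`). The raw responses below are constructed stand-ins modelled on the thread's header capture, not the deleted attachment, and the helper names are this example's own.

```python
"""Offline triage of a scanner's "script source code disclosure" finding.

Added example; not code from the forum thread or the Elxis project.
A finding like the one above is only real if the injected value
(elxis_lang=sample.flv) actually changed the response AND the body is
script source rather than the static file's own bytes.  Everything below
is constructed: header lines modelled on the thread's capture, a stub FLV
body, and hypothetical helper names.
"""
import re
from dataclasses import dataclass, field

FLV_MAGIC = b"FLV\x01"                    # first four bytes of an FLV file
PHP_TAG = re.compile(rb"<\?php\b|<\?=")   # what a leaked PHP include() would show


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> Response:
    """Parse a raw HTTP/1.x response as a proxy or scanner captures it.
    A header line with no colon (the thread's bare 'Server' line) is kept
    with an empty value instead of aborting the parse."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def content_type(resp: Response) -> str:
    return resp.headers.get("content-type", "").split(";")[0].strip().lower()


def injected_value_matters(baseline: Response, tampered: Response) -> bool:
    """False when the tampered request got byte-identical output: then the
    cookie never reached an include() and the scanner matched on nothing."""
    return (baseline.status, baseline.body) != (tampered.status, tampered.body)


def looks_like_script_source(body: bytes) -> bool:
    return PHP_TAG.search(body) is not None


def mime_mismatch(resp: Response) -> bool:
    """A real FLV delivered as text/*: a server MIME config nit, which is
    what made the scanner show video bytes as 'source'. Not disclosure."""
    return resp.body.startswith(FLV_MAGIC) and content_type(resp).startswith("text/")


def triage(baseline: Response, tampered: Response) -> str:
    if not injected_value_matters(baseline, tampered):
        return "false-positive"   # same bytes with and without the injection
    if looks_like_script_source(tampered.body) and not looks_like_script_source(baseline.body):
        return "confirmed"        # injection turned a normal page into PHP source
    return "inconclusive"         # response changed; look at it by hand


def _raw(body: bytes, ctype: bytes = b"text/plain") -> bytes:
    """Constructed response with headers modelled on the thread's capture."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Date: Fri, 13 Apr 2007 21:45:01 GMT\r\n"
            b"Server\r\n"
            b"Accept-Ranges: bytes\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n"
            b"Content-Type: " + ctype + b"\r\n"
            b"\r\n" + body)


# Constructed FLV header (signature, version 1, flags, header size 9) plus padding.
FLV_STUB = FLV_MAGIC + b"\x05\x00\x00\x00\x09" + b"\x00" * 27
HTML_PAGE = b"<html><body>Hello</body></html>"


def thread_like_case():
    """Same bytes with and without elxis_lang=sample.flv: the cookie is ignored."""
    return parse_response(_raw(FLV_STUB)), parse_response(_raw(FLV_STUB))


def real_disclosure_case():
    """What a genuine include() bug would return (constructed, not Elxis)."""
    leaked = b"<?php $db_pass = 'constructed'; include($_COOKIE['elxis_lang']); ?>"
    return parse_response(_raw(HTML_PAGE, b"text/html")), parse_response(_raw(leaked, b"text/html"))


def changed_but_no_source_case():
    """Response changed but shows no source: needs a human, not a ticket."""
    errored = b"<html><body>Warning: unknown language</body></html>"
    return parse_response(_raw(HTML_PAGE, b"text/html")), parse_response(_raw(errored, b"text/html"))


if __name__ == "__main__":
    for name, case in (("thread", thread_like_case), ("real", real_disclosure_case),
                       ("changed", changed_but_no_source_case)):
        base, tamp = case()
        print(name, triage(base, tamp), "(mime mismatch)" if mime_mismatch(tamp) else "")
```

For the thread's situation the verdict is false-positive with the MIME mismatch flagged, and that flag is the one thing still worth changing: serve .flv as video/x-flv (on Apache an AddType line, which is an assumption about the server since the capture's Server header is blank) so browsers and scanners stop treating the video as text.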
Title: Re: Possible security open?
Post by: datahell on April 14, 2007, 17:38:03
I don't understand where the security alert is.

You downloaded an FLV file (which is a video file) and gave it the extension .txt. OK, so? You can do the same with any video, or image, or any file. Where is the security alert? (Note: PHP, ASP, JSP and all server-side programming language files get parsed by the web server, so you always get HTML, not the source code.) You modified the cookie. So? You can modify, delete or set any cookie on any site. Cookies are stored in your browser, not on the server. The FLV player allows you to open only FLV files.

Let's do the opposite now.
If you create a PHP file with an .flv extension, the FLV player will try to play it, but it won't play (the same can be done with a PHP file renamed to .mpeg and Windows Media Player). Flash is not a PHP parser. So? You just wrote a PHP file with an .flv extension which cannot be executed from anywhere. Not even from your local PC.

Tell me if I am wrong.
Title: Re: Possible security open?
Post by: CREATIVE Options on April 15, 2007, 23:44:40
First of all, I didn’t download the FLV file and give it the .txt extension; as I said, the code inside the txt file was the HTML response! I gave the HTML response in the forum inside a txt file because I didn’t want to fill my post with hundreds of lines of code.

What I am saying is that the FLV files aren’t very secure (in my opinion), because if you edit your cookie (anyone who wants to harm you can do it) you can get the hex code of your FLV file.

I am not saying that the Elxis is not secure, just that the FLV file is (in my opinion).

And something else, for everyone who wants to feel secure: keep an eye on the new releases of the server programs. It isn’t bad to send the administrator emails or give him a call to get him to perform the necessary updates sooner. Sit on the administrator’s neck if you can :)


Elxis FAN.
Title: Re: Possible security open?
Post by: datahell on April 16, 2007, 18:13:50
OK, Niko, but it is not a bug or even a security alert. It is no good to upset users when a problem doesn't really exist. You cannot execute code via an FLV file. If you want to see your server's headers inside any file you can also play with your web server's MIME types. Set Apache to treat FLV files as PHP files and then Apache will think that they are PHP files and try to parse them. But they won't be parsed, due to the thousands of fatal errors that will occur.

So, the FLV files and the flv player are totally safe for use.
Title: Re: [No] Possible security open?
Post by: CREATIVE Options on April 16, 2007, 18:31:56
datahell, I don't want to upset any user of Elxis, or even any user of FLV files.
I just posted my opinion, and if you look at the subject of my main post, I put a question mark (?), not an exclamation mark (!).

And everything I post is always ONLY my opinion.

By the way, thank you for taking the time to reply to my post.