2010/12/22 7:00:45
The XSS Security Issue - How much of a risk is it in real terms?

The security issue identified with versions prior to 1.2.4 I have Googled and read about on several sites (http://seclists.org/bugtraq/2010/Dec/213 , http://www.htbridge.ch/advisory/xss_vulnerability_in_impresscms.html).

However, I'm still unclear as to how this exploit can be achieved. I gather admin user access is needed to do the attack. If anyone other than the site admin has gained admin rights, is it not fair to say your site is already hacked and they can do pretty much what they want? If so, why would they want to do this XSS attack? Or have I misunderstood?

What I'm getting at is how necessary is the upgrade in real terms? I know the official guidance is to upgrade straight away, but how much of a risk is this in real terms? Can my site, sat out on the Internet with no users logged in, realistically be attacked using this technique if: a) Protector module installed b) A good long admin password is in use c) https used on all pages by default etc etc?

(I only ask because something went wrong with my site last time, and a test on a beta site the other week from 1.2.2 to 1.2.3 reported a problem at the database update stage)

Ted
2010/12/22 7:21:15
Re: The XSS Security Issue - How much of a risk is it in real terms?

In this specific case it depends on the modules you're using. As soon as you have the IPF quicksearch feature on the frontend (available for anon-users as well) you will have an issue. Otherwise not.
2010/12/22 7:28:53
Re: The XSS Security Issue - How much of a risk is it in real terms?

IPF quicksearch feature

What's that? I have the default search block on my site. Is that what you mean? Or do you mean the 'Quick Search' facility found in the Content module homepage? I assume it is this search field that can be exploited, which requires site admin access anyway. I don't use the content module at all.
2010/12/22 11:29:53
Re: The XSS Security Issue - How much of a risk is it in real terms?

The second thing, tedsmith. Anyway, it's not only for the content module. It's also for system functions and other modules that rely on IPF and its quicksearch functionality.
2010/12/22 17:31:15
Re: The XSS Security Issue - How much of a risk is it in real terms?

Quote:

You will see the quick search in:
* Adsense administration
* Autotasks administration
* Blocks administration
* Block positions administration
* Custom tags administration
* Mimetypes administration
* Symlinks administration
* User ranks administration
2010/12/23 3:46:22
Re: The XSS Security Issue - How much of a risk is it in real terms?

Quote:

I agree with that sentiment. Requiring admin access is a hurdle to obtain the exploit; you shouldn't let that detract from the fact that it's possible. On the other hand though, if someone has gained admin access, you are correct, they can do a lot more damage than messing with XSS. Nothing can be 100% secure when it's on a network; no matter what you do, someone will always find a way through. We as developers just have to make that job all the more difficult to achieve, and if we can do that through strict coding practices & improving methods of detection & prevention, then we can at least try to stay ahead or at least keep up with the game, so to speak.

Quote:

Realistically, not likely; they need admin, and protector module would prevent that. In my opinion though, we should always strive to have the core doing the protection! Protector is & always should be a secondary preventative measure when the core isn't doing its job properly, and it shouldn't be relied on to cover up unsecure coding methods in the core.

On a 3rd note, this release also fixes an exploit in the image manager which CAN be exploited by anonymous users, opening up your site & potentially the server to malicious exploitation. That exploit was discovered internally by 1 of the Project members, and as such the exact exploit isn't in the public domain. Therefore I would strongly suggest updating asap. There are no DB changes in this release; all you need to do is update the system module once you have copied over the files, as far as I'm aware. The only DB change, I think, is to change the version number.
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
2010/12/23 3:52:26
Re: The XSS Security Issue - How much of a risk is it in real terms?

Should the download block be updated to version 1.2.4, or have you got to install 1.2.3 and patch it?

Also, the system => version checker is still reporting 1.2.3 as the latest version. How does that work, by the way?
2010/12/23 3:57:06
Re: The XSS Security Issue - How much of a risk is it in real terms?

Did you update the system module?
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
2010/12/23 7:51:59
Re: The XSS Security Issue - How much of a risk is it in real terms?

Quote:

All the download blocks have been updated - thanks! There is an xml file on the www site with the latest info in it - hadn't updated that, yet, but you should be good, now.