meinung-live.de: Censorship against BILDblog.de, liberal with security holes

Alex Günsche · March 5, 2007

A few days ago, BILDblog.de published an article about the forum www.meinung-live.de, operated by Bild.T-Online, where links and other references to BILDblog.de are systematically censored.

I took that as an occasion to have a look around this portal myself. I cannot stand the hate and lie machine “BILD” anyway, and when systematic censorship is practised on top of that, one does want to see who one is dealing with.

Now, I am neither a naughty boy, nor would I call myself a security specialist, but after just a short look around, several gross security holes caught my eye that could become fatal for users and operators of the portal. The forum system is called Forum 101 and can be bought from the northern German internet outfit worldweb for a mere 2800 euros. This forum system is susceptible to several vulnerabilities, predominantly cross-site scripting (XSS) in abundance, as well as SQL injection.

For the non-experts: client-side cross-site scripting is an attack technique in which a bad guy laces prepared URLs with JavaScript (a programming language executed by the browser), which is then executed on the victim's computer. In this way one can, for example, take over the victim's user account. The Forum101 system permits XSS attacks in many input fields and the corresponding URL parameters, i.e. pretty much every page of the forum is vulnerable to XSS attacks.

But that is not all: the forum system is vulnerable to SQL injection. SQL injection becomes possible through sloppy programming, when user input is used unchecked as a parameter for a database access. Under certain circumstances this allows breaking into the forum system's database and reading/changing/deleting arbitrary data, for example user names and passwords. (A small tip for the Forum101 developers: LIMIT clauses should not be taken unchecked from the URL.)
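As an added illustration of the tip about LIMIT clauses (not Forum101's code, whose internals the post does not show), the unchecked paging pattern beside a hardened version. The table and column names, the URL parameter names and the use of PDO are assumptions.

```php
<?php
// Added illustration; not taken from Forum101. Table/column names are made up.

// Pattern the post warns about: paging values from the URL go straight into
// the LIMIT clause, so anything after the digits becomes part of the statement.
function buildUnsafeQuery(array $get): string
{
    return "SELECT id, author, body FROM posts WHERE thread_id = " . $get['thread']
         . " ORDER BY id LIMIT " . $get['start'] . ", " . $get['count'];
}

// Hardened version: validate paging values as bounded integers first ...
function parsePaging(array $get, int $maxCount = 100): array
{
    $start = filter_var($get['start'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $count = filter_var($get['count'] ?? 20, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $maxCount]]);
    if ($start === false || $count === false) {
        // Reject instead of coercing; the caller answers with HTTP 400.
        throw new InvalidArgumentException('invalid paging parameters');
    }
    return [$start, $count];
}

// ... and bind every value as a typed placeholder, including the LIMIT operands.
function fetchPosts(PDO $db, array $get): array
{
    $thread = filter_var($get['thread'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($thread === false) {
        throw new InvalidArgumentException('invalid thread id');
    }
    [$start, $count] = parsePaging($get);

    // Native prepares make the LIMIT placeholders behave as integers.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare(
        'SELECT id, author, body FROM posts WHERE thread_id = :thread
         ORDER BY id LIMIT :start, :count');
    $stmt->bindValue(':thread', $thread, PDO::PARAM_INT);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':count', $count, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```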

Moreover, attacks against users are made even easier by the fact that the password apparently lies in the database in plain text instead of being protected with a hash. (This can be seen from the fact that the “forgotten password” function sends you the original password, not a new one.) So an attacker does not even have to change the passwords to log in with someone else's account, i.e. such access would even go largely unnoticed.
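The two things this paragraph faults, as an added example that is not part of the original post and not Forum101's code: storing only a password hash, and a “forgotten password” flow that issues a short-lived, single-use reset token instead of mailing the stored secret. The table and column names are assumptions, and sending the e-mail is left to the caller.

```php
<?php
// Added illustration; not Forum101's code. Tables users(id, username, pw_hash)
// and password_resets(id, user_id, token_hash, expires_at) are assumed.

// Store a salted hash, never the password itself; the hash string carries
// its own salt and work factor, so nothing else needs to be kept.
function setPassword(PDO $db, int $userId, string $password): void
{
    $stmt = $db->prepare('UPDATE users SET pw_hash = :h WHERE id = :id');
    $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
}

// Login compares against the hash; the plain text cannot be read back from it.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// "Forgotten password": mail a random, short-lived, single-use token and store
// only its hash. A database leak then yields neither passwords nor usable tokens,
// and the user has to choose a new password, which is what makes misuse visible.
function createResetToken(PDO $db, int $userId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                          VALUES (:u, :t, :e)');
    $stmt->execute([':u' => $userId, ':t' => hash('sha256', $token), ':e' => time() + $ttl]);
    return $token; // placed in the e-mail link by the caller, never stored as-is
}

function redeemResetToken(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT id, user_id FROM password_resets
                          WHERE token_hash = :t AND expires_at > :now');
    $stmt->execute([':t' => hash('sha256', $token), ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Single use: invalidate the token before setting the new password.
    $db->prepare('DELETE FROM password_resets WHERE id = :id')->execute([':id' => $row['id']]);
    setPassword($db, (int) $row['user_id'], $newPassword);
    return true;
}
```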

With such grave weaknesses, the Forum101 system quickly becomes “Room 101” for everyone involved. To make it clear once more: these findings are the result of an idle coffee break. One can hardly imagine what a closer examination of this hackjob, priced like a complete office furnishing, would turn up. The question remains why Bild.T-Online chose this package, when an older version of phpBB would have done just as well. Presumably the outstanding feature (or “unique selling point”, as the PR person says) is the sophisticated censorship function.

Note: unauthorised spying on and manipulation of computer data is, as we all know, a criminal offence in Germany. No data was spied on or manipulated without authorisation during the research described above. This article is not to be understood as a call to commit crimes; it solely represents a critical review of the “Forum101” forum system.

Advanced Search 0.6

Alex Günsche · February 24, 2007

There is a new version of the AdvancedSearch plugin. It fixes some grave bugs with the WordPress 2.1 series:

  • Paged searches now work with WP 2.1.x,
  • Searching in static pages now also works again,
  • A problem with search term highlighting and the o42_cleanumlauts plugin has been fixed (only relevant to German users),

Many thanks to everybody who supported the development with finding and fixing bugs; especially Ryan and Aza.

Furthermore, there is now a Czech translation of the plugin thanks to Martin Štěpán.

The plugin is as always available from its home page. Have fun with the new version and let me know how you like it. Also, please help out with translations, and report bugs as well as improvement ideas!

WP-Manage 0.1-alpha2

Alex Günsche · January 23, 2007

Tonight, the long expected WordPress 2.1 was released. Unfortunately, the WP-Manage Upgrade module had a problem with the upgrade to 2.1. Therefore, there’s the new version 0.1-alpha2, which fixes the errors. In case you have tried to upgrade with the broken version, simply insert the new version (or only the file upgrade.php) and try again. We apologize for the inconvenience.

WP-Manage: Automatic backups and upgrades

Alex Günsche · January 20, 2007

WP-Manage is a management extension (not a plugin) for WordPress, which will perform backups and upgrades, each with a single click.

The Backup routine creates a MySQL dump of the WP tables, gathers all WP files and puts all this stuff into a nice zip file. The Upgrade routine downloads the latest WordPress, unpacks it, deletes the old files and inserts the new ones. All these actions don’t require funky PHP extensions — they are all handled by the WP-Manage package, together with some nice third-party libs.

The backup and the upgrade routine are independent from each other, and it should be said that the upgrade feature might not be the right thing for everyone. But if, for example, you installed WordPress for a friend or a customer with no knowledge of FTP, PHP and MySQL, you might find an ideal solution in this upgrade feature.

Documentation, screenshots and downloads are available at the WP-Manage homepage. Feedback is very appreciated.

Update: There was an unfortunate error in the file upgrade.php: the latest WordPress was not downloaded from wordpress.org, but from zirona.com (this server). This is because I didn’t want to bomb wordpress.org with requests during the development. Unfortunately I forgot to replace the reference to my server with the original download source, so the WP-Manage version distributed until this evening (GMT) downloads from zirona.com. The error was corrected and the package was uploaded again. You can either download WP-Manage again or change http://www.zirona.com/download/ to http://wordpress.org/ in upgrade.php, line 290. Sorry for the confusion and thanks to Fabrice Pascal for the hint.

WP 2.0.7 and Advanced Search 0.5

Alex Günsche · January 16, 2007

WordPress 2.0.7 has just been released. It fixes a security hole which allowed the WordPress database to be read via the file wp-trackback.php. Although the threat depends on special circumstances and does not apply to all WordPress sites, it is highly recommended to update as soon as possible.

On a related note, there’s a new version of the Advanced Search plugin available. An error with category filtering on blogs with only one author reported by cj has been fixed in the new version. Also, there is now an Italian translation thanks to Andrea Barbieri.

The plugin is as always available from its home page. Have fun with the new version and let me know how you like it. Also, please help out with translations, and report bugs as well as improvement ideas!

Update: There was still another bug occurring on blogs with several authors of which only one actually has posts. The problem was fixed and the download for 0.5 was updated. Thanks to solemnchaos for the hint.

WordPress-Plugin for moving comments

Alex Günsche · January 15, 2007

There’s a new WordPress plugin developed by Zirona. It allows moving comments from one post (including pages) to another. It’s nothing special; it does what it says. You surely won’t need it often, but when you do, you will be glad it exists.

The plugin has its own home page and is looking forward to visitors, downloaders and feedbackers!

Update: There was a little mistake with a hardcoded URL, kindly discovered by Ingo. This error was fixed and the plugin uploaded again.

ServerSite discontinued

Alex Günsche · January 12, 2007

The ServerSite project, which implemented a webserver with lots of additional features on a LiveCD, is discontinued.

The main reason for this is that I don’t have the time to manage the project in an appropriate manner. The intentions of ServerSite were to provide a stable and widely running LiveCD with very recent packages based on Gentoo Linux, as well as to provide special features such as saving settings and contents on a USB stick – and these intentions cannot be satisfied with too small a time budget.

Whoever might be interested in the build scripts or other stuff created during the ServerSite development is welcome to contact me.

Exploit for WordPress available

Alex Günsche · January 10, 2007

There is an exploit for WordPress available which reveals the admin user and the hashed admin password. WordPress versions lower than 2.0.6 on servers with register_globals=On are vulnerable. (The exploit script suggests that 2.0.6 is also affected, but this couldn’t be reproduced so far.) Everybody is urged to update to 2.0.6 as soon as possible.

Wikipedia provides some background on SQL injection exploits.

Advanced Search version 0.4

Alex Günsche · December 24, 2006

A new version of the Advanced Search is available. Prominent changes are:

  • Search can now be limited to a user-defined period,
  • Various improvements on the highlighting function; it should work pretty perfectly now,
  • Compatibility with the Polyglot plugin (thanks to Christian),
  • Fixes and some revisions for compatibility with WordPress 2.1 – yes, we’re ready for the 2.1 release! :-D

The plugin is as always available from its home page. Have fun with the new version and let me know how you like it. Also, please help out with translations, and report bugs as well as improvement ideas!

Encrypted contact forms for WordPress

Alex Günsche · November 27, 2006

We are happy to announce the release of our next great WordPress plugin. It is called Subrosa and it is a snap-in for various WordPress contact forms to allow Public Key encryption of confidential messages. What this is and what the benefits are is explained very well in a Wikipedia article.

The plugin is tested with the legacy WP Contact Form by Ryan Duff and with Contact Form ][ by Chip Cuccio. But others should work, too.

You can read more about the plugin on its description page, where you will also find the download.

To see a demonstration of the plugin, visit our contact form.

This plugin is based on the work of a couple of other authors. I want to especially thank Herbert Hanewinkel, who not only did most of the JavaScript implementations of the cryptographic algorithms, but who also helped me with the development of this plugin. Not to forget that much of the frontend stuff is derived from his insightful online demo.