Geeklog Forums

Bug: security check should check if admin/install/install.php still exists


cweiske

Anonymous
The security check in the admin section should check if admin/install/install.php still exists.
It doesn't do it, and tells you everything is fine, although people could take over your installation with it.

cweiske

Anonymous
To clarify:
When logging in the first time, I had a "system message" above the "command and control" icons with a link redirecting to admin/sectest.php. This page did not check if install.php exists.

ironmax

Anonymous
Okay, it seems that the beta is missing some info in the lib-custom.php file for "Are you secure?" Here is the info that was left out of that file below. Also make a new block and call it "Are you secure?". Under block name put "security_check". Under type put PHP Block. Then under PHP Block Options input "phpblock_getBent". For Access Rights, select Root. Then copy the code below into lib-custom.php and save it off. Then check your new block.

PHP Formatted Code

/***
*
* Get Bent()
*
* PHP function to tell you if your site is grossly insecure
*
**/

function phpblock_getBent()
{
    global $_CONF, $_TABLES;

    $secure = true;

    $retval = '';

    $secure_msg = 'Could not find any gross insecurities in your site.  Do not take this ';
    $secure_msg .= 'as meaning your site is 100% secure, as no site ever is.  I can only ';
    $secure_msg .= 'check things that should be blatantly obvious.';

    $insecure_msg = '';

    // we don't have the path to the admin directory, so try to figure it out
    // from $_CONF['site_admin_url']
    $adminurl = $_CONF['site_admin_url'];
    // strip a trailing slash (strrpos returns at most strlen - 1)
    if (strrpos ($adminurl, '/') === strlen ($adminurl) - 1) {
        $adminurl = substr ($adminurl, 0, -1);
    }
    $pos = strrpos ($adminurl, '/');
    if ($pos === false) {
        // only guessing ...
        $installdir = $_CONF['path_html'] . 'admin/install';
    } else {
        $installdir = $_CONF['path_html'] . substr ($adminurl, $pos + 1)
                    . '/install';
    }

    if (is_dir ($installdir)) {
        $insecure_msg .= '<p>You should really remove the install directory <b>' . $installdir .'</b> once you have your site up and running without any errors.';
        $insecure_msg .= ' Keeping it around would allow malicious users the ability to destroy your current install, take over your site, or retrieve sensitive information.';

        $secure = false;
    }

    // check to see if any account still has 'password' as its password.
    $count = DB_query("select count(*) as count from {$_TABLES['users']} where passwd='" . md5('password') . "'");
    $A = DB_fetchArray($count);
    if ( $A['count'] > 0 ) {
        $secure = false;
        $insecure_msg .= '<p>You still have not changed the default password from "password" on ' . $A['count'] . ' account(s). ';
        $insecure_msg .= 'This will allow people to do serious harm to your site!';
    }

    if ($secure) {
        $retval = $secure_msg;
    } else {
        $retval = $insecure_msg;
    }
    $retval = wordwrap($retval,20,' ',1);

    return $retval;
}
 


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
The functionality of the getBent block has been moved to the new script, admin/sectest.php. But, as cweiske pointed out, it's not working correctly. So thanks for the report!

This only affects the 1.4.1 betas, though. All older versions - up to and including 1.4.0sr5-1 - use the getBent block and it's working correctly there.

bye, Dirk

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
Quote by: Dirk

The functionality of the getBent block has been moved to the new script, admin/sectest.php. But, as cweiske pointed out, it's not working correctly. So thanks for the report!

This only affects the 1.4.1 betas, though. All older versions - up to and including 1.4.0sr5-1 - use the getBent block and it's working correctly there.



I downloaded version 1.4.1 from this site on January 31, 2007. I upgraded my 1.3.11 site to this version yesterday.

Currently I still get directed to the sectest.php script whenever navigating to the admin panel. It says:
PHP Formatted Code
1. Good! You seem to have removed the install directory already.
2. You still have not changed the default password from "password" on 3 account(s).

Do Dirk's comments from this thread mean that I should ignore this because the script is still functioning improperly? I ran the SQL query that the script uses directly from a phpmyadmin session and the results are that there are no accounts with the default password of 'password'.

Thanks,
Lou

Dirk

The sectest.php script is working as expected in 1.4.1 final.

How did you check the passwords? They are md5 encrypted and not stored as plain text. The sectest script takes that into account, so if it reports 3 accounts using "password" as their password, that's almost certainly true.

bye, Dirk

usarfans

Disclaimer on my SQL skills.....

Using phpmyadmin, I went to the gl_users table and did the same query
PHP Formatted Code
SELECT * FROM `gl_users` WHERE passwd=" . md5 ('password')"
That query - to my SQL knowledge - seemed to be basically the same as what the sectest.php file executes. The query reports a result of zero rows.

Assuming my SQL knowledge is flawed, which is most likely the case, how can I find out which of the 500+ users have their password set to password? And how can I change it or enforce a normal user to not use 'password'?

All of the users and passwords in my control are not set to 'password'.

Also, thanks for your prompt response.

Lou

Dirk

Leave out the double quotes (but not the single quotes):
PHP Formatted Code
select uid,username from gl_users where passwd=md5('password');

That will give you the uid and username of all the accounts in question.

Geeklog doesn't really do anything to enforce secure passwords. The security check was meant to check if the passwords on a fresh install have been changed - it just happens to pick up the password from other accounts, too. Maybe we should clarify that in the message.

bye, Dirk

usarfans

Thanks for the correct sql query code for me to use. I found the accounts in question and took care of the 'password' passwords. All were accounts which had not been logged in from in several years.

Perhaps the next iteration of sectest.php can add a display output which lists the accounts in question for the site admin to resolve.

Now the sectest passes, and navigating to the admin panel goes as expected.

Now - onto my other problems I've encountered since the upgrade! No thanks to the Smooth_Blue theme which really does not appear to be ready for 1.4.1 despite it saying so. Oh well, it keeps my brain active at least!

Thanks for your help on this issue Dirk.

Lou
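
Added example (not part of the original posts and not Geeklog code): a stand-alone PHP sketch of the lookup Dirk describes and the per-account listing suggested above, next to the quoted query that matched nothing. The in-memory SQLite table, its rows and the function names are constructed for illustration; it assumes the pdo_sqlite extension and unsalted MD5 hex in passwd, as in the thread.

```php
<?php
// Added example, not Geeklog code. A constructed in-memory SQLite table
// stands in for gl_users; passwd holds unsalted MD5 hex, as in the thread.

function buildSampleUsers(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gl_users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)');
    $ins = $db->prepare('INSERT INTO gl_users (uid, username, passwd) VALUES (?, ?, ?)');
    // Constructed accounts: two of them still use the default password.
    $rows = [
        [2, 'Admin', md5('password')],
        [3, 'lou', md5('a-long-unrelated-passphrase')],
        [4, 'dormant2004', md5('password')],
    ];
    foreach ($rows as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Returns uid => username for every account whose stored hash equals the
// MD5 of $candidate. The hash is computed in PHP and bound as a parameter.
function accountsWithPassword(PDO $db, string $candidate): array
{
    $stmt = $db->prepare('SELECT uid, username FROM gl_users WHERE passwd = ? ORDER BY uid');
    $stmt->execute([md5($candidate)]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// The query as typed into phpMyAdmin earlier in the thread. In MySQL's
// default SQL mode the double quotes make the md5() call a string literal,
// so passwd is compared against that text instead of against a hash.
function accountsMatchingQuotedLiteral(PDO $db): array
{
    $stmt = $db->prepare('SELECT uid, username FROM gl_users WHERE passwd = ?');
    $stmt->execute([" . md5 ('password')"]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

$db = buildSampleUsers();
foreach (accountsWithPassword($db, 'password') as $uid => $username) {
    echo "default password still set: uid=$uid username=$username\n";
}
echo 'rows matched by the quoted literal: ', count(accountsMatchingQuotedLiteral($db)), "\n";
```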

empirical

Anonymous
I had this problem too...without this solution I would've been lost. Thanks for posting it.

I would recommend fixing this in the next version of the site; the security message that is rendered from the Admin Panel is very confusing.


Dirk

Quote by: empirical

I would recommend fixing this in the next version of the site; the security message that is rendered from the Admin Panel is very confusing.


FYI: This has been fixed / clarified in CVS, both in the trunk and in the branch for a possible 1.4.1-1 release.

bye, Dirk