Illicit access to stats graphs

Composr uses SVG for rendering out stats graphs. When stats are viewed in the Admin Zone, Composr will generate the .xml files onto disk, and then embed those files. However, the URLs to the files are predictable and not access-protected.

This is a low risk vulnerability. While illicit access to stats graphs is not acceptable, there are no wider known repercussions and similar data may be available via third-party tools anyway (such as Alexa).

Affects

All Composr (and ocPortal) versions are affected.
Apache servers are affected, but IIS servers are usually not.

Available resolutions

Upgrade Composr

Version 10.0.29 has been released and fixes the security hole.

Workaround

Step 1)

Apache users may add the following code to their main .htaccess file:

RewriteEngine on
RewriteRule ^data_custom/modules/admin_stats/(.*)\.xml adminzone/stats_graph.php?file=$1 [L,QSA]

This requires the Apache mod_rewrite module to be enabled, which it probably is.

IIS users may upload the latest web.config from 10.0.29, which includes the equivalent code.

Step 2)

Both Apache and IIS users must upload adminzone/stats_graph.php and sources/stats.php from 10.0.29. These are new files, so nothing is being overwritten.

Checking for exploit attempts

Check your web server logs for unexpected access to URLs under data_custom/modules/admin_stats/.
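One way to run this check over an Apache "combined" access log, as an added example (not Composr's own code). The log lines and graph file names are constructed samples. Treating a Referer under /adminzone/ as the expected case is an assumption for triage only, since clients control that header.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" access-log format; referer and user agent are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
GRAPH_RE = re.compile(r'/data_custom/modules/admin_stats/.*\.xml')
SERVED = {"200", "206", "304"}  # graph data (or a cached copy) was handed out

# Constructed sample lines; the .xml file names are made up for illustration.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2017:10:01:02 +0000] "GET /data_custom/modules/admin_stats/Global-Views.xml HTTP/1.1" 200 5120 "-" "curl/7.50"',
    '198.51.100.4 - - [12/Mar/2017:10:05:00 +0000] "GET /data_custom/modules/admin_stats/Global-Views.xml HTTP/1.1" 200 5120 "https://example.com/adminzone/index.php?page=admin_stats" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2017:10:06:00 +0000] "GET /data_custom/modules/admin%5Fstats/Global-Browser.xml HTTP/1.1" 404 210 "-" "curl/7.50"',
    '203.0.113.9 - - [12/Mar/2017:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def find_graph_hits(lines):
    """Return every request for a stats graph file, marked with whether data
    was served and whether the Referer was outside the Admin Zone (heuristic)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = unquote(urlsplit(m["target"]).path)  # catch %-encoded variants
        if not GRAPH_RE.search(path):
            continue
        referer = m["referer"] or "-"
        hits.append({
            "ip": m["ip"], "time": m["time"], "path": path,
            "served": m["status"] in SERVED,
            "suspicious": "/adminzone/" not in urlsplit(referer).path,
        })
    return hits


if __name__ == "__main__":
    for h in find_graph_hits(SAMPLE):
        print(h)
```

Hits that are both served and suspicious deserve the closest look; unserved hits from the same address show guessing at file names.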

Technical explanation

The developers didn't consider the case of malicious users manually accessing SVG graph URLs.

How the fix works

Version 10.0.29 will deny direct access to the .xml files, instead serving the data through an intermediary script which checks permissions.

The workaround sends any web requests for the .xml files to the intermediary script, so that the stats code as a whole does not need patching.

Lessons learned

A complete review of the web access permissions to directories has been undertaken.

Credit

This issue was found by the developers while performing a wider review around XSS via MIME sniffing on .dat files.