Two security holes, and resolutions

Hello,

Two security holes were recently discovered in current and previous versions of Composr CMS.

These issues have been fixed in the new version released today, 10.0.37. In this news post we will explain the issues and provide temporary mitigations for those who do not wish to immediately upgrade to 10.0.37.

Vulnerability 1: Upload and execution of PHP files

Bug:
Mass upload of media to a gallery allows .php files to slip through, and then they may be executed via URL.

Affects:

  1. Composr v10+ sites.
  2. Where also: Non-trusted users need to have the 'mass import' privilege assigned (not a default).
  3. Where also: Sites have the galleries add-on installed.
  4. Where also: Sites are running a webserver/configuration that our second line of security fails against. This means either:
    1. Not Apache
    2. Apache, but with .htaccess files disabled
    3. PHP8 as a module (so not CGI or FastCGI or FPM)
    4. Some other configuration we may not be aware of, in theory
    If you're not sure, try creating a simple PHP file uploads/galleries/example.php:

    <?php
    echo '<span style="color: r' . 'ed">Vulnerable if red</span>';

    Call up https://yourbaseurl/uploads/galleries/example.php. If you get a red message, your system is vulnerable.

Reason for mistake:
Gallery mass-import does not follow usual upload logic, galleries just accept any files which Composr considers as images or 'videos'. However, in v10 'videos' became defined so broadly that literally any file qualified, without consideration that this would impact security filtering.
Additionally, our secondary line of defence (.htaccess files) had not been updated to disable PHP 8's Apache module in the upload directories.

Fix in v10.0.37:
First line of defence:
  1. Code has been reviewed and restructured so that the full file extension exclusion-list checks are performed for mass-upload scenarios, including zip/tar extraction.
  2. Multiple-file-extension-checks (e.g. foo.php.example) have also been rolled into our standard security function, so this also is applied consistently. [Apache may execute such files, if PHP is poorly configured]. This has new unit testing to catch possible bugs.
  3. The exclusion-list now also includes .phar files. Necessary now that this list has an increased role.
Second line of defence:
  1. The .htaccess files will now block the PHP8 Apache module running from upload directories.
  2. The .htaccess files will block access to any file extension matching the same exclusion-lists as the upload checks use.
New third line of defence:
  1. Only media with a specific media renderer can now be used as a 'video'. In other words, just hyperlinking or displaying as code will no longer be considered.
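As an added illustration of the first and third lines of defence described above (example code written for this post, not Composr's own implementation), the following check applies the extension exclusion-list to every dotted component of a filename and only classes a file as an image or video when a renderer exists for it. The extension lists are illustrative assumptions, not Composr's actual lists.

```php
<?php
// Added example, not Composr code: a gallery mass-import filename check that
// (a) applies the exclusion-list to every dotted component of the name, so
//     "shell.php.example" and "x.PHAR" are rejected just like "shell.php", and
// (b) treats a file as an image or video only when a known renderer exists.
// All three extension lists below are assumptions made for this example.

const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'];

// Assumed allow-lists: only these have a media renderer in this example.
const IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
const VIDEO_EXTENSIONS = ['mp4', 'webm', 'ogv'];

/** True when no dotted component after the base name is a blocked extension. */
function upload_filename_is_safe(string $filename, array $blocked = BLOCKED_EXTENSIONS): bool
{
    $name = basename(str_replace('\\', '/', $filename)); // ignore any directory part
    $parts = explode('.', $name);
    foreach (array_slice($parts, 1) as $ext) {          // check every extension, not just the last
        if (in_array(strtolower(trim($ext)), $blocked, true)) {
            return false;
        }
    }
    return true;
}

/** Returns 'image', 'video', or null (no renderer: do not import into the gallery). */
function gallery_media_kind(string $filename): ?string
{
    if (!upload_filename_is_safe($filename)) {
        return null; // the exclusion-list wins regardless of apparent media type
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (in_array($ext, IMAGE_EXTENSIONS, true)) {
        return 'image';
    }
    if (in_array($ext, VIDEO_EXTENSIONS, true)) {
        return 'video';
    }
    return null; // a file is not a 'video' merely because it is a file
}

// Constructed sample of a mass-import batch.
foreach (['holiday.jpg', 'clip.mp4', 'shell.php', 'shell.php.example', 'x.PHAR', 'readme.txt'] as $f) {
    printf("%-18s %s\n", $f, gallery_media_kind($f) ?? 'reject');
}
```

Only holiday.jpg and clip.mp4 are accepted; the two PHP names and the .phar are rejected by the exclusion-list, and readme.txt is rejected because no renderer claims it.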

Temporary mitigation:
Download the latest manual extractor installer and replace your cms/pages/modules/cms_galleries.php file.

Vulnerability 2: XSS in an XML script

Bug:
One particular AJAX script that produces XML may be manipulated to output arbitrary executable JavaScript code. An XSS vulnerability is one whereby a hacker crafts a malicious URL and then tricks a target user (such as the webmaster) into accessing it, causing the code to run in that user's browser and potentially expose things such as login cookies.

Affects:
Almost all sites. Specifically, sites with the filedump (File/Media Library) or galleries add-on installed.

Reason for mistake:
There is a loophole for injecting JavaScript into pure-XML output that the developers were not aware of.

Fix in v10.0.37:
Direct resolution:
  1. The specific XSS hole (coding error) is fixed.
  2. The rest of the code is reviewed. There were similar issues in related code, which are fixed, but no other issues in unrelated code.
New secondary line of defence:
  1. All XML outputs now use Content Security Policy to disable JavaScript execution, to close the loophole so an XSS cannot happen even if there is another Composr coding error.

Temporary mitigation:
Download the latest manual extractor installer and replace the following files from it (if they exist on your site):
  • sources/sitemap_ajax.php
  • sources/hooks/systems/ajax_tree/choose_filedump_file.php
  • sources/hooks/systems/ajax_tree/choose_gallery.php
  • sources/hooks/systems/ajax_tree/choose_image.php
  • sources/hooks/systems/ajax_tree/choose_video.php

Credit

These issues were responsibly disclosed to us by BugsBD. We have great appreciation for groups and individuals who work with us like this.