This repository has been archived by the owner. It is now read-only.

CVE-2018-7251 | Info Disclosure due to public error logs #1247

Closed
pehelwan opened this issue Feb 19, 2018 · 15 comments

@pehelwan pehelwan commented Feb 19, 2018

An issue was found in Anchor CMS leading to Info Disclosure.

Member

@daviddarnes daviddarnes commented Feb 19, 2018

Thanks for spotting this! Would you be able to advise on a solution? Other than the user not turning on errors on live sites?

Author

@pehelwan pehelwan commented Feb 19, 2018

Yes, it's clear here that this file should in fact not be accessible to anyone but the administrator, so it's rather a case of Improper Access Control; only admin should have access to it. Can you elaborate on what you mean by "Other than the user not turning on errors on live sites?"

Regards,

Member

@daviddarnes daviddarnes commented Feb 19, 2018

@pehelwan I didn't realise this error log isn't your own, I thought it was your test. Surely you shouldn't be reporting that url publicly as you're only making the security issue worse?

My query was whether you have a bug fix in mind for the security problem?

Author

@pehelwan pehelwan commented Feb 19, 2018

Temporary - Forbid access to errors.log until a further fix

Long term - Fix access controls to admin only in sensitive areas like error log files


@attritionorg attritionorg commented Feb 19, 2018

This just got assigned CVE-2018-7251 and published.

Member

@daviddarnes daviddarnes commented Feb 20, 2018

@pehelwan thank you for reporting this. I understand that it must be quite easy to get a hold of the error log, but I would prefer not to have it posted on an open source forum for people to easily locate and use on their site without their consent. I've redacted the url for now.

As for the bug we'll have to do some investigation, but I'm guessing the only way that error log got uploaded was that the user deployed the site with a development setting turned on? Would that be the case @CraigChilds94?

@pehelwan pehelwan changed the title Vulnerability CVE-2018-7521 | SECURITY ADVISORY ANCHORCMS BY ARIF KHAN Feb 20, 2018
@pehelwan pehelwan changed the title CVE-2018-7521 | SECURITY ADVISORY ANCHORCMS BY ARIF KHAN CVE-2018-7521 | SECURITY ADVISORY FOR ANCHORCMS| BY ARIF KHAN Feb 20, 2018
@pehelwan pehelwan changed the title CVE-2018-7521 | SECURITY ADVISORY FOR ANCHORCMS| BY ARIF KHAN CVE-2018-7521 | SECURITY ADVISORY FOR ANCHORCMS Feb 20, 2018
@pehelwan pehelwan changed the title CVE-2018-7521 | SECURITY ADVISORY FOR ANCHORCMS CVE-2018-7251 | SECURITY ADVISORY FOR ANCHORCMS Feb 20, 2018
Member

@daviddarnes daviddarnes commented Feb 20, 2018

@pehelwan thanks for updating the issue title, will help with future referencing. Sorry, but we don't have a place other than this GitHub repo to provide credit for bug reporting.

Member

@daviddarnes daviddarnes commented Feb 20, 2018

@pehelwan that is an interesting idea, but I would think it would be only for people who have contributed a fair amount of development to the project.

@pehelwan pehelwan changed the title CVE-2018-7251 | SECURITY ADVISORY FOR ANCHORCMS CVE-2018-7251 | SECURITY ADVISORY FOR ANCHORCMS | Reported by Arif Khan Feb 20, 2018
pehelwan referenced this issue Feb 21, 2018
In response to CVE-2018-7251
pehelwan referenced this issue in pehelwan/anchor-cms Feb 21, 2018
Forbid access to errors.log
Member

@CraigChilds94 CraigChilds94 commented Feb 21, 2018

Fixed by #1248


@KennethWussmann KennethWussmann commented Feb 26, 2018

This is not going to fix it quite well. What about other web servers like nginx that ignore .htaccess?

Member

@Radiergummi Radiergummi commented Feb 26, 2018

@KennethWussmann I will admit we should provide examples in the documentation, but someone who uses nginx probably also has their own (VPS) server. Reasonably, you can expect those people to be proficient enough to configure nginx on their own.
There are way too many web servers to provide examples and consideration for, but the typical audience of AnchorCMS is likely using shared hosting with Apache2 so that is always going to be top priority.


@KennethWussmann KennethWussmann commented Feb 26, 2018

@Radiergummi You should definitely provide this information in the installation process documentation, that you may punch holes in your system and lose your database.
Maybe there should also be the opportunity to log to a different file/directory outside of the default static served directory.

Author

@pehelwan pehelwan commented Feb 26, 2018

In the nginx conf file, add the following directive:

```nginx
# Deny all requests for the Anchor CMS error log
location ~ /anchorcms/errors\.log {
    deny all;
}
```

Hope this works!

Member

@Radiergummi Radiergummi commented Feb 26, 2018

@KennethWussmann although not too obvious, the log file output directory can be changed by using a custom log reporter, refer to anchor/config/error.php in your installation. On L15, change the output path to a directory outside of your web root.

We are currently reviewing the logging functionality and in the middle of setting up CI including E2E/unit tests to prevent things like these from happening in the future. I hope you understand, however, that this is a project we work on in our spare time and some things might take a little to be properly implemented.
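
Added example (not part of the original thread and not Anchor CMS code): a server-independent check for the point discussed above, that a log kept inside the web root is only protected by per-server rules, while a log outside it is not served at all. The directory names `public_html` and `logs`, the sample files and the function names are assumptions made for illustration.

```python
import os
import tempfile


def is_served(path, web_root):
    """True if path resolves (symlinks followed) to a location under web_root."""
    real_root = os.path.realpath(web_root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def exposed_logs(web_root, suffixes=(".log",)):
    """List log-like files under web_root, relative to it.

    Each hit is a file the web server hands out unless a server-specific
    rule (.htaccess on Apache, a location block on nginx) denies it.
    Symlinks placed inside the web root are listed too.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, web_root))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed layout: a web root holding errors.log and a sibling log dir."""
    web_root = os.path.join(base, "public_html")  # assumed web root name
    safe_dir = os.path.join(base, "logs")         # assumed location outside it
    os.makedirs(os.path.join(web_root, "anchor"))
    os.makedirs(safe_dir)
    for p in (os.path.join(web_root, "errors.log"),
              os.path.join(web_root, "index.php"),
              os.path.join(safe_dir, "errors.log")):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    return web_root, safe_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web_root, safe_dir = build_demo_tree(base)
        print("logs inside web root:", exposed_logs(web_root))
        outside = os.path.join(safe_dir, "errors.log")
        print("relocated log served?", is_served(outside, web_root))
```
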


@KennethWussmann KennethWussmann commented Feb 26, 2018

@pehelwan nginx was just an example to show that this issue is not fixed by adding a .htaccess file.

@Radiergummi Well, letting the users mess about with your source code and deal with it again after updating doesn't seem to be a good solution either.

For sure it's a DevOps problem. There should just exist the opportunity for them to prepare their systems.

@pehelwan pehelwan changed the title CVE-2018-7251 | SECURITY ADVISORY FOR ANCHORCMS | Reported by Arif Khan CVE-2018-7251 | Info Disclosure due to public error logs Apr 23, 2019