DOS-Vulnerability through not_found.log

[mschop]

Hi,

I found a DOS-Vulnerability in litecart. If an attacker sends random URL's to LiteCart, those URLs (if unique) are saved to the file logs/note_found.log. Unfortunatly this file is fully loaded to RAM if a not existing URL is called.

By sending a large number of invalid request to litecart, the file size can be increased infinite. Then every call to litecart, that has an invalid url takes the full available memory and causes a lot of IO.

Recommendations
The entries should be logged to dababase. An upsert command can be used to create or update the entries in the db.

How can you protect your system, until a bugfix is published?
E.g. create a cron that empties the not_found.log file.

Best Regards
mschop

[rob-lindman]

can you provide details of the cron job?

[gabbo2]

Add logfile to logrotate..

[mschop]

Logrotate doesn't really help. That would only help, if you rotate e.g. every 10 Minutes. But rotating so often doesn't really make sense. I would just truncate the file through a cron every 10 Minutes.

echo "" > /pathtowebroot/logs/not_found.log

[timint]

I'm not sure how Apache does it in error_log and access_log. I've seen access logs that are in the size of GBytes.

How about only storing the last 500 rows or something like that? Or dumping the log over email once it reaches a certain size or amount?

[timint]

We can't rely of logrotate as everyone might not have access to use it on their machines.

Here is how to dump it when it reaches 500 rows.

In ~/index.php

Find

$lines = is_file($not_found_file) ? file($not_found_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : array();
$lines[] = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$lines = array_unique($lines);

Repalce with

$lines = is_file($not_found_file) ? file($not_found_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : array();

if (count($lines) >= 500) {
  $email = new email();
  $email->set_subject('[Not Found Report] '. settings::get('store_name'))
        ->add_body(PLATFORM_NAME .' '. PLATFORM_VERSION ."\r\n\r\n". implode("\r\n", $lines))
        ->send();
  $lines = array();
}

$lines[] = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$lines = array_unique($lines);

[rob-lindman]

Perhaps the developer will have a better answer. Apache already logs 404 codes, so I am not sure if this log is needed at all.

[mschop]

The not_found.log makes sense, if you need to display unfound links to non technical persons in the shop backend. Otherwise it's superflous (server logs). If there is no functionality to display the log in the backend, this function can be completely removed.

If it should be displayed to a customer, the logs should be stored in the MySQL-Database, because you then can store a much greater amount of entries without having a dos vulnerability. The database approach is much more flexible. E.g. if one needs to filter for a specific url.

[rob-lindman]

T.Almaroth,

I implemented this, but it caused a 500 error in my shop, so I removed it. Don't really have time at the moment to see what the issue is with the addition.

[mschop]

@rob-lindman do you have a server log entry for this 500?

[rob-lindman]

As I said, I don't have time at the moment to see what the problem is with the above code.

I think that one could just comment out this line for now in the index.php while TiM works out a solution:

    file_put_contents($not_found_file, implode(PHP_EOL, $lines) . PHP_EOL);

[mschop]

CVE-2018-10827

[rob-lindman]

what are these numbers supposed to refer to?

[paulgurney]

Hi Rob,
MSCHOP made a "common vulnerability" report, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10827

[timint]

Ok who is being a dickhead?

First of all a report of a vulnerability is very much appreciated. But..

You don't go posting it in a public forum or issue tracker. You send it silently over a secure private channel.

And you don't go posting a CVE and provide instructions how to exploit it until the author has released a fix.

Do I need to explain why or does it make good sense?

[rob-lindman]

TiM makes my day yet again!

I agree with the sentiment he's expressed... and also... this is not a serious vulnerability. Telling mom about it isn't going to save the world.