Security bulletin 2012-20-02

[Micha]

During internal audit activities we found security issue that make Vivvo potentially vulnerable to attackers who wish to gain access to the application sensitive data. We have released the security update which includes the following improvements.

4.5.x branch and 4.6 branch:
- Protection from File disclosure attacks has been improved.


SEVERITY
Moderately critical

IMPACT
- Malicious users may disclose the contents of CONFIGURATION table via a cache file.

WHERE
From remote.

AFFECTED VERSIONS
All Vivvo versions from 4.5 to 4.6

SOLUTION
We strongly recommend Vivvo users to install the security fix available in the HelpDesk 'File Area'. Alternatively, for users without valid license subscription, you can download the fix attached to this post.

Installation instructions can be found in the README file.


If you face any problems during or after the installation, feel free to contact our support team for help.

Best regards,
Vivvo Support team

[agouni]

Hi there,

The problem is you clean the cache, the .htaccess is removed.

Thanks

[Micha]

Quote:

Originally Posted by agouni

Hi there,

The problem is you clean the cache, the .htaccess is removed.

Thanks

This has been fixed.
Please download the archive again and upload the files to your website.

[zontech]

Thanks for the vigilant work.

Just downloaded the (updated?) fix db_maintence.php filesize=17,489 and applied as directed.

But after that, on attempting any of the 4 manual tasks (clean cache etc) get the error:

Quote:

Fatal error: Call to undefined method vivvo_lang::get_instance() in /var/www/vhosts/mysite.com/httpdocs/admin/db_maintence.php on line 31

Running 4.1.5.2 which has been very stable and robust.

[zontech]

Re: The security patch 30 June 2011 - compress.php; filesize=4767:
In the header it states:

Quote:

* $Revision: 5491 $
* $Date: 2010-06-10 15:13:09 +0200 (Thu, 10 Jun 2010) $
*
* Vivvo CMS v4.5.2r (build 6082)

Was this patch also relevant for ver 4.1.5.2?

TIA

[Micha]

Quote:

Originally Posted by zontech

Thanks for the vigilant work.

Actually Musarika one of our forum members here spotted this issue and let us know, so one big thanks goes to him

[zontech]

Feel free to delete my posts if that makes it more difficult for hackers, snoopers, and drongos to figure out what's going on.

[Micha]

Quote:

Originally Posted by zontech

Re: The security patch 30 June 2011 - compress.php; filesize=4767:
In the header it states:

Was this patch also relevant for ver 4.1.5.2?

TIA

We're still testing this on 4.1.x versions, and so far none of them were affected.
Nevertheless, if you wish to be on the super-safe side, just upload .htaccess from the patch provided in the first post into your cache folder, than go to

admin/db_maintence.php file, and around line 89, replace following line

PHP Code:

if ($filename != "." && $filename != ".." && !is_dir($dir . $filename)) { 


with this one

PHP Code:

if ($filename != "." && $filename != ".." && $filename != ".htaccess" && !is_dir($dir . $filename)) { 


This line should be changed only once where $dir = VIVVO_FS_ROOT . 'cache/'; is mentioned.

[zontech]

OK thanks - uploading the .htaccess file in the patch (30 bytes) and modifying the original 4.1.5.2 file to

Quote:

if ($filename != "." && $filename != ".." && $filename != ".htaccess" && !is_dir($dir . $filename)) {

still permits all 4 manual tasks to proceed, and does not delete the .htaccess file during any of these operations.

Will await next advice on this.