About ChronoForms security IMPORTANT!

eboy 17 Jun, 2009
Hello,

I want to focus attention on the ChronoForms security.

How secure is the ChronoForms?

I have found some very interesting material that reveals that the file upload feature in a form can have more than 7 security holes!

Please visit this link: http://www.acunetix.com/websitesecurity/upload-forms-threat.htm

ATTENTION DEVELOPERS OF ChronoForms:

Can the developers explain how secure their form is?
We want to use their form, but we want to know whether ChronoForms is secure and safe to use.

Thank you very much,
Best regards
nml375 17 Jun, 2009
Hi eboy,
While I'm not an author of ChronoForms, I do consider myself an experienced server admin, and I'll take the liberty of making a reply. The list of possible exploits on your linked website is something that applies to any apache-served site allowing file uploads. There are also similar ways to introduce security holes on MS IIS servers and others.

However, first things first. ChronoForms does not accept/handle file uploads unless explicitly told to do so from the settings in the current form. Secondly, you have full control over where any uploaded file should be stored, such that you may store uploaded files "outside" the site (thus inaccessible to a malicious visitor), while the visitor only has partial control over the file name.

The extension-checker is weak, and I would personally recommend that any dot preceding the last one in the file name be replaced with a dash (-) or underscore (_) due to apache's "feature".

As such, I would argue that ChronoForms is just as safe as you let it be. If you enable file upload forms, be it ChronoForms or some custom php or cgi software, you'll have to care that the file is not stored in a fashion that permits code execution.

/Fredrik
GreyHead 17 Jun, 2009
Hi eboy,

I'd agree with Fredrik that the extension checker could be improved - but don't add either .php or .123 unless you want to invite problems. And possibly the image header check could be added. Other than that most of the bases are covered (.htaccess isn't under ChronoForms' control).

Bob
nml375 17 Jun, 2009
One more thing came to mind...
Although you could bypass the extension check and upload a file named backdoor.php.txt (assuming you permit .txt files), and your server was set up to make use of the AddHandler directive, the uploaded file will not be known as 'backdoor.php.jpg', but rather '20090617174323_backdoor.php.jpg'. As such, you would have to know the exact server time of the upload in order to know the filename. Although this by definition is security by obscurity, it does add further constraints to the issue.

/Fredrik
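The two file-naming measures Fredrik describes in his posts above (replacing every dot except the last one with an underscore, and prefixing the stored name with the upload timestamp), together with the image header check Bob suggests, written out as an added PHP example. This is not ChronoForms code: the function names, the extension allow-list, the storage directory and the way the `$_FILES` entry is passed in are assumptions of the example.

```php
<?php
// Added example, not ChronoForms code.
// safeUploadName() applies the two naming rules from this thread:
//   1. every dot except the one before the extension becomes an underscore, so a
//      name like "x.php.jpg" can never reach Apache's multi-extension (AddHandler)
//      processing as a PHP file;
//   2. the stored name is prefixed with the upload time (YmdHis).
// storeUpload() adds the extension allow-list and an image-header check before
// moving the file. All function names and paths below are assumptions of this example.

function safeUploadName(string $originalName, array $allowedExtensions, ?DateTimeInterface $when = null): ?string
{
    // Drop any directory part the browser (or a hostile client) sent along, Windows-style too.
    $base = basename(str_replace('\\', '/', $originalName));

    // The extension is whatever follows the LAST dot. Reject names with no extension,
    // names that start with a dot (".htaccess") and names that end with a dot.
    $lastDot = strrpos($base, '.');
    if ($lastDot === false || $lastDot === 0 || $lastDot === strlen($base) - 1) {
        return null;
    }
    $name = substr($base, 0, $lastDot);
    $ext  = strtolower(substr($base, $lastDot + 1));

    // Exact allow-list match on the lower-cased extension (no "contains" check).
    if (!in_array($ext, $allowedExtensions, true)) {
        return null;
    }

    // Rule 1: inner dots become underscores; any other unusual character does too.
    $name = str_replace('.', '_', $name);
    $name = preg_replace('/[^A-Za-z0-9_-]/', '_', $name);
    $name = substr($name, 0, 100);          // keep the stored name reasonably short

    // Rule 2: timestamp prefix, in the same form the thread shows ("20090617174323_...").
    $stamp = ($when ?? new DateTimeImmutable())->format('YmdHis');
    return $stamp . '_' . $name . '.' . $ext;
}

/**
 * Stores one $_FILES entry into $uploadDir. Returns the full path on success, null otherwise.
 * $uploadDir is assumed to lie outside public_html or to be protected by .htaccess.
 */
function storeUpload(array $file, string $uploadDir, array $allowedExtensions): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $safe = safeUploadName($file['name'], $allowedExtensions);
    if ($safe === null) {
        return null;
    }
    // Content check: the allow-list here is image types only, so the file must parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $safe;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Constructed inputs showing the naming logic; nothing is written to disk here.
$allowed = ['jpg', 'png', 'gif', 'tif'];            // the four types eboy permits
$when    = new DateTimeImmutable('2009-06-17 17:43:23');
foreach (['photo.jpg', 'backdoor.php.jpg', '../../evil.php', 'Report.JPG', '.htaccess'] as $n) {
    printf("%-18s => %s\n", $n, var_export(safeUploadName($n, $allowed, $when), true));
}
```

The allow-list is matched against the part after the last dot only, and every earlier dot is rewritten, so a multi-extension name cannot survive into the stored file. The image-header check is a second, independent gate: it rejects a file whose bytes are not an image even when its extension passes.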
eboy 20 Jun, 2009
Hello,

We have built a complex form using ChronoForms, and we have permitted only 4 types of files to be uploaded: jpg, png, gif and tif.

The form was set up to email the results.

Please give us an idea whether the attached files in the email are stored in a secure location, where they cannot be executed?

I will give some info in order to help:

The site is installed using:
1/ HostGator hosting;
2/ Joomla 1.5.11
3/ PHP 5
4/ MySQL 5
5/ Apache/2.2.11 (Unix)
6/ URL to the email client that receives the mailed results (on same server): http://xxx.xx.xx.xxx:2095/3rdparty/squirrelmail/src/webmail.php
7/ URL of the emailed image (on same server): http://xxx.xx.xx.xxx:2095/3rdparty/squirrelmail/src/download.php?passed_id=86&mailbox=INBOX&ent_id=5&absolute_dl=true

Please give us some advice and code to apply in Joomla's .htaccess file.

Is this SquirrelMail location a secure place where code cannot be executed?

Can we set up the emails to be sent somewhere other than this admin email (Joomla admin email)?

Please give us an example of a secure folder (that does not allow code execution) in a standard Linux web host account (with cPanel and a Joomla installation), or advise us how to build such a folder and where to store it?

Thank you very much in advance,
Best Regards
nml375 20 Jun, 2009
Hello eboy,
Unfortunately, the information you posted does not provide any vital information as to what vulnerabilities are applicable to uploaded files on your host. PHP 5 suggests that the AddHandler directive may be in place on the host - you'll have to ask your hosting company about this, or simply test it yourself.

Your installation of SquirrelMail is beyond the scope of this topic, as it is simply an email client like any other. I cannot recall any recent issues with email attachments for SquirrelMail though. SquirrelMail needs to be installed in a location that allows PHP code execution, as it is itself written in PHP.

To direct where to send the email, see the email tutorial available on this website, along with the numerous threads regarding CF and emails on the forum. Roughly put though, CF puts no restrictions whatsoever on where you may send the submission result email.

A "safe" location would vary from each hoster as to how they choose to set up their hosts. Most common though, is that you'll ftp to your webserver, and find one or more directories for each domain you've got hosted, and under each domain, you'd find a special directory for web pages (usually called public_html). Anything outside this directory would be unavailable to any web browser, and would thus be beyond reach for such attack attempts.

To test whether your server is vulnerable to the AddHandler directive, create a simple PHP file on the server named bogus.php.jpg and add <?php phpinfo(); ?> to its body, then try to load it in your web browser. If it shows a long listing of webserver and PHP settings, you are vulnerable; if not, you're not.

To fully protect your upload directory using .htaccess, you'd have to write something like this (writing from memory, might be some minor flaws in there. Check with the Apache httpd manual if it doesn't work properly):
Order allow,deny
Deny from all

Note that this will deny access to any file within that directory, so make sure you put it in the right place, and have some other means to retrieve the files...

/Fredrik
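For the case where the uploaded files must stay reachable in the browser (Fredrik's snippet above locks the directory away completely), here is an added example of a per-directory .htaccess that only switches script execution off. It is not ChronoForms' or HostGator's own configuration; it assumes the Apache 2.2 syntax eboy reports, that PHP on the host is mapped through AddHandler/AddType, and that the host's AllowOverride permits FileInfo, Options and Limit in .htaccess.

```apache
# Added example for an UPLOAD directory that must stay downloadable (not ChronoForms' own file).
# Apache 2.2 syntax; assumes AllowOverride allows FileInfo, Options and Limit here.

# Weak pattern, shown for contrast: blocking only names that END in .php.
# A file stored as "name.php.jpg" does not match, yet with a server-wide
# "AddHandler php5-script .php" Apache still executes it as PHP.
#
#   <FilesMatch "\.php$">
#       Order allow,deny
#       Deny from all
#   </FilesMatch>

# Hardened: serve every file in this directory as a plain static download,
# whatever extensions its name carries. SetHandler in a directory context is
# applied after mod_mime's extension mapping, so it overrides AddHandler.
SetHandler default-handler

# Also strip the PHP handler and MIME type the host may have attached per
# extension, so neither AddHandler nor AddType applies inside this directory.
RemoveHandler .php .php3 .php4 .php5 .phtml .phps
RemoveType    .php .php3 .php4 .php5 .phtml .phps

# No CGI execution and no directory listing of the stored files.
Options -ExecCGI -Indexes

# When PHP runs as mod_php, turn the engine off as well. The IfModule guard matters:
# on a suPHP/CGI host an unguarded php_flag is an unknown directive and yields a 500.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

Drop the file into the upload directory itself and repeat the bogus.php.jpg check described earlier in this thread: the browser should now offer the file as a download (or show its raw source) instead of the phpinfo() listing. If the directory is only a staging area for the e-mail attachments and nothing needs to read it over HTTP, Fredrik's two-line Order/Deny version above is the simpler and stronger choice.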