Thread: Contao and Security

  1. #1
    New user
    Join Date
    02-12-13.
    Posts
    2

    Contao and Security

    According to Secunia there are unpatched vulnerabilities in Contao. How are security issues actually handled on Contao sites?

    i.e.
    http://secunia.com/advisories/48180/
    Ivano Binetti has discovered a vulnerability in Contao, which can be exploited by malicious people to conduct cross-site request forgery attacks.

    As Contao has existed since 2006, the reporting of security-related issues seems not to be very common in the community, or is Contao so secure that it does not have security issues?

  2. #2
    Core developer
    Official Contao Team
    leo
    Join Date
    06-04-09.
    Location
    Wuppertal, Germany
    Posts
    201

    Re: Contao and Security

    First of all, the reported issue never really was an issue. To exploit the "vulnerability", the malicious website would have to know the domain name of your Contao installation, which is very unlikely!

    Second of all, the request token system prevents this kind of attack, so the report can be considered fixed (and outdated).

  3. #3
    New user
    Join Date
    02-26-13.
    Posts
    2

    Re: Contao and Security

    Dear Leo,

    Quote Originally Posted by leo
    To exploit the "vulnerability", the malicious website would have to know the domain name of your Contao installation, which is very unlikely!
    Well, if you are mounting an attack on someone's web site, you actually do know the domain name, as well as lots of other information.

    Quote Originally Posted by leo
    Second of all, the request token system prevents this kind of attack, so the report can be considered fixed (and outdated).
    You might have noticed that, in this software, all the delete actions are performed by GET requests, not POST ones, as I suspect you are thinking.

    Well, let's confirm the issue by ourselves! I have taken liberty to download, install, and test the version 2.11.9, which seems to be the latest release of 2.11.x LTS branch. As far as I see, this is the branch that is reported to be vulnerable, so it fits perfectly for the demo.

    If you check the URL of the link you click on when deleting something, it looks something like this:
    Code:
    http://[host]/contao/main.php?do=page&act=delete&id=1
    where the value of "do" parameter varies depending on what type of objects you are operating on, and "id" varies depending on the exact object to be deleted. Please notice that there are no tokens of any kind in the link.

    To test things out, you can simply copy & paste the link into a new browser tab and make the browser perform the request. See what will happen -- the stuff gets deleted! Congratulations, you have performed your first, very basic, CSRF attack! It looks ridiculous when that simplified, but... Bear in mind that, for example, the attacker might put the URL you've just used anywhere -- in any HTML tag that requests a remote resource; often, the IMG tag is used for the purpose. Just visiting a page specially prepared for you by a "friend" might be enough to kill your user on the installation you own.

    You might also want to review the theory behind the cross-site request forgery attack types on web applications. Let me provide you with some fine reading:
    1. https://www.owasp.org/index.php/Cross-S ... %28CSRF%29
    2. http://www.cgisecurity.com/csrf-faq.html

    Have fun!

    With kind regards,
    dmy

  4. #4
    Core developer
    Official Contao Team
    leo
    Join Date
    06-04-09.
    Location
    Wuppertal, Germany
    Posts
    201

    Re: Contao and Security

    Quote Originally Posted by dmy
    if you are mounting an attack on someone's web site, you actually do know the domain name
    That's true, but you forget that you also have to make your victim open the malicious website and this website has to be opened in the same browser as the Contao installation and the victim has to be logged in to the back end at this time and the victim has to have sufficient permission to delete the item! These are a lot of requirements for the exploitation.

    And even if you manage to meet all those requirements, you can only attack one single website. And what damage can you do? Sure, you can delete things via GET, because we intentionally allow deep-linking in the back end. But thanks to the undo function, you can restore any deleted resource, so the data is not lost.

    Please understand that I am not saying that this is not an issue! It is just not that critical an issue as said in the security report.

    Second of all, the request token system prevents this kind of attack
    Please download Contao 3 and run your tests again. You will see that the request token system prevents the attack.
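The two handlers below model the contrast the thread is about: the tokenless GET deep link dmy describes in #3, and the request-token check leo refers to in #4. This is an added example written for this thread, not Contao's own code (Contao is PHP; Python is used here only to keep the model small and runnable). The session and page store are constructed in-memory stand-ins, the parameter name `rt` for the token is an assumption, and the logging calls show where a defender would pick up rejected requests.

```python
import hmac
import logging
import secrets
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("backend")


@dataclass
class Session:
    """Constructed stand-in for a logged-in back-end session (hypothetical)."""
    user: str
    can_delete: bool
    # One unguessable token per session; a cross-site page cannot read it.
    request_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _page_id(params: dict):
    """Parse the id parameter; None if missing or not a positive integer."""
    raw = params.get("id", "")
    return int(raw) if raw.isdigit() else None


def delete_via_get(session: Session, query: dict, pages: dict) -> tuple:
    """Tokenless handler mirroring main.php?do=page&act=delete&id=N from #3:
    any request in the victim's browser session removes the row, whatever
    page triggered it. Kept only as the 'before' for contrast."""
    if query.get("act") != "delete":
        return 400, "unsupported action"
    page_id = _page_id(query)
    if page_id is None:
        return 400, "bad id"
    if not session.can_delete:
        return 403, "insufficient permission"
    pages.pop(page_id, None)
    return 200, "deleted"


def delete_with_token(session: Session, method: str, params: dict, pages: dict) -> tuple:
    """Hardened handler: a state change is accepted only on POST and only when
    the submitted token equals the one stored in the session (request token
    system). GET deep links still resolve, but can no longer delete."""
    if params.get("act") != "delete":
        return 400, "unsupported action"
    page_id = _page_id(params)
    if page_id is None:
        return 400, "bad id"
    if method != "POST":
        # An <img> or plain link can only produce GET; refusing it is enough.
        log.warning("rejected %s delete for id=%s by user=%s", method, page_id, session.user)
        return 405, "method not allowed"
    supplied = params.get("rt", "").encode()
    if not hmac.compare_digest(supplied, session.request_token.encode()):
        # Worth alerting on: a form rendered by this site always carries the token.
        log.warning("possible CSRF: bad request token for id=%s user=%s", page_id, session.user)
        return 403, "invalid request token"
    if not session.can_delete:
        return 403, "insufficient permission"
    pages.pop(page_id, None)
    return 200, "deleted"


if __name__ == "__main__":
    sess = Session(user="admin", can_delete=True)
    pages = {1: "Home", 2: "About"}          # constructed sample data
    print(delete_via_get(sess, {"do": "page", "act": "delete", "id": "1"}, pages), pages)
    pages = {1: "Home", 2: "About"}
    print(delete_with_token(sess, "GET", {"act": "delete", "id": "1"}, pages), pages)
    print(delete_with_token(sess, "POST", {"act": "delete", "id": "1", "rt": "guess"}, pages), pages)
    print(delete_with_token(sess, "POST", {"act": "delete", "id": "1", "rt": sess.request_token}, pages), pages)
```

Run it and the GET variant deletes page 1 outright, while the hardened handler refuses the GET, refuses a POST with a wrong token, and only deletes when the session's own token is presented. The token comparison uses `hmac.compare_digest` so a mismatch does not leak timing information about the stored value.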

  5. #5
    New user
    Join Date
    02-26-13.
    Posts
    2

    Re: Contao and Security

    Quote Originally Posted by leo
    That's true, but you forget that you also have to make your victim open the malicious website and this website has to be opened in the same browser as the Contao installation and the victim has to be logged in to the back end at this time and the victim has to have sufficient permission to delete the item! These are a lot of requirements for the exploitation.
    We rarely get an exploit that works in 100% of cases. There are always multiple conditions that have to be met for a successful exploitation. Cross-site scripting attacks by default are not reliable, and have the substantial difficulties you mentioned above. That is the reason they are usually rated as "less critical" and have medium complexity by CVSS2 score. But the potential impact ranges from simple annoyance to complete compromise, thus they are not to be disregarded.

    Quote Originally Posted by leo
    And even if you manage to meet all those requirements, you can only attack one single website.
    That is usually the aim. Vandalising millions of sites via a cross-site scripting vulnerability is a very hard task indeed. :D But one... That is certainly possible.

    Quote Originally Posted by leo
    Please understand that I am not saying that this is not an issue! It is just not that critical an issue as said in the security report.
    I'd really like to point out once more that these vulnerabilities are rated "less critical" everywhere -- it is the common practice. Some, though, rate them higher.

    The bottom line of this discussion is -- please, do not disregard ANY reported vulnerability just because you cannot come up with a good plan for total mayhem using this one. Keep your software safe and your users protected.

    Quote Originally Posted by leo
    Please download Contao 3 and run your tests again. You will see that the request token system prevents the attack.
    I certainly will! Thanks for the suggestion.

    With kind regards,
    dmy
