[Clipart] Site fixup work

Sat Oct 29 13:32:27 PDT 2005

Hi all,

I know everyone's pretty tied up with other stuff, but we really ought
to get the site back in shape.

Part of the issue has been just that it's unclear what needs to be
done...  I've just gone through the site and identified all the things
that need fixed.

I've also gone ahead and divided most of the work up between us.  If
each of us can focus on particular items, the whole will get done
faster.  I hope this is okay, we really need your help - if you cannot
do it, though, let me know.

Upload Tool
===========
 1.  Implement security fixes for upload.cgi [jonadab]
   + IMPORTANT:  Eliminate concept of "other" extensions from all upload
     scripts.  See Appendix I at end of this message.
   + Reject file types beyond the specific set we accept
   + Check mimetype of uploaded files to verify the type matches the
     extension; if not, reject file
   + Move all .cfg files to /srv/clipart.freedesktop.org/etc/
 2.  Which of the upload*.cgi files do we actually need?  (Remove the
     ones that are not needed.)  [jonadab]
 3.  Review Kees' security howto for other fixes needed, and plan
     implementing them [jonadab]
 4.  Review submit.php for security vunerabilities [kees]
 5.  Install upload scripts back into cgi-bin [jonadab]

Navigation
==========
 1.  Review the navigate script for vulnerabilities [kees]
 2.  Restore navigate script [bryce]

Screenshot
==========
 1.  Review the view_screenshots.cgi script for vulnerabilities [kees]
 2.  Review the upload_screenshot.cgi script for vulnerabilities [kees]
 3.  Restore view_screenshots.cgi script [bryce]
 4.  Restore upload_screenshot.cgi [bryce]

Security
========
 1.  IMPORTANT:  Contact attacker's ISP (See Appendix II) [rejon]
 2.  Create a CGI Security Howto [kees]
   + Top 5-10 most common attacks to watch out for
   + Best practices for handling uploaded files
   + Best practices for untainting user input
   + Best practices for handling CGI params
   + Greppable things to look for in apache logs
 3.  Place links to kees' security howto in cgi-bin/README [bryce]

Wiki
====
 1.  Install latest version of MediaWiki [bryce]
 2.  Migrate the old wiki content into MediaWiki [bryce]
 3.  Update navigation links to wiki pages as appropriate [bryce]
 4.  Revise mediawiki look and feel to match OCAL site [bryce]

Incoming Bins
=============
 1.  Configure Apache to treat files in incoming/ as non-executable.
     It should only recognize PNG, SVG, RDF, ZIP, and tarballs. []
 2.  Restore the group and other read permissions for the incoming dir []
 3.  Remove exec permissions from all files in all the incoming dirs []
 4.  Remove group/other write permissions for all past incoming dirs []
 5.  Update release procedure to set old incoming dir permissions
     securely [jonadab]

WordPress
=========
 1.  Identify any security updates for our WordPress install [turnip]
 2.  Apply security updates for WordPress, if any [turnip]
 3.  Move wp-disabled to wp [turnip]
 4.  Re-enable WP in index.php (see index.php-orig) [turnip]

Feedback Form
=============
 1.  Review contact.php for security vulnerabilities [kees]
 2.  Reactivate permissions on contact.php [bryce]

Keyword Search
==============
 1.  Review keyword_search.cgi for security vulnerabilities [kees]
 2.  Restore keyword_search.cgi to cgi-bin [bryce]

Other
=====
 * Remove exec permissions from files in tools-disabled/
   [rejon, turnip, nicubunu], then rename to tools/

Appendix I
==========
Here is the cause of the problem Kees found, and how to fix it:

   } else {
     $ext = $filetype; if ($ext eq 'other') {
       ($ext) = $file =~ /[.](.*)$/; } # This can be greatly improved.
     $outfile    = catfile($CONFIG{destination_directory}, "$t.$ext");

 Basically, you'll need to eliminate the concept of "other" extensions
 from all of the upload scripts.  (They all have the same basic
 vulnerability.)  You'll need to process only known extensions so that
 .php or .cgi file (or other future things) can't be uploaded.

Appendix II
===========
Suggested wording for contacting ISP about attacker:

"Our site was compromised by X IP address on October 17th; please
investigate the incident.  I doubt international computer intrusion is
allowed in your User Agreement.  Thank you for your attention."