HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Plugin Installer

Hey guys,

I kinda needed your opinion on the feasibility of a plugin that I wrote.
It lets certain users upload plugins as zip files, and after the administrator has a quick look into the contents it installs the uploaded plugin.

Background on the use case: My board game society has a website, and now the system is that I write plugins, I upload them to Google Drive, PM the mods, the mods take the plugins and install them, but this is getting quite tedious.

Especially since I keep rewriting them to fix small flaws and then have to go through the whole process again :P

Now it seems like I'll be granted access to the web hosting, so this plugin isn't strictly necessary anymore. It would still be faster and more convenient (IMHO) to use this plugin to install plugins than to log in to the webhost, extract the zip, etc. etc.

But if I'm using it I want it to be as safe as it can be. Could anyone take a look around if they see obvious security flaws?

The idea is that the main security comes from the authorization of the user by the Vanilla system.
But the user can get their account hacked. Which is why you need to copy a random string from the config file once to "prove" you can access the website's files on the computer you're currently using. This random string is then stored on the local storage of the computer.
But people can forget to log out and other people can access their computer, which is why you need to enter a seperate password other than your account password every time to approve/delete plugins. If someone messes up the password three times, the password is removed from the config file and you have to reset it by manually editing the config file before plugins can be approved or deleted again.

Filenames are stripped from these characters < > ' " since they have no business being in there anyway, and are stored in the database until after someone approved them, at which point they'll be written out as actual files again.

Thanks guys in advance for checking it out!

River

Comments

  • LincLinc Detroit Admin
    edited November 2016

    I don't think the concept is secure from the start.

    The idea that a non-developer admin is going to review plugins received for security properly isn't realistic. If you are writing plugins for a site, you should have full admin rights and hosting access, period. If they don't trust you to turn on a plugin, they don't trust you enough to write code for them.

    I've done a cursory review of your code and you're not handling file uploads completely securely. You really need to use is_uploaded_file() and move_uploaded_file() to secure this process.

    I also regard the lack of inline doc blocks as a security risk. Making your code more difficult to follow means less people will audit it properly. You have some ad-hoc comments in there but it's really about half as much as I'd make a Vanilla developer add. I've likely reviewed more Vanilla-based code than anyone, and I found it a bit frustrating.

    You obviously are well-versed in Vanilla plugin creation and have a solid foundation to have gotten this far, but I do think this was a bit of a misadventure that I'm not eager to see others repeat.

    Caylus
  • Thanks for checking man!

    To be honest, while I was working on it I started to have doubts whether I could ever get it secure enough to actually be useful. But I kept trudging on, I guess I needed someone to shoot the lame horse already :p

    Could you remove the zip from my post so the misadventure ends here?

    And one more question if you don't mind just out of curiosity: It's obviously better to always check with is_uploaded_file (I didn't even know it existed, oops. My highschool teacher has a lot to answer for :P), but how bad would it have been?

    I gather after a quick read around that an attacker can point the $_FILE to a system file if you don't check properly, but I guess since I try to unpack the file as a zip file and if that fails the process simply ends, they couldn't have done too much damage right? Or are there system files that if they're accessed Bad Things happen?

  • LincLinc Detroit Admin

    @Caylus said:
    And one more question if you don't mind just out of curiosity: It's obviously better to always check with is_uploaded_file (I didn't even know it existed, oops. My highschool teacher has a lot to answer for :P), but how bad would it have been?

    I gather after a quick read around that an attacker can point the $_FILE to a system file if you don't check properly, but I guess since I try to unpack the file as a zip file and if that fails the process simply ends, they couldn't have done too much damage right? Or are there system files that if they're accessed Bad Things happen?

    You would be trusting the security of your system to the voodoo of zip file unpacking and whether that system can be manipulated. Or, worse, this could be used as step 2 in a 3-step attack where you didn't realize you could do steps 1 and 3. Even when the direct A-to-Z exploit isn't obvious, it doesn't mean you haven't created the bridge someone was missing in a series.

    Every chink in the armor amplifies every other one.

    So my answer is: Maybe not that bad! Or maybe really bad. :awesome:

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    I side with caution. However the idea of being able to upload something and install it and not only just install it but enable it would be interesting for some who might do some design work. But because you can't trust anyone to get into the machine and not throw a wrench into it. That idea needs firewalls . Permissions .virus scans... This is totally Blackhat .. Lol

  • R_JR_J Ex-Fanboy Munich Admin

    Whatever you do that will automatically unzip a plugin needs your plugins folder to be writable by the web server. That is bad. The only writable folders should be /cache and /uploads. /conf/config.php needs to be writable too, but that's it.
    If anyone manages to hijack your server, he wouldn't be able to compromise the complete installation (hide malicious code in any file). By now the config file is a php file which gets included, so malicious code could be inserted there. As far as I know, Vanilla will get json config files in the future which will make it possible that no executable file at all will need to be writable by the server.
    If you want to set up a server in a secure way, you should prohibit write access by the server as much as possible. So whatever "upload and install" solution you find, it would be bad for the servers security.

    But if you want to take the risk, I would advice to create a plugin that will allow super admin only to install a zip from conversations only, where the zip needs to be encoded with an agreed password. That should be sufficient secure, to my opinion but others would disagree.

    If you would like to make it bullet proof (except for the fact that automatic installation of plugins weakens the security of your server setup as such), you should use some public key encryption, since they allow identifying the sender. Plugin authors could encrypt the plugin with the public key of the server and all further plugin steps would require that the sender could be identified as a trustworthy author.


    But all in all: do yourself (and the admins of that forum) a favour and get a SFTP account. You don't even need to have access to the Vanilla installation. You could have a folder /home/caylus/vanilla-plugins where you upload all your plugins. All the admin has to do would be to copy the plugin folder to the Vanilla installation.


    If they don't want to give you access to the server at all, use git! Create a BitBucket account or use any other service where you could create private repositories and upload your projects there. The admin needs to have access to the repos, too and then he can do a simple git clone YourRepo in order to get the plugin to his server.

    If you often have to create small fixes, I would advice to make them all in one plugin. One advantage would be that a simple git command could update that plugin and that would be the only action the admin has to take.

    I would go with the last option (git).


  • R_JR_J Ex-Fanboy Munich Admin

    This might be of interest: https://paragonie.com/blog/2016/08/on-insecurity-popular-open-source-php-cms-platforms

    It gives some ideas about what is secure and what is not.


    Caylus
Sign In or Register to comment.