File Module Vulnerability

[Alex]

Severe vulnerability that affects all versions of File Module was discovered today.

The updated files are available here:

http://www.eastwright.com/internet/ttxfile/index.html

To retrieve your account info use Password Finder: https://www.eastwright.com/billing/accview.pl

Please replace the module as soon as possible. If not able to download, delete the TTXFile.pm from your server. Shoot first, ask questions later. Also, here is quick fix (all versions)

Replace line (near the end of TTXFile.pm) that reads

  if (!open(F, "$dir/$fid")) {

with

  if (($fid !~ /^\d+-\d+-\d+-\d+\.dat$/) || (!open(F, "$dir/$fid"))) {


Edit by Sparky:  Stickied

[Sparky]

Are you able to explain the nature of the vulnerability?   Like what sorts of bad things could happen if this is not fixed?

Thank-you.

[Alex]

I would prefer to avoid discussing possible exploits on the forum. Trust me, it is severe vulnerability. Act promptly. See PM for details.

[Alex]

Quick follow-up. All updated versions of TTXFile.pm have revision 759, the revision number is on the first 12 lines of file:

Code:

package TTXFile;
#
# This is an optional File module for
# Trouble Ticket Express help desk package.
# http://www.troubleticketexpress.com
#
# COPYRIGHT: 2004-2009, United Web Coders
# http://www.unitedwebcoders.com
#
# $Revision: 759 $
# $Date: 2010-03-15 22:17:53 -0400 (Mon, 15 Mar 2010) $
#

[Rogue]

Thanks for the update Alex. My files were compromised overnight.

Forgive my ignorance, but is there a mailing list or a thread I can subscribe to to receive security alerts like this?

[Alex]

Actually we publish RSS feed, but it is self-hosted and we powered down most software for vulnerability audit... It looks like using 3rd party solutions is more reliable in this case.

You may use http://twitter.com/eastwright

We will provide references to Twitter feed within TTX and on site later.

[somedud3]

Someone posted this ttx.cgi?cmd=img&fid=|whoami| on http://isc.sans.org/diary.html?storyid=8437
i hope its patched

[Rogue]

You may use http://twitter.com/eastwright

Thanks, subscribed.

[NXP]

Is it normal that the red box with "Security Alert!" is still flashing at the bottom of the page even though I have replaced the files?

[Rogue]

Is it normal that the red box with "Security Alert!" is still flashing at the bottom of the page even though I have replaced the files?

Download the latest version of TTX and replace the ttx.cgi on your installation.

[Alex]

To get rid of banner please replace ttx.cgi as well. The old ttx.cgi is not vulnerable, but it fetches update notification image from old location and we replaced the image with a flashing banner. The updated ttx.cgi gets the image from new location. Please download appropriate TTX package (the one, that matches your current version) from here

http://www.troubleticketexpress.com/download.html

unpack archive and upload new ttx.cgi to your server. Doing this will stop flashing banner.

[baldur2630]

Hi Alex,

We have TWO TTX Modules from you one 2.24 and the other 3.x

We've had them for quite some time. Both have the files module.

I have absolutely no idea where to find my account name. I've tried my Forum name, I've tried my email address and I can't even get my password, but I'm pretty sure I know what THAT is, it's just the account ID's that are lost in time.

Can I PM you with the email addresses perhaps? I certainly don't want to advertise them here.