evocode/lemonstand-patch

Updated files?

Closed this issue · 27 comments

Hi, are you able to supply the modified files for those of us not using Git? Or is there a quicker way to process the contents of the diff file? It's hard to read.

One of my clients uses Lemonstand and can confirm it has been compromised, fortunately not a single order has been made so no data breach :) .. I set up the eCommerce store for them but they decided to use it to list products only and do all sales offline so we dodged a bullet but would still like it patched.

Thanks for finding this.

I agree that the files would be helpful. While the header and class files are provided, the files that make up the patch would be great. I tried uploading to site root and applying the patch (ssh'd to server):

patch -p1 < security-update.diff

It seems to have mostly applied the patch, but got some errors. The config/keys file does exist and has the long string.

But when I try to update the LS admin I get a message that the version isn't found.

Hello, thanks for the feedback.

It is easier to read with syntax highlighting like on github: https://github.com/evocode/lemonstand-patch/blob/master/security-update.diff

If I distribute the other files then it is likely to break something as you could be using a different version of LS or using a modified one.

@emergingdzns Do you have any specific errors you can share? The initial error when you login that says COOKIE_SALT is not defined is part of the update process.

Thanks Patrick. I actually was able to decipher the patching process. I edited the files adding the lines your diff said and removing the lines it said to subtract. I then logged out of admin and back in. I didn't get the error about the salt not being defined. When I go to the Updates section it says that the module (core) version was not found in the database. I assume that there are no further updates if I was updated before, correct?

Lastly, how do we see what data is compromised in the lemonstand_header.png file? I have two files from two different sites and no matter what I open it with it just shows me the png.

Does config/keys.php exist? Do you have the LS setting turned on to apply updates upon login?

I am not sure what the module (core) version not found in database would be referring to, but it doesn't sound like it applied yet. Updating via the LS updater may not work since LS hasn't pushed any updates.

The compromised data is encoded and stored at the end of the png file. It also still is a valid image so you will have to open it via the command line or another text based editor to see the encoded data and decode it. Alternatively if you need help, please contact me via email and we can discuss.
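The post above says the exfiltrated data was appended after the end of a still-valid PNG. The following script is an added example (not code from the lemonstand-patch repository) that walks the PNG chunk list, finds the IEND chunk and reports how many bytes follow it, which is the check a defender would run over lemonstand_header.png before opening it in a text editor. The two sample images are constructed inline so it runs offline; the payload string and the file name passed on the command line are assumptions.

```php
<?php
// Added example (not from the lemonstand-patch repository): report whether a PNG
// carries data after its IEND chunk, which is where the thread says the
// exfiltrated data was appended to lemonstand_header.png.
// The sample images below are constructed inline so the script runs offline.

/**
 * Walk the PNG chunk list and return the byte offset just past the IEND chunk,
 * or null if the data is not a well-formed PNG.
 */
function png_end_offset(string $bytes): ?int
{
    $signature = "\x89PNG\r\n\x1a\n";
    if (strncmp($bytes, $signature, 8) !== 0) {
        return null;
    }
    $pos = 8;
    $len = strlen($bytes);
    while ($pos + 8 <= $len) {
        // Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        $length = unpack('N', substr($bytes, $pos, 4))[1];
        $type   = substr($bytes, $pos + 4, 4);
        $next   = $pos + 12 + $length;
        if ($next > $len) {
            return null; // truncated chunk
        }
        if ($type === 'IEND') {
            return $next;
        }
        $pos = $next;
    }
    return null;
}

/**
 * Describe any bytes found after IEND: their count and a short hex preview.
 */
function png_trailing_data(string $bytes): array
{
    $end = png_end_offset($bytes);
    if ($end === null) {
        return ['valid_png' => false, 'trailing_bytes' => 0, 'preview' => ''];
    }
    $tail = substr($bytes, $end);
    return [
        'valid_png'      => true,
        'trailing_bytes' => strlen($tail),
        'preview'        => bin2hex(substr($tail, 0, 32)),
    ];
}

/** Build one chunk with a correct CRC (used only to construct the samples). */
function png_chunk(string $type, string $data): string
{
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

// Constructed 1x1 greyscale PNG: signature, IHDR, IDAT (zlib-compressed scanline), IEND.
$clean = "\x89PNG\r\n\x1a\n"
    . png_chunk('IHDR', pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0))
    . png_chunk('IDAT', gzcompress("\x00\x80"))
    . png_chunk('IEND', '');

// The same image with a constructed payload appended after IEND (still a valid image).
$tampered = $clean . base64_encode('constructed sample payload');

$file = $argv[1] ?? null;
$samples = $file !== null
    ? [$file => file_get_contents($file)]
    : ['clean (constructed)' => $clean, 'tampered (constructed)' => $tampered];
foreach ($samples as $name => $bytes) {
    $r = png_trailing_data($bytes);
    printf("%s: valid_png=%s trailing_bytes=%d preview=%s\n",
        $name, $r['valid_png'] ? 'yes' : 'no', $r['trailing_bytes'], $r['preview']);
}
```

Run it without arguments to see the constructed clean and tampered samples side by side, or pass a path (for example the lemonstand_header.png pulled from a site) to check a real file. A non-zero trailing_bytes count on an image that is otherwise valid is the signal described in the thread; the hex preview is only there to show where the appended bytes start.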

@emergingdzns I believe the module (core) version not found in database error is normal. I had to create a new version to apply the new LS update that doesn't exist with LS since they stopped creating updates. So it makes sense that the new version no longer exists for them.

I've gone through all the steps but now can't log into the backend. It's giving me "Invalid configuration value (COOKIE_SALT)", same error on all frontend pages now too.

The array value in keys.php is empty.

@ndcisiv You have to login twice. The COOKIE_SALT error is normal as part of the update. If you did that twice and still have the error, then there is something else going on.

I've attempted to log in about a dozen times. It's giving it every time.

@ndcisiv If the COOKIE_SALT is still blank after logging in twice and core_versions has the new version, then your server was unable to generate a secure salt. Basically this means there is not a cryptographically secure method to create the salt on your server so it didn't create one in favor of creating one manually.

So can I create one and add it to the config manually? How long does it have to be?

@ndcisiv At least 10 characters. Alternatively, you can run something like this on your computer:

<?php
# generate.php
#
# Prefer the native random_bytes() (PHP 7+). On older PHP, load the
# random_compat polyfill bundled with the patch; the path below assumes this
# script sits in the LemonStand root, since PATH_APP is only defined once
# LemonStand itself has been bootstrapped.
if (!function_exists('random_bytes')) {
    require __DIR__.'/phproad/thirdpart/random_compat/lib/random.php';
}

$string = random_bytes(32);
$salt = bin2hex($string); # 64 hex characters, well above the 10-character minimum

echo $salt, PHP_EOL;

And run it with php generate.php. Then save that as your COOKIE_SALT in config/keys.php.

Sweet, that worked. I'm in. Thank you.

Closing this as I will stick with the diff for now unless it causes more problems.

I also put together a troubleshoot guide for these common issues.

My keys.php looks like this - what calls this? I'm asking as I'm using https://github.com/damanic/ls1-module-core for LS updates so the patch doesn't apply without errors.

<?php

if (!isset($CONFIG))
        $CONFIG = array();

if (!isset($CONFIG['COOKIE_SALT']))
        $CONFIG['COOKIE_SALT'] = '<long string here>';

@thinkingcap The keys.php file gets auto-loaded by Phpr_Config which gets used by the new salted_cookie method in the diff.

EDIT: Alternatively you can also just place COOKIE_SALT into your config/config.php file. This was originally designed to be a lemonstand update and needed a new config file as we can't safely auto-edit the main config.
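As an added illustration of the two comments above (it is not the patch's own code and does not reproduce Phpr_Config or the salted_cookie method from the diff): a config file in the same shape as the keys.php shown earlier is loaded into a $CONFIG array, the salt is checked against the 10-character minimum mentioned in the thread, and a cookie value is bound to that salt with an HMAC. Using hash_hmac/hash_equals for the "salted" cookie is an assumption about what such a method would reasonably do, as are the temp-file path and the sample salt.

```php
<?php
// Added example, not the patch's own code: shows how a file written in the
// same shape as keys.php feeds a $CONFIG array, and one way a "salted" cookie
// can be tied to that salt with an HMAC. hash_hmac/hash_equals are an
// assumption about what the diff's salted_cookie method does, not its code.

/**
 * Load config files into $CONFIG. Each file follows the
 * "if (!isset($CONFIG[...]))" pattern, so a later file never overrides an
 * earlier one (e.g. COOKIE_SALT set in config.php wins over keys.php).
 */
function load_config(array $files): array
{
    $CONFIG = array();
    foreach ($files as $file) {
        require $file; // the required file appends to $CONFIG in this scope
    }
    return $CONFIG;
}

/** Reject an empty or short salt; the thread says at least 10 characters. */
function validate_salt($salt): string
{
    if (!is_string($salt) || strlen($salt) < 10) {
        throw new RuntimeException('Invalid configuration value (COOKIE_SALT)');
    }
    return $salt;
}

/** Produce "value|mac": the MAC ties the value to this server's salt. */
function salted_cookie_value(string $value, string $salt): string
{
    return $value . '|' . hash_hmac('sha256', $value, $salt);
}

/** Verify a cookie produced above; returns the value, or null if it was altered. */
function verify_salted_cookie(string $cookie, string $salt): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($value, $mac) = $parts;
    $expected = hash_hmac('sha256', $value, $salt);
    return hash_equals($expected, $mac) ? $value : null; // constant-time compare
}

// Constructed keys.php written to a temp dir so the example runs anywhere.
$dir = sys_get_temp_dir() . '/keys_example_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/keys.php', <<<'PHP'
<?php
if (!isset($CONFIG))
    $CONFIG = array();
if (!isset($CONFIG['COOKIE_SALT']))
    $CONFIG['COOKIE_SALT'] = 'constructed-salt-0123456789abcdef';
PHP
);

$CONFIG = load_config([$dir . '/keys.php']);
$salt   = validate_salt($CONFIG['COOKIE_SALT'] ?? '');

$cookie = salted_cookie_value('42', $salt);
var_dump(verify_salted_cookie($cookie, $salt));                          // untouched cookie
var_dump(verify_salted_cookie('43|' . explode('|', $cookie)[1], $salt)); // value changed, same MAC
var_dump(verify_salted_cookie($cookie, 'different-salt-xyz'));           // checked against another salt

unlink($dir . '/keys.php');
rmdir($dir);
```

The load order is the point of the "if (!isset(...))" guard: whichever file defines COOKIE_SALT first wins, which is why placing it in config/config.php (as the edit above suggests) works alongside an auto-generated keys.php. An empty salt fails validate_salt the same way the "Invalid configuration value (COOKIE_SALT)" message in the thread does.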

Thanks. Looks like I'll have to copy paste from the diff then.

Are the files available somewhere for download?

@thinkingcap You should also be able to modify the diff to adjust version.dat, specifically just increment to the next version. I can't think of any reason why the other changes would fail to apply. Keep in mind this will make you out of sync with the other updater because of the new version.

@thinkingcap The diff looks bigger than it is because of that library to generate the salt. If you already have that then there are a couple of changed lines in ~4 files.

Is there a way to test that the vulnerability can no longer be exploited?

@thinkingcap Interesting, I haven't seen that attack vector before. Some thoughts:

  • New attack vector
  • Someone removed it
  • Lemonstand update process somehow restored it
  • ?

Can you check your codebase to see if any PHP files have reference to that image?

I can't release the steps to exploit it yet until enough time has passed to give everyone a chance to update. If you want to email me some URLs, I can check from my end until Part 2 of the post.

Having a download of the files to change and locations would be very handy. I don't have the core files under git, just the theme etc.

@asecondwill I will look at bundling them later today but it will have to come with a disclaimer somewhere that you should not drag and drop the files in as your versions could mismatch the ones I bundled. In the meantime if you want to apply it manually, you can read the diff on github for syntax highlighting. There are only changes to about 5 files and the library is bundled and can be copy and pasted.

@asecondwill If you're not confident applying the patch then use this
https://github.com/damanic/ls1-module-updatecenter

Released an update https://github.com/evocode/lemonstand-patch/releases/tag/v2.0 that is a restructure only. No files were changed regarding the patch. Only bundling in new files with manual instructions.

Thanks @patrickheeney, successfully completed the manual update :)

@thinkingcap - thanks, I'll look into that, but I've successfully applied this patch manually, was pretty simple. Thanks @patrickheeney for the alert and patch.