Skip to Content Skip to Menu

SubscribeMailman - security flaw!

  • Jurgentje
  • Jurgentje
  • OFFLINE
  • Posts: 5
  • Thanks: 0
  • Karma: 0
15 years 8 months ago #91308 by Jurgentje
SubscribeMailman - security flaw! was created by Jurgentje
Hi,

Just wanted to notify you all that there's a security issue with Snoopy 1.2.3 that's being used in the Subscribemailman plugin.

At sourceforge, you can download the latest version (currently 1.2.4) of Snoopy. One should really replace the file!

Here's the URL:
sourceforge.net/projects/snoopy/

Here's the vulnerability in the newsflash on the Sourceforge page:

A security vulnerability was fixed in the latest 1.2.4 version of Snoopy. It was possible to send shell commands through https url fetches that are not properly sanitized by the PHP program using Snoopy.

Please Log in or Create an account to join the conversation.

  • beat
  • beat
  • ONLINE
  • Posts: 2169
  • Thanks: 463
  • Karma: 352
15 years 8 months ago #91311 by beat
Replied by beat on topic Re:SubscribeMailman - security flaw!
Thanks for the heads-up.

We always handle security reports with first priority. Usually prefer receiving them privately, so we can first check and issue proper reply or fix. ;)

Anyway:

To make long story short: CB and Subscribemailman plugin are NOT vulnerable to this issue.


Here the analysis of the implications:

I've reviewed the security fix of Snoopy 1.2.4.

It only sanitizes the URL of the POST request.

1) Subscribemailman:

I've reviewed Subscribemailman plugin's use of that URL, and it's only a backend parameter.

So, although the Snoopy 1.2.3 it includes (instead of using the CB library) is vulnerable to this, Subscribemailman is not vulnerable (except to wierd administrators with site backend access, but that gives them more power anyway).

So Subscribemailman available from the downloads area is not vulnerable.


2) CB:

CB has an improved version of Snoopy 1.2.3, and CB 1.2's improvements already include the security fix of Snoopy 1.2.4 in Snoopy 1.2.3 of CB 1.2, and a few more.

In addition, CB itself used Snoopy only for version check with fixed url.

So from very old CB 1.0 to latest CB 1.2, none is vulnerable to that.


As a general rule of good site maintenance, we always recommend using latest stable releases.
Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info

Please Log in or Create an account to join the conversation.

  • Jurgentje
  • Jurgentje
  • OFFLINE
  • Posts: 5
  • Thanks: 0
  • Karma: 0
15 years 8 months ago #91315 by Jurgentje
Replied by Jurgentje on topic Re:SubscribeMailman - security flaw!
Thanks beat for the quick response!

Currently, I'm looking into upgrading the Subscbribemailman plugin (Joomla 1.5 - getting data from user fields in profile) to fit my own needs. Obviously when (if) I get this done, I'll put it online.

Unfortunately I'm having a hard time grasping the CB API... I've got the impression that the API guide from 2005 (for 1.0 RC) hasn't evolved along with the capabilities of CB.

f.e. I didn't know that CB has libraries similar to the Snoopy ones incorporated.

Could you tell me where I can find help/documentation/... on learning to program for CB?

Please Log in or Create an account to join the conversation.

Moderators: beatnantkrileon
Powered by Kunena Forum