Topic: Various FA Vulnerabilities that need to be addressed

SecurityMaverick.com has listed a few and one such code that limits entropy is here.

Line 973 in reporting/includes/pdf_report.inc:

                $fname = $dir.'/'.uniqid('').'.pdf';

can be changed to

                $fname = $dir.'/'.md5(uniqid(mt_rand(), true)).'.pdf';

This improves the entropy from 10 to 29 bits but is still not good enough and is used in line 69 of includes/ui/ui_controls.inc.

Other places like this are in some repXXX.php files:

$filename = company_path(). "/pdf_files/". uniqid("").".png";

that need similar changes. Several others files in FA use uniqid too and will need some changes like this.

With or without the more_entropy option, uniqid(), as represented in the PHP sample code and documentation, results in poor entropy and should not be used.

@joe: can we include this in both repos?

Re: Various FA Vulnerabilities that need to be addressed

@itronics: Thanks for the quick commits in FA 2.3 and FA 2.4. There seem to be some files left out.

The file includes/main.inc is expected to be included in every instance where it is used as the new function random_id() is defined there and it refers to a variable $cstrong which is not assigned yet. This is mostly okay as it is a return diagnostics value only. If there are any errors then just assign it a blank string before invocation as it is passed by reference.

The following files too use uniqid still and no changes in them yet in the commit done now:
1. includes/ui/ui_view.inc - $name = uniqid('_el',true);
2. reporting/includes/class.mail.inc - $this->boundary = md5(uniqid(time()));
3. reporting/includes/tcpdf.inc - $owner_pass = uniqid(rand());

4. sales/includes/cart_class.inc - $this->cart_id = uniqid(''); - This is just temporary cart id used to avoid erroneous concurrent edition inside single user session. This is not used in urls, so the security problem does not apply here.

In FA 2.4 additionally:
1. includes/dashboard.inc - $filename = company_path(). "/pdf_files/". uniqid("").".png"; - Fixed in this commit.

When changes are made to the files above, we need to make sure that the said new function random_id() is available therein. Those using it in extensions and using SOAP / RESTful APIs too need to take care by defining the function if it dows not exists at the point of invocation.

Re: Various FA Vulnerabilities that need to be addressed

As of 2015: PHP bug #70014 affects the reliability of openssl_random_pseudo_bytes(). paragonie/random_compat, backports random_bytes() from PHP 7 into PHP 5. One of the fallbacks it supports is openssl_random_pseudo_bytes(), but if it can read directly from /dev/urandom it will prefer that instead.

As of 2016: There's another bug with openssl_random_pseudo_bytes() (71915), which can result in duplicate values when you run it multiple times with the same process ID. Looks like it's fixed in 5.6.24.

Re: Various FA Vulnerabilities that need to be addressed

@itronics: please replace line 372 in FA 2.3's includes/main.inc:

    $id = strtr(base64_encode($bin), '+/', '-_');    // see RFC 4648 Section 5

with

    $id = strtr(base64_encode($bin), '+/=', '-_x');    // see RFC 4648 Section 5

and likewise in FA 2.4. The pad character "=" can be got rid off this way.
Before your commit, it was a 13 character file base name and it is now 24 (multiples of 8).
The original filename was like:
    dLPhO1A-K5vj5Dq4NxBA7w==.pdf
and the new file name will be like:
    4vuNUMXvAVsQVuHEVzlrdwxx.pdf

** Fixed in FA 2.3 and FA 2.4 commits.

Re: Various FA Vulnerabilities that need to be addressed

The current commits for this issue breaks excel report formation consistency. Zero byte excel file downloads occur frequently and sometimes it works correctly.

The file includes/main.inc is "included" in the includes/session.inc file (apart from during installation in the install/isession.inc). It may have been possible that the file redirection (reporting/prn_redirect.php) to download the excel file did not have this initially - the said session file seems included though.

Line 719 in reporting/excel_report.inc:

        meta_forward($path_to_root.'/reporting/prn_redirect.php', "xls=1&filename=$this->filename&unique=$this->unique_name");

causes the redirection to download the excel file.

Line 33 in reporting/prn_redirect.php:

    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);

seems to do some replacements that affect the downloaded filename.

@itronics / @joe: Is this necessary in the light of the current commits?

Post's attachments

ExcelReporting_failure.png 29.1 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Re: Various FA Vulnerabilities that need to be addressed

Consistent Excel Report download SOLVED!

First we need to include the fix in post 4 of this thread.
The issue of filenames starting with a hyphen or underscore may need to be addressed.
The function clean_file_name() in includes/main.inc can also do the job.

Since we are now allowing underscores(_) and hyphens (-) in the random_id()'s filenames, we need to allow it for excel filenames for download too.

Lines 30 to 55 in FA 2.3's reporting/prn_redirect.php:

if (isset($_GET['xls']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    header("Content-type: application/vnd.ms-excel");
    header("Content-Disposition: attachment; filename=$filename" );
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}
elseif (isset($_GET['xml']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    header("content-type: text/xml");
    header("Content-Disposition: attachment; filename=$filename");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}

can be replaced with:

if (isset($_GET['xls']) || isset($_GET['xml']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace("/[^0-9_a-z.\-]/i", '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    if (isset($_GET['xls'])) header("Content-type: application/vnd.ms-excel");
    else header("content-type: text/xml");
    header("Content-Disposition: attachment; filename=$filename" );
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}

@joe: please update both repos.

PHP PCRE (Regular Expressions) - CheatSheet | Tutorial.

Post's attachments

FA23_excel_dl.diff 1.6 kb, 1 downloads since 2017-03-19 

You don't have the permssions to download the attachments of this post.

Re: Various FA Vulnerabilities that need to be addressed

This issue is now fully fixed in both versions in the official repo.

Those using the dashboard theme/extension and the dynamic and exclusive themes can make similar changes in the following files for FA 2.3 and where appropriate in the themes in FA 2.4:

Extensions

Line 92 in dashboard/widgets/customers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/dimensions.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 97 in dashboard/widgets/glreturn.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 98 in dashboard/widgets/items.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/suppliers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";

Line 93 in import_transactions/includes/import_sales_cart_class.inc - $this->cart_id = uniqid(''); - Localised, so no change needed

Themes

Lines 306, 405, 506, 560, 623 in dynamic/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Lines 265, 364, 465, 519, 582 in exclusive/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";

The official repo for extension distribution for FA 2.3 will not be updated since it is EOL and if done will affect those with non-bleeding edge installs.