[IMC-Tech] [Fwd: [IMC-Tech-Announce] Indymedia web sites AT RISK]

Sascha Meinrath sascha at ucimc.org
Sun Feb 5 11:25:36 CST 2006


FYI:

-------- Original Message --------
Subject: [IMC-Tech-Announce] Indymedia web sites AT RISK
Date: Sun, 05 Feb 2006 04:36:52 +0100
From: Alster <alster at indymedia.org>
To: Tech Imc <imc-tech at lists.indymedia.org>, imc-tech-announce at indymedia.org,
imc-communication at indymedia.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

First of all, sorry for the caps in the subject line. I tried it without
last time, but seemingly the email was missed by many. Maybe it works
better this way. I'm also sorry for the cross-post to imc-communication.
I deem it necessary to get in touch with IMCs who do not have an
imc-tech liaison for some reason. Additional emails dealing with this
topic will not be sent to imc-communication, please read imc-tech. Also,
discussion should take place on imc-tech or offlist, only. Now, please
read on, whether you consider yourself a techie or not.

There have been previous announcements of security issues on software
developed and used by Indymedia a couple months ago:

[IMC-Tech] Security issues in IMC software
Sat Oct 1 14:34:59 PDT 2005
http://ln-s.net/8-X
   OR
http://lists.indymedia.org/pipermail/imc-tech/2005-October/1001-16.html

[IMC-Tech] Repost: Sf-Active security updates
Mon Oct 10 16:44:12 PDT 2005
http://ln-s.net/8-Y
   OR
http://lists.indymedia.org/pipermail/imc-tech/2005-October/1010-4w.html

Unfortunately, by my own (and rough) estimate, less than about 50% of
all vulnerable sites have been completely fixed since, many of which
have not even been partially fixed. This means that there are currently
a lot of Indymedia web sites out there which are at medium to high risk.
Some of these risks mean that a remote attacker can run commands on your
server and, if additional vulnerabilities are present, can take it over
completely, with or without you being aware of this.

Even worse, there have been additional reports on previously
undiscovered security issues along the past weeks, which have not been
made publicly available, yet. These issues have already been fixed on a
couple sites, however, many if not most will still be vulnerable, which
means that *you need to make sure that the servers and/or IMC web sites
you administer are secured as soon as possible*. Information on these
issues, which are already known to the developers of the codebases, will
be made publicly available on the imc-tech mailing list within the
next couple of days.

It should be noted that many of these new findings result from organised
penetration tests against test sites running the most current versions
of common Indymedia codebases. This means that codebase versions earlier
than those given below may both be vulnerable to additional security
issues and may never be fixed. In other words, *you really should update
to the latest versions that contain all known patches -as listed below-*
OR make sure you backport all patches to your codebase version, run
additional penetration tests yourself and fix the holes you come across.

It should also be noted that many of the security issues which have been
discovered can be prevented by a more secure server configuration.
Several servers hosting Indymedia web sites are configured in a pretty
insecure way. As a rule of thumb, if you ever ran into PHP warnings or
errors on your web site, this is an indication of an insecure setup.
Ways to secure the servers and web sites you manage are given at
   Sysadmin.ImcSecurityDocs
As you can see much information is still missing there, and you are very
much welcome to contribute. If you are running an Indymedia codebase
using PHP, then I very much recommend to have a look at
   Sysadmin.ImcSecurityServerHardeningPHP

The following version lists are only based on my (Alster) personal
experiences and must in no way be considered anything official nor based
on any developers' statements.

Indymedia codebases which have been tested for security issues:

dadaIMC 0.9.9.3 AutoUpdate "2005-14-05 11:01" [1], applied on or after
Feb 01 2006

sf-active 0.9.8-CVS as of Feb 01 2006

mir 1.1-CVS (only partially tested) as of Feb 01 2006

Oscailt 3.0-CVS (only partially tested) as of Feb 01 2006

No other codebases have been thoroughly tested.

[1] Do not rely on dates given in the changelog, I've seen changes being
made to AutoUpdates after the changelog date as well as modifications of
changelog dates. Also there obviously is a typo in "2005-14-05" which
presumably should say "2005-12-05" (but security related changes are
assumed to have been made after this date).

Oldest versions of Indymedia codebases which most or all available
security patches are assumed to be provided for in a packaged way (read:
'supported'):

dadaimc 0.9.9.3
   - upgrades from 0.9.9.x and 0.9.8.2 versions have been successfully
conducted
   - anything below 0.9.9.3 should not be used for publicly accessible
websites unless self-made patches were crafted and applied

sf-active 0.9.8
   - some patches have been backported to 0.9.4 and to earlier versions
   - anything below 0.9.4 should not be used for publicly accessible
websites unless self-made patches were crafted and applied
   - do not trust the version number your sf-active installation reports
(it is likely to be incorrect), ask your server admin to determine it
for you

mir 1.1 (yet unreleased)
   - some patches have been backported to 1.0
   - anything below 1.1 should not be used for publicly accessible
websites unless self-made patches were crafted and applied

Oscailt 3.0 (yet unreleased)

Once again: The above lists are based on personal experiences only and
must in no way be considered anything official nor based on any
developers' statements.

Please make sure your IMC's techies are subscribed to both the imc-tech
mailing list
   http://lists.indymedia.org/imc-tech
and the mailing list(s) related to the software your IMC uses, and that
they actually follow these mailing lists to be able to learn about newly
reported security issues. This does not seem to be the case for several
IMCs, at least that would be a logical explanation (besides language
issues, being too busy to administrate a server or web site, and
laziness) why many sites are still vulnerable to the security issues
announced in early october last year (see URLs above).

If you have any questions about the information contained in this email,
please contact me at alsterATindymediaD0Torg. If you have any specific
questions about some of the codebases mentioned in this email, please
read their manuals and/or contact the relevant mailing lists (see
http://lists.indymedia.org). If you have general questions about
information technology and security, please contact the publicly
archived mailing list imc-techATlistsD0TindymediaD0Torg. If you are
aware of security issues which are not currently publicly known, please
contact the non-public mailing list imc-securityATlistsD0TindymediaD0Torg.

*Please do not ask codebase developers for information on the
unpublished security issues*. They cannot help you with this until this
information has been published.

Thanks for reading,

Alster
- --
GPG key
http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
Fingerprint    1B8B 128F 8435 541C B3A5 1B7E CF5A 9D55 0505 9C17
All other      http://docs.indymedia.org/view/Main/AlsteR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD5XLUz1qdVQUFnBcRAk/eAJ0bakgsuxuLZaOOxMS18ewDSX0SYgCfepoI
b8bU4Jphl69Z939Z9XAw44Y=
=w8jU
-----END PGP SIGNATURE-----
_______________________________________________
IMC-Tech-Announce mailing list
IMC-Tech-Announce at lists.indymedia.org
http://lists.indymedia.org/mailman/listinfo/imc-tech-announce




-- 
Sascha Meinrath
Policy Analyst    *  Project Coordinator  *  President
Free Press       *** CUWiN               *** Acorn Active Media
www.freepress.net *  www.cuwireless.net   *  www.acornactivemedia.com
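The advisory above points out that PHP warnings or errors showing up on a public Indymedia site are a sign of an insecure server setup, and refers admins to the Sysadmin.ImcSecurityServerHardeningPHP page. As an added illustration of that one point (this fragment is not part of the original message, nor taken from any Indymedia codebase or wiki page), the following hypothetical php.ini excerpt puts the weak setting next to the corrected one. The log path is an assumption; any directory writable by the web server user and readable only by the admin will do.

```ini
; Hypothetical php.ini fragment, added as an example here. Not from the
; advisory or from any Indymedia codebase. Directive names are the
; standard PHP ones; the log path below is an assumption.

; Weak: diagnostics are rendered straight into the pages served to
; visitors, leaking file system paths, query fragments and variable
; names to anyone who can trigger an error.
;display_errors = On
;log_errors     = Off

; Hardened: keep diagnostics out of the HTTP response and send them to a
; log that only the server admin can read. Error reporting stays at the
; maximum so the admin still sees everything the visitor no longer does.
display_errors  = Off
log_errors      = On
error_log       = /var/log/php/error.log
error_reporting = E_ALL
```

After changing the file, restart the web server (or PHP-FPM, where used) and confirm the setting took effect by requesting a page that previously printed a warning; the page should now render cleanly while the warning appears in the configured log.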

