Blog

Security Advisory

August 2, 2016 | Posted by Paul


We have released new updates for all supported versions of Blesta. These updates address security related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231

Mitigation

It is best to upgrade to 3.6.2, however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.

Tags:

Security Advisory – Two-Factor and Privilege Issues

May 14, 2014 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.1.3 are affected.

Description

A user with a valid username and password may be able to properly validate two-factor authentication using TOTP by guessing the correct code. This issue is classified as a Low vulnerability. (CORE-1213)

An authenticated staff member may be able to affect settings in the system where they are otherwise prohibited via ACL restrictions, via carefully crafted HTTP POST requests under limited circumstances. This issue is classified as a Moderate vulnerability. (CORE-1163)

Resolution

If you are running 3.0.x or 3.1.0 through 3.1.3 upgrade to version 3.1.4 or version 3.2.0.

Related tasks:

  1. CORE-1163
  2. CORE-1213

Credits

CORE-1163 was discovered by the Blesta Development Team. CORE-1213 was discovered by Kyle at MemoryX2.

Tags:

Security Advisory – Various Staff Permission Issues

February 26, 2014 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.0.9, and 3.1.0 through 3.1.1 are affected.

Description

Active and valid staff members may be able to access areas of the application without proper ACL permissions. Additionally, staff members may not be logged out immediately after being made inactive. These issues are classified as Moderate vulnerabilities. Patch release 3.0.10 and 3.1.2 correct these vulnerabilities.

Resolution

If you are running 3.0.x upgrade to version 3.0.10. If you are running 3.1.x upgrade to version 3.1.2.

Related tasks:

  1. CORE-1062
  2. CORE-1063
  3. CORE-1064

Credits

CORE-1062 was discovered by Nerijus Barauskas at NGnTC. CORE-1063 and CORE-1064 were discovered by the Blesta Development Team.

Tags:

Security Advisory - Staff Permission Escalation

February 12, 2014 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.0.8, and 3.1.0 are affected.

Description

Active and valid staff members may be able to gain additional permissions through crafted URLs. Because this issue requires that the user have an active and valid staff member account, this is classified as a Moderate vulnerability. Patch release 3.0.9 and 3.1.1 corrects this vulnerability.

Resolution

If you are running 3.0.x upgrade to version 3.0.9. If you are running 3.1.0 upgrade to version 3.1.1.

Related tasks:

  1. CORE-1045

Credits

CORE-1045 was discovered by Nerijus Barauskas at NGnTC.

Tags:

Security Advisory - Cross-site scripting vulnerabilities

December 20, 2013 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.0.6 are affected.

Description

Some content may be rendered in the client and admin interfaces, as well as through the Support plugin without proper sanitization, possibly making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.7 corrects these vulnerabilities.

Resolution

Upgrade to version 3.0.7, or uninstall the affected plugins. Related tasks:

  1. CORE-877
  2. CORE-931
  3. CORE-932

Credits

CORE-931 was discovered by Clifford Trigo (@mrtrizaeron) and Evan Ricafort (@robinhood0x00). CORE-877 and CORE-932 were discovered by the Blesta Development Team.

Tags: