November 27th 2008

Security Advisory: Please review security settings in MWPSK 1.2.1 or earlier

We discovered that missing authorization settings in web.config allow unauthenticated users to upload content to the app_data folder.

We rate the severity of this issue as HIGH. We are applying the Emergency operation procedure (Security Operation Procedures) to resolve the problem, and we invite everyone else to act according to these recommendations as well; we created them to cope with exactly such an incident.

Please check the authorization tag in your web.config. It should contain the following lines:

      <location path="FCKeditor">
            <system.web>
                  <authorization>
                        <allow roles="Administrators,PowerUsers"/>
                        <deny users="*"/>
                  </authorization>
            </system.web>
      </location>
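A small audit script (added here as an example, not part of the starter kit) that parses a web.config and reports whether the FCKeditor location carries the block above. It also catches the ordering mistake that silently reopens the hole: ASP.NET evaluates authorization rules top-down with first match winning, so an <allow users="*"/> placed before the <deny users="*"/> lets everyone through. The two sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a pre-1.2.2 layout with no <location> for FCKeditor at all.
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization><allow users="*"/></authorization>
  </system.web>
</configuration>"""

# Constructed sample: the same file with the block the advisory asks for.
FIXED_WEB_CONFIG = VULNERABLE_WEB_CONFIG.replace("</configuration>", """
  <location path="FCKeditor">
    <system.web>
      <authorization>
        <allow roles="Administrators,PowerUsers"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>""")


def check_fckeditor_authorization(web_config_xml, path="FCKeditor"):
    """Return (ok, reason). ok is True only when a <location path=...> exists and
    its rules reach a catch-all deny before any rule that matches everyone."""
    root = ET.fromstring(web_config_xml)
    for loc in root.iter("location"):
        if loc.get("path", "").lower() != path.lower():
            continue
        # Walk location/system.web/authorization by hand; tag names carry a dot.
        rules = [rule for sw in loc if sw.tag == "system.web"
                 for auth in sw if auth.tag == "authorization"
                 for rule in auth]
        if not rules:
            return False, "location has no authorization rules"
        for rule in rules:  # first matching rule wins in ASP.NET
            users = rule.get("users", "")
            if rule.tag == "allow" and users == "*":
                return False, 'allow users="*" matches everyone before any deny'
            if rule.tag == "deny" and users in ("*", "?"):
                return True, 'anonymous access blocked by deny users="%s"' % users
        return False, "no catch-all deny; anonymous users fall through to allow"
    return False, 'no <location path="%s"> element found' % path


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG), ("fixed", FIXED_WEB_CONFIG)):
        print(name, check_fckeditor_authorization(cfg))
```

Run it against a real installation by reading the site's web.config into the function; any result other than True means the block is still missing or misordered.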

When will a solution for the problem be available?

The problem is solved in the latest version (1.2.2) of the starter kit.

What does this really mean for my installations?

Someone who knows how to do it could potentially gain access to any data file stored as part of any MWPSK-based website and upload their own files or overwrite the existing ones.

What can I do as a first measure to defend my website against such a hacker attack?

You should back up your site now by downloading the whole content of the \app_data folder to your local machine.
Then add the missing settings to the web.config file, or install the latest version (1.2.2) of the starter kit.

What if I’m using an older version of MWPSK (like 1.1)?

Every version older than 1.2.2 needs to be checked for its security settings.


Last edited Nov 28, 2008 at 8:57 AM by dirkp, version 2

Comments

CliveMason Jan 13, 2009 at 3:55 PM 
(I'm a new user). I've loaded 1.2.2 and compiled it successfully. I've also started it in IIS, but when browsing (http://localhost) it returns HTTP Error 500.19 - Internal Server Error. Error code 0x8007005 "Cannot read configuration file due to insufficient permissions". Advice is given on how to correct this (by creating ....\IIS_IUSRS with read permission for the web.config file) which I've followed, but the same error message repeats.
Any advice please?