Possible Net Objects Fusion 9 Vulnerability

I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.

Beta testers have discovered a serious security flaw that exposes a site created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and log in info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).

The vulnerability is easy to exploit. In your browser enter:
http://domain.com/_versioning_repository_/rollbacklog.xml

Now enter:
http://domain.com/_versioning_repository_/n.zip, where n is the number you got from rollback.xml.

Then, open Fusion and create a new site from the d/l’ed template. Edit and republish.

This means that anyone can edit a NOF9 site and get any usernames and passwords involved in it. Every site using versioning in NOF9 is exposing their site.

Website Pros has refused to fix the hole. The only concession that they have made is to put a warning in the publishing dialog box telling the user to “Please make sure your profiles repository are [sic] stored in a secure area of your remote server.”

I don’t use NOF9, and I haven’t tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word. I don’t know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.

Posted on November 21, 2005 at 12:31 PM | 13 Comments
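For a site owner who published with versioning, the server's access log shows whether the repository described above was already retrieved. The following is an added example, not part of the original post or of NetObjects' software: it assumes Common Log Format, the sample log lines are constructed, and the names `classify` and `scan` are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

REPO_DIR = "/_versioning_repository_/"  # directory name from the post
LOG_NAME = "rollbacklog.xml"            # file name from the post
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
RANK = {"probe": 0, "log_read": 1, "archive_downloaded": 2}

# Constructed sample lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Nov/2005:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [21/Nov/2005:13:05:40 +0000] "GET /_versioning_repository_/rollbacklog.xml HTTP/1.1" 200 812
198.51.100.7 - - [21/Nov/2005:13:05:58 +0000] "GET /_versioning_repository_/3.zip HTTP/1.1" 200 482113
192.0.2.44 - - [21/Nov/2005:13:07:19 +0000] "GET /_versioning_repository_/rollbacklog.xml?x=1 HTTP/1.1" 200 812
203.0.113.5 - - [21/Nov/2005:13:09:02 +0000] "GET /_versioning_repository_/rollbacklog.xml HTTP/1.1" 404 209
203.0.113.5 - - [21/Nov/2005:13:09:03 +0000] "GET /%5Fversioning_repository_/1.zip HTTP/1.1" 403 199
"""

def classify(line):
    """Return (client, finding) for a request touching the repository, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    # Decode %-escapes and drop any query string before matching the path.
    path = unquote(urlsplit(target).path).lower()
    if not path.startswith(REPO_DIR):
        return None
    name = path[len(REPO_DIR):]
    served = status.startswith("2")  # 200, 206, ...: content left the server
    if served and re.fullmatch(r"\d+\.zip", name):
        return client, "archive_downloaded"
    if served and name == LOG_NAME:
        return client, "log_read"
    return client, "probe"  # any other request to the directory, including refused ones

def scan(log_text):
    """Map each client to the most serious finding seen for it."""
    worst = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and RANK[hit[1]] >= RANK.get(worst.get(hit[0]), -1):
            worst[hit[0]] = hit[1]
    return worst

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG).items():
        print(client, finding)
```

Any `archive_downloaded` finding means a full site archive left the server, so the credentials stored in it should be treated as disclosed and changed.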

Comments

Roy Owens November 21, 2005 1:39 PM

I once discovered on a Sun Unix system that I could unzip a file I had no ‘rwx’ privileges to, and the upshot was that I owned the unzipped file.

This proved useful for removing obsolete files from shared areas when the owner wasn’t available.

Still, it bothers me that I was allowed to do it.

Tim Howland November 21, 2005 2:00 PM

Google doesn’t seem to return any hits for “versioning_repository/rollbacklog.xml” or just rollbacklog.xml – this suggests one of two things:

1) Nobody anywhere on the internet ever wrote a document named “rollbacklog.xml” that Google indexed (an infinite number of monkeys, but still a finite amount of time…)

or

2) Google has been persuaded to block queries for this vulnerability until the manufacturer can fix it….

Woody November 21, 2005 2:18 PM

@Tim

3) NOF9 is using a robots.txt file to ensure that those files don’t get added to the searches.

If you knew a search string to locate NOF9-based sites, then you could generate the list of sites, and then ask each site for the above files.

Or…

4) No one actually uses NOF9…

Gary November 21, 2005 2:50 PM

I don’t think NOF 9 has been out that long, hence hard to find.

This vulnerability seems to be on so many levels – publishing the site versioning repository to the web, but mostly storing the credentials with the repository…. NOF seems like a single-user kind of product, not a distributed authorship product. I can see storing the versions server side (optionally), but storing the saved credentials too? That’s beyond “vulnerability” – that’s just dunderheaded.

Dan November 21, 2005 2:58 PM

Yeah, based on a few Google searches, there don’t seem to be any sites running version 9 at all. Too bad, I would’ve liked to have a go at this.

Josh November 21, 2005 9:17 PM

@Bruce

You should be careful about your comment “I don’t use NOF9, and I haven’t tested this vulnerability. Can someone do so and get back to me?”.

Judging by the comments above, it seems some people have interpreted your request for a “test” as a request to “crack” a live Internet site. 🙂

Dan November 22, 2005 2:01 PM

Well, that’s not my intention, anyway. At least not until the point it’s obvious that’s what it will take to get a proper response from the company that publishes something like that…

Chris December 2, 2005 2:27 AM

Your posting is wrong, the company behind NetObjects did indeed address the issue. Although the feature was targeted at Designers who ought to protect those files anyhow, or at least publish them above root.

An update was released on 16 of November, which is before your post. So whoever was feeding you anonymous news was a little bit out of date.

Juha-Matti Laurio December 9, 2005 8:52 PM

Bruce, is it worth contacting the security companies whose advisories list NetObjects as vulnerable (see Chris’s opinion and information)? Three advisory URLs were mentioned in my previous comments.

Juha-Matti Laurio February 18, 2006 1:28 PM

It seems that two security companies have updated their advisories.

Secunia lists this issue as patched and says
“Solution:
Apply Update #1 and store the files outside a web accessible directory.”
FrSIRT has the same solution. SecurityFocus lists no ‘Not Vulnerable’ product versions yet.
I have informed them with new information today.

Arthur Danielles July 5, 2019 8:19 AM

Hi
Great article – first time visiting your site and have bookmarked accordingly.
I’d be interested re your views on how web hosting providers are currently touting ssl as the next best thing for web hosting though my opinion is that unless you are SELLING or i.e utilising mercantile outlet facilitation is SSL a necessary? Illicit webs and that includes false, con artistes paradise online sites and more of course pose problems re legit site owners/publishers but does SSL really negate the future re the internet and security? Surely the namby pamby mummy state that advocates a myriad of safety measures that put common sense to the test such as teaching your kid road sense but now you have to sit and read through all these leaflets on road safety and and ? Surely the major problems re internet security and site safety re if you are merely browsing info et not buying or using mercantile outlets to purchase et does not need an ssl certificate? Also does a web hoster who does not apply an SSL certificate have to suffer the declaration shown that the safe is not safe?
