Possible Net Objects Fusion 9 Vulnerability

I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.

Beta testers have discovered a serious security flaw in sites created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and login info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).

The vulnerability is easy to exploit. In your browser enter:
http://domain.com/_versioning_repository_/rollbacklog.xml

Now enter:
http://domain.com/_versioning_repository_/n.zip
where n is the number you got from rollbacklog.xml.

Then, open Fusion and create a new site from the d/l'ed template. Edit and republish.

This means that anyone can edit a NOF9 site and get any usernames and passwords involved in it. Every site using versioning in NOF9 is exposing their site.

Website Pros has refused to fix the hole. The only concession that they have made is to put a warning in the publishing dialog box telling the user to "Please make sure your profiles repository are [sic] stored in a secure area of your remote server."

I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word. I don't know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.

Posted on November 21, 2005 at 12:31 PM • 12 Comments

Comments

Roy Owens • November 21, 2005 1:39 PM

I once discovered on a Sun Unix system that I could unzip a file I had no 'rwx' privileges to, and the upshot was that I owned the unzipped file.

This proved useful for removing obsolete files from shared areas when the owner wasn't available.

Still, it bothers me that I was allowed to do it.

Tim Howland • November 21, 2005 2:00 PM

Google doesn't seem to return any hits for "_versioning_repository_/rollbacklog.xml" or just rollbacklog.xml - this suggests one of two things:

1) Nobody anywhere on the internet ever wrote a document named "rollbacklog.xml" that google indexed (an infinite number of monkeys, but still a finite amount of time...)

or

2) Google has been persuaded to block queries for this vulnerability until the manufacturer can fix it....

Woody • November 21, 2005 2:18 PM

@Tim

3) NOF9 is using a robots.txt file to ensure that those files don't get added to the searches.

If you knew a search string to locate NOF9-based sites, then you could generate the list of sites, and then ask each site for the above files.

Or...

4) No one actually uses NOF9...

Gary • November 21, 2005 2:50 PM

I don't think NOF 9 has been out that long, hence hard to find.

This vulnerability seems to be on so many levels - publishing the site versioning repository to the web, but mostly storing the credentials with the repository.... NOF seems like a single-user kind of product, not a distributed authorship product. I can see storing the versions server side (optionally), but storing the saved credentials too? That's beyond "vulnerability" - that's just dunderheaded.

Dan • November 21, 2005 2:58 PM

Yeah, based on a few Google searches, there don't seem to be any sites running version 9 at all. Too bad, I would've liked to have a go at this.

Josh • November 21, 2005 9:17 PM

@Bruce

You should be careful about your comment "I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me?".

Judging by the comments above, it seems some people have interpreted your request for a "test" as a request to "crack" a live Internet site. :)

Dan • November 22, 2005 2:01 PM

Well, that's not my intention, anyway. At least not until the point it's obvious that's what it will take to get a proper response from the company that publishes something like that...

Chris • December 2, 2005 2:27 AM

Your posting is wrong, the company behind NetObjects did indeed address the issue. Although the feature was targeted at Designers who ought to protect those files anyhow, or at least publish them above root.

An update was released on 16 November, which is before your post. So whoever was feeding you anonymous news was a little bit out of date.

Juha-Matti Laurio • December 9, 2005 8:52 PM

Bruce, is this worth contacting the security companies whose advisories list NetObjects as vulnerable (see Chris's opinion and information)? Three advisory URLs were mentioned in my previous comments.

Juha-Matti Laurio • February 18, 2006 1:28 PM

It seems that two security companies have updated their advisories.

Secunia lists this issue as patched and says:
"Solution:
Apply Update #1 and store the files outside a web accessible directory."

FrSIRT has the same solution. SecurityFocus lists no 'Not Vulnerable' product versions yet.
I have informed them of the new information today.
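The advisory solution quoted above has two parts: apply the vendor update, and keep the versioning repository outside any web-accessible directory. Where a hosting setup cannot move the repository above the document root, the web server can at least refuse to serve it. The fragment below is an added example for Apache httpd 2.4 and is not configuration from the post, from NetObjects or from the advisories; the document-root path is a placeholder, and the `_versioning_repository_` directory name, `rollbacklog.xml` and the numbered `.zip` archives are taken from the URLs in the post.

```apache
# Added example (not from the post, NetObjects or the advisories).
# Assumes Apache httpd 2.4 and a document root of /var/www/example.com/htdocs (placeholder).

# Preferred fix: the repository is published outside the document root, so no
# rule is needed. Fallback when it must stay under the root: deny all web access
# to the directory named in the post.
<Directory "/var/www/example.com/htdocs/_versioning_repository_">
    Require all denied
</Directory>

# Defence in depth: also refuse the repository path wherever it appears in the
# URL space, in case the site is published into a sub-folder or an alias.
<LocationMatch "/_versioning_repository_(/|$)">
    Require all denied
</LocationMatch>

# Last line of defence: block the two artefacts the post names (the rollback log
# and the numbered version archives) even if the directory is renamed. Scope the
# file pattern to the repository path so legitimate .zip downloads elsewhere on
# the site are unaffected.
<LocationMatch "/_versioning_repository_/(rollbacklog\.xml|[0-9]+\.zip)$">
    Require all denied
</LocationMatch>
```

After reloading the server, a request for `/_versioning_repository_/rollbacklog.xml` on your own site should return 403 rather than 200; checking the access log for requests to that path is also a cheap way to see whether anyone is probing for it. On Apache 2.2 the equivalent of `Require all denied` is `Order deny,allow` followed by `Deny from all`.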
