Security issue. Anonymous user without user-name

Normando Hall

Wednesday 26 September 2007 3:07:32 pm

I have a site using ez 3.9.3 with ezwebin.
Every day I have an email saying a user is registered.

In the email, the account information says:

User Name:

Email:

It says nothing about the username and email. When I go to edit that account, I see:

User ID: 1043
User name:
Password:
Retype password:
Email:

But in the signature there is spam HTML:

and in alt. image text:
the word "MESSAGE"

How is it possible? I tried to sign up without a username or email, and I can't.

Thanks in advance for any help.

Normando - Argentina

Normando Hall
Rosario - Argentina

Paul Wilson

Wednesday 26 September 2007 7:52:57 pm

Hi Normando,

I am having a similar problem. I have disabled user registration - or at least I thought I had, but I am still getting these blank user registrations turning up.

I don't seem to get the spam element. I looked up the IP address of the user who had created the account, and it seems that that IP is known for forum spamming.

I am guessing that the captcha extension may be useful to stop this happening, but the fact that I'm getting registrations despite taking steps to disable makes me think there may be some system exploit being used. I'll check the steps I've taken to see if I've missed something obvious, or whether there are other useful clues.

- Paul

Paul Wilson

Wednesday 26 September 2007 10:04:23 pm

Checked more. Yes I am getting the spam signature.

Two of my EZ sites affected, versions EZ 3.9.0 and EZ 3.9.2.

I'd aimed to avoid anonymous user registration by commenting out the following lines in settings/site.ini:

PolicyOmitList[]
# PolicyOmitList[]=user/register

AnonymousAccessList[]
# AnonymousAccessList[]=user/register

It does not prevent this problem, suggesting there's some other means being used to create these rubbish accounts.

At the moment, the symptoms appear to be:
1) Validation on new user accounts bypassed (blank username and password on the newly created user).
2) PolicyOmit/AnonymousAccess settings ignored.

Anyone else experienced this and/or got a method to resolve?

Paul Wilson

Wednesday 26 September 2007 10:13:30 pm

Not sure if it helps, but my error.log file shows the following entries, corresponding with the time and IP for the account being created:

[ Sep 27 2007 14:30:23 ] [84.19.176.137] eZModule:
Undefined view: User management::index.php
[ Sep 27 2007 14:30:23 ] [84.19.176.137] error/view.php:
Error ocurred using URI: /index.php/eng/user/index.php/eng/user/register
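As an added example (not code from the thread or from eZ Publish), this Python script parses error.log entries of the two-line format Paul quotes and flags requests that reached the register view through a nested index.php path, so an administrator can correlate them with the blank accounts. The sample log is constructed: it reproduces the thread's two entries and adds made-up benign lines using documentation IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample of eZ Publish error.log entries. The first two entries
# reproduce those quoted in the thread; the rest are made-up benign lines.
SAMPLE_LOG = """\
[ Sep 27 2007 14:30:23 ] [84.19.176.137] eZModule:
Undefined view: User management::index.php
[ Sep 27 2007 14:30:23 ] [84.19.176.137] error/view.php:
Error ocurred using URI: /index.php/eng/user/index.php/eng/user/register
[ Sep 27 2007 15:02:10 ] [192.0.2.10] error/view.php:
Error ocurred using URI: /index.php/eng/content/view/full/99
[ Sep 27 2007 15:05:41 ] [192.0.2.11] error/view.php:
Error ocurred using URI: /index.php/eng/user/register
"""

# Header line: "[ <timestamp> ] [<ip>] <source>:"; the message follows on the next line.
ENTRY_RE = re.compile(r"^\[ (?P<ts>[^\]]+) \] \[(?P<ip>[^\]]+)\] (?P<src>\S+)$")
URI_RE = re.compile(r"Error ocurred using URI: (?P<uri>\S+)")

def parse_entries(text):
    """Group the two-line error.log entries into dicts with ts, ip, src, msg."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "ip": m["ip"], "src": m["src"], "msg": ""}
            entries.append(cur)
        elif cur is not None:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

def suspicious_register_hits(text):
    """Return (ts, ip, uri) for entries whose URI reaches user/register through
    a nested index.php path, the pattern seen in the quoted log lines."""
    hits = []
    for e in parse_entries(text):
        m = URI_RE.search(e["msg"])
        if not m:
            continue
        uri = m["uri"]
        if uri.count("index.php") > 1 and uri.endswith("user/register"):
            hits.append((e["ts"], e["ip"], uri))
    return hits

def ips_by_hit_count(text):
    """Count flagged requests per source IP, for cross-checking against
    the creator IP of blank accounts."""
    counts = defaultdict(int)
    for _, ip, _ in suspicious_register_hits(text):
        counts[ip] += 1
    return dict(counts)
```

A plain /user/register request is deliberately not flagged; only the doubled path that coincides with the account creation is.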

Normando Hall

Wednesday 26 September 2007 11:26:35 pm

Hi Paul.
Thank you for your replies.

I analyzed the log files, and I remember I had deleted all cache and log files before!!!

Well, I will wait for the next spam registration and post my log files here. Every time I have deleted the spam user, it registers again within 24 hr. But if I don't delete it, I think it cannot register twice.

I have searched on Secunia.com for this issue, but did not find exactly this one.

http://secunia.com/search/?search=ez+publish

Normando

Normando Hall
Rosario - Argentina

Paul Wilson

Wednesday 26 September 2007 11:46:10 pm

What version of EZ Publish are you using, Normando?

Looking at the news about the EZ 3.9.3 release security fixes makes me think upgrading may help address the problem (see http://ez.no/developer/news/ez_publish_security_fixes_3_9_3_and_3_8_9).

This talks of a problem with "Insufficient permission checking on views without a policy function defined", which sounds like a candidate cause.

Hans Melis

Wednesday 26 September 2007 11:50:31 pm

Hi all

To disable access to modules and/or views, you can use the [SiteAccessRules] block in site.ini. We have the following settings for the block:

[SiteAccessRules]
Rules[]=Access;enable
Rules[]=ModuleAll;true
Rules[]=Access;disable
Rules[]=Module;setup
Rules[]=Module;user/register

That enables access to all modules, then disables access to the 'setup' module and to the view 'register' in the 'user' module. You can put this in the global override of site.ini or you can do it per siteaccess if you wish to be more selective.

Hans
http://blog.hansmelis.be

Normando Hall

Thursday 27 September 2007 12:03:56 am

Hi Paul.
Yes, you are right, I made a mistake: my version is 3.9.2 and not 3.9.3.

I have to upgrade to 3.9.3 now, urgently!!!

Thank you very much

Normando

Normando Hall
Rosario - Argentina

Łukasz Serwatka

Thursday 27 September 2007 12:38:04 am

You can subscribe to security advisories and receive information about security related issues.

http://ez.no/developer/security/security_advisories
http://ez.no/rss/feed/sa

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog

Normando Hall

Thursday 27 September 2007 1:33:05 am

Thanks Łukasz

I have added to my live bookmarks :)

Normando Hall
Rosario - Argentina

Normando Hall

Friday 28 September 2007 6:56:58 am

Well, believe it or not.

I have upgraded to 3.9.3 and the spammer registered on my site again!

The only thing I can't do is run the upgrade script, especially "Changes to roles and policies", because I don't have the PHP CLI.
Is there a way to make these changes manually? I read the script, but I'm not a PHP expert.

Thanks
Normando

Normando Hall
Rosario - Argentina

Kristof Coomans

Friday 28 September 2007 7:28:41 am

There's also another bug:

http://issues.ez.no/10655

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Jeroen Sangers

Sunday 28 October 2007 10:22:51 am

I have the same problem on a new eZ Publish 3.10 site.

Andy Caiger

Sunday 30 November 2008 6:53:09 pm

Does anyone have this problem (blank rows in the ezuser table) on eZ Publish 4.0.1? It looks like we do.

EAB - Integrated Internet Success
Offices in England, France & China.
http://www.eab.co.uk http://www.eab-china.com http://www.eab-france.com

Kristof Coomans

Sunday 30 November 2008 11:52:32 pm

Hi

The issue is indeed still present in eZ Publish 4.0.1. Follow the comments at http://issues.ez.no/10655 for more information.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Piotrek Karaś

Saturday 06 December 2008 11:50:56 pm

This is not a user or general eZ problem; it is a datatype problem. A solution may be adding to the user class a CAPTCHA-like attribute based on a datatype that is aware of the presentation-layer attribute-omitting problem. For example:
http://ez.no/developer/contribs/applications/ez_human_captcha

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu
