Nette security bug CVE-2020-15227

October 21, 2020


A security bug has been discovered in Nette, the popular PHP framework for web applications. How do you secure your application or server? This article goes through the options for fixing the bug and for hardening the server as an additional measure.

The official statement on the discovered flaw is in the article First vulnerability discovered in Nette, update! by the author of the Nette framework. The best solution, and also the easiest, is to update the Nette framework; the security problem then disappears. The change the update brings does not affect functionality, so it is a simple and safe task.

Security

Why is this hole dangerous? No special tools are needed: anyone who can craft a URL or script a handful of HTTP requests in bash can make the application execute code of their choosing, read the source files, including the configuration with the database credentials, and so download all the data.

Checking the Nette version

If you run several applications, you may want to check in bulk that the installed version of Nette contains the patch. The bug is in the package nette/application. The list of installed packages, including their versions, is in composer.lock, so the following command prints the versions of all installed nette/application packages:

    grep -r '"name": "nette/application"' */composer.lock -A1
On Nette 3 you should have v3.0.6 installed; on the 2.4 branch the fixed release is v2.4.16, and the official advisory lists fixed releases for the older 2.x branches as well.
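To audit many applications at once in a way that copes with Composer's JSON layout and with the older 2.x branches, here is an added Python script (not part of the original article or of Nette) that reads composer.lock files and reports whether the installed nette/application release is a patched one. It assumes the standard composer.lock structure, with installed packages listed under "packages" and "packages-dev", each carrying "name" and "version" fields; the patched release numbers are the ones listed in the official Nette advisory (the article itself names only 3.0.6), and the sample lock files are constructed for the demonstration.

```python
import json
import re
from pathlib import Path

# Patched releases of nette/application per branch, as listed in the official
# Nette advisory for CVE-2020-15227 (the article itself mentions only 3.0.6).
PATCHED = {
    (2, 0): 19, (2, 1): 13, (2, 2): 10, (2, 3): 14, (2, 4): 16, (3, 0): 6,
}
PACKAGE = "nette/application"

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch), or None for tags such as dev-master."""
    m = VERSION_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True if this release number is at or above the fixed release of its branch."""
    v = parse_version(version)
    if v is None:
        return False  # dev branches: not provably patched, treat as vulnerable
    major, minor, patch = v
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    # Branches newer than 3.0 were released after the fix; older unknown ones never got one.
    return (major, minor) > (3, 0)


def installed_version(lock_text, package=PACKAGE):
    """Find the installed version of a package in composer.lock JSON (assumed standard layout)."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def audit_lock(lock_text):
    """Return (version, status) with status 'patched', 'VULNERABLE' or 'not installed'."""
    version = installed_version(lock_text)
    if version is None:
        return None, "not installed"
    return version, ("patched" if is_patched(version) else "VULNERABLE")


def audit_tree(root):
    """Audit every */composer.lock below root, the same files the grep above touches."""
    return {str(p): audit_lock(p.read_text()) for p in Path(root).glob("*/composer.lock")}


# Constructed sample lock files (not taken from real projects).
SAMPLE_LOCKS = {
    "app-old": '{"packages": [{"name": "nette/application", "version": "v3.0.5"}]}',
    "app-new": '{"packages": [{"name": "nette/application", "version": "v3.0.6"}]}',
    "app-24": '{"packages": [{"name": "nette/application", "version": "v2.4.15"}], "packages-dev": []}',
    "no-nette": '{"packages": [{"name": "monolog/monolog", "version": "2.1.1"}]}',
}

if __name__ == "__main__":
    for name, lock in SAMPLE_LOCKS.items():
        print(f"{name}: {audit_lock(lock)}")
```

Run it against a real server with audit_tree("/var/www") or whatever directory holds the applications; a result of VULNERABLE for a "dev-" version only means the script cannot prove the fix is present, so check the commit in that case.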

Checking logs

Unix programs log what happens, and so does the web server. On Debian-like distributions the Apache logs are in /var/log/apache2, on RPM-based distributions in /var/log/httpd. If you use Nginx, the logs are in /var/log/nginx. The access log is the one of interest here; rotated logs are compressed, so search those with zgrep.

The following command lists the log entries in which someone probed whether the web application is vulnerable:

    grep -r callback /var/log/apache2
The word callback also occurs in legitimate requests, for example JSONP calls, so go through the hits rather than treating every one as an attack; a probe that received a 200 response deserves the closest look.

From what I have seen in the logs, the bots are probing different sites; they can guess from the HTTP response whether the web application uses the Nette framework.
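As an added example (not from the article), the following Python script does what the grep does, but on parsed log entries: it reads access-log lines in the combined format that Apache and Nginx write by default, picks out requests carrying a callback query parameter, counts them per source address and lists the ones that got a 2xx response, which are the ones to look at first. The log lines in it are constructed for the demonstration, and the paths in them are placeholders, not the real attack URL.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Matches the "combined" access-log format that Apache and Nginx write by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PROBE_PARAM = "callback"  # the query parameter the article greps for


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Lower-cased query parameters of a request target such as '/x?a=1&b=2'."""
    raw = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k.lower(): v for k, v in raw.items()}


def find_probes(lines):
    """Log entries whose request carries a 'callback' parameter, like the grep in the article."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        params = query_params(entry["target"])
        if PROBE_PARAM in params:
            hits.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "path": urlsplit(entry["target"]).path,
                "callback": params[PROBE_PARAM][0],
                "status": int(entry["status"]),
            })
    return hits


def summarize(hits):
    """Per-IP probe counts, plus the hits that got a 2xx answer and deserve a closer look."""
    by_ip = Counter(h["ip"] for h in hits)
    answered = [h for h in hits if 200 <= h["status"] < 300]
    return by_ip, answered


# Constructed sample lines (not from a real server); the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2020:03:14:15 +0200] "GET /?callback=phpinfo HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
203.0.113.7 - - [21/Oct/2020:03:14:16 +0200] "GET /homepage/default?callback=phpinfo HTTP/1.1" 200 1042 "-" "python-requests/2.24.0"
198.51.100.5 - - [21/Oct/2020:08:02:41 +0200] "GET /api/items?callback=jQuery_cb HTTP/1.1" 200 312 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [21/Oct/2020:09:30:00 +0200] "GET /contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2020:03:14:17 +0200] "POST /?CALLBACK=phpinfo HTTP/1.1" 403 199 "-" "curl/7.72.0"
"""

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG.splitlines())
    by_ip, answered = summarize(hits)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for h in answered:
        print("answered with", h["status"], ":", h["ip"], h["path"], "callback=" + h["callback"])
```

The JSONP request from 198.51.100.5 shows up in the summary as well, which is the point: the parameter name alone does not separate a probe from normal traffic, so review the callback values and the responding paths before treating a hit as an intrusion. Feed real files in with open("/var/log/apache2/access.log") and the gzip module for rotated ones.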

Fixing the bug

If you do not use Composer to update packages, or do not want to download a new Nette archive, there are other ways to fix the bug.

Composer

If you use Composer, and you should, update the libraries with the command:

    composer update

This updates every package within the constraints in composer.json; if you want to touch only the affected package, give composer update the package name nette/application as its argument. Afterwards check composer.lock to confirm that a patched release was actually installed, because a constraint pinned to an older version would keep the vulnerable one.

Bug fix script

You can also fix the source code with a script built from Unix utilities (a bash script that patches Nette), or with a PHP script that does the same; the repair can be much faster that way. Bear in mind, though, that after patching the files in place you are no longer running an unmodified release of the library: composer.lock still records the vulnerable version, so version checks will keep reporting it, and the next composer install or update will replace your patched files.

Disabling URLs

The attack is carried out through a request to a specific URL. Both Apache and Nginx let you apply rules to URLs, so you can create a rule for that URL that blocks the request directly at the web-server level, before it ever reaches PHP. This is a stopgap for an application you cannot update right away, not a replacement for the fix.

Enhancing security

You can also raise security in general by reducing what PHP is allowed to do on the web server. Edit the PHP configuration in php.ini and add the following line:

    disable_functions=exec,passthru,shell_exec,system,proc_open,popen
This rules out at least some kinds of attack, but it may also break applications that need those functions. Note that disable_functions is a PHP_INI_SYSTEM directive, so it takes effect only from php.ini or the server or PHP-FPM pool configuration, not from the application itself, and that it does not stop PHP code from reading files, so the configuration and database credentials remain reachable by injected code.

Fun

As an aside, the hosting company wedos reacts by dynamically blocking all HTTP/HTTPS traffic on ports 80 and 443 for a period of time, which cuts the visitor off from every site it hosts, and therefore from other customers' sites, even ones running on a different technology or already patched. It also cut off access to their own main corporate site. And since they probably block by IP address, the sites hosted there become unreachable for everyone behind the same NAT address.

News

New information on CVE-2020-15227 can be found on the Nette forums.
