Security Note 06

05/27/2009

Security issue details

There is a serious security problem found in aMember Pro. It affects aMember Pro versions up to 3.1.7. A hacker is able to insert Javascript into first and last name fields, then when you are viewing his account in aMember CP, a malicious Javascript could be executed, and admin session can be stolen.
The problem described here: http://www.securityfocus.com/archive/1/503776/30/0/threaded

Methods of protection

Method 1. Closing the hole

  • Please do not login to amember cp until you follow all these instructions.
  • Using your favorite FTP client, edit files amember/signup.php and amember/aff_signup.php (the second may be not available in your version of aMember, it is OK, then you do not need to edit it)
  • In both files, find lines
    if (!strlen($vars['name_f'])){
        $error[] = _SIGNUP_PLEASE_ENTER_FNAME;
    }
    if (!strlen($vars['name_l'])){
        $error[] = _SIGNUP_PLEASE_ENTER_LNAME;
    }

and replace it to

    if (!strlen($vars['name_f'])){
        $error[] = _SIGNUP_PLEASE_ENTER_FNAME;
    }
    if (preg_match('/[<>"]/', $vars['name_f'])){
        $error[] = _SIGNUP_PLEASE_ENTER_FNAME;
    }
    if (!strlen($vars['name_l'])){
        $error[] = _SIGNUP_PLEASE_ENTER_LNAME;
    }
    if (preg_match('/[<>"]/', $vars['name_l'])){
        $error[] = _SIGNUP_PLEASE_ENTER_LNAME;
    }
  • Edit file amember/profile.php using your FTP client.
  • In the file please find the following lines:
        if (($k == 'name_f') && !strlen($v)){
            $error[] = _MEMBER_PROFILE_ERROR4;
            $user['name_f'] = $v;
            continue;
        }
        if (($k == 'name_l') && !strlen($v)){
            $error[] = _MEMBER_PROFILE_ERROR5;
            $user['name_l'] = $v;
            continue;
        }

and replace it to the following lines:

        if (($k == 'name_f') && !strlen($v)){
            $error[] = _MEMBER_PROFILE_ERROR4;
            $user['name_f'] = $v;
            continue;
        }
        if (($k == 'name_l') && !strlen($v)){
            $error[] = _MEMBER_PROFILE_ERROR5;
            $user['name_l'] = $v;
            continue;
        }
        if (($k == 'name_f') && preg_match('/[<>"]/', $v)){
            $error[] = _MEMBER_PROFILE_ERROR4;
            $user['name_f'] = $v;
            continue;
        }
        if (($k == 'name_l') && preg_match('/[<>"]/', $v)){
            $error[] = _MEMBER_PROFILE_ERROR5;
            $user['name_l'] = $v;
            continue;
        }
  • To stop most possible XSS attacks in future, please edit file amember/admin/login.inc.php
  • Immediately after opending <?php in this file, please insert the following code:
$badWords = array('script', 'onabort', 'onactivate',
    'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy',
    'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
    'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce',
    'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect',
    'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete',
    'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter',
    'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate',
    'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown',
    'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown',
    'onmouseenter', 'onmouseleave', 'onmousemove', 'onmoveout', 'onmouseover', 'onmouseup',
    'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange',
    'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit',
    'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart',
    'onstart', 'onstop', 'onsubmit', 'onunload');
foreach ($_GET as $k => $v)
    if (@preg_match('/\b'.join('|', $badWords).'\b/', $v))
       die('Bad word detected in GET parameter, access deined');
  • Now we need to ensure there is no records in your database with injected Javascript. Please download file amember_security_fix.zip. Unpack it and upload file fix.php to amember/admin/ folder. Then open http://www.yoursite.com/amember/admin/fix.php and follow instuctions. Most possible you will see screen stating “No injected records found.” – that is OK, nobody tried to hack your website, so there is nothing for you to worry about.
  • Or alternatively, you will see list of records considered “strange” that can be deleted or fixed. We recommend to choose “fix” if that is not obivious that record was created for hacking reasons. If injected records found, please “fix” them using the script and we would appreciate if you copy/paste information from the screen to support@cgi-central.net.
  • Now you can continue to use aMember CP, it is now safe again. But in any case, we recommend to upgrade to most recent and stable aMember Pro 3.1.8.

Method 2. Upgrade to latest version of amember

  • We have released aMember Pro 3.1.8 with all these problems fixed. Unfortunately, we will be unable to process upgrades for all customers in short period of time, so if you have no experience with aMember upgrade and need support team help with upgrade, please contact us on the next week, and right now just follow METHOD 1 described above. If there are problems with applying METHOD 1, feel free to contact us at https://www.amember.com/support/