June 17, 2009 - SkyBlueCanvas Security Advisory

A few days ago, it was brought to my attention that SkyBlueCanvas has a few minor security vulnerabilities (thanks, MaXe). Within 24 hours of becoming aware of the vulnerabilities, I issued a patch. However, it appears that the patch I issued to close the vulnerabilities is causing more problems than it is fixing.

I am advising anyone who updated to v1.1-r246b or v1.1-r246c, to revert back to v1.1-r246 (no "b" or "c").

We have categorized the vulnerabilities as minor for two reasons. First, in order to exploit the vulnerabilities, an attacker would have to authenticate to the admin control panel. Second, the damage the attacker could do appears to be only cosmetic, meaning that they cannot write to the file system or delete files.

With regard to gaining access to the secure admin control panel: if this were to happen, a simple HTML or JavaScript injection attack would have little value, since the admin control panel allows site admins to upload executable PHP files to begin with.

In the interest of full disclosure, the vulnerability is related to the $_GET array and the 'mgroup' and 'mgr' variables. These variables can be exploited to inject arbitrary JavaScript and HTML. However, these are useless vulnerabilities because the Admin control panel allows users to upload executable PHP code anyway so the JavaScript and HTML injection vulnerability is not nearly as useful as the built-in features. We will patch this vulnerability in the upcoming v1.2 release. For now, we will not fix the vulnerability.
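To illustrate the class of issue described above, here is an added example that is not SkyBlueCanvas code: a hypothetical admin page that reflects the 'mgroup' and 'mgr' query parameters into its HTML, shown first as the weak pattern and then with output encoding applied. Only the two parameter names come from the advisory; the page layout, function names and sample input are assumptions.

```php
<?php
// Added example, not SkyBlueCanvas code. The parameter names 'mgroup' and
// 'mgr' come from the advisory; everything else here is assumed.

// Weak pattern: raw $_GET values are placed straight into the markup, so any
// HTML or JavaScript present in the query string is rendered by the browser.
function render_group_unsafe(array $get): string
{
    $mgroup = $get['mgroup'] ?? '';
    $mgr    = $get['mgr'] ?? '';
    return "<h2>Group: $mgroup</h2><p>Manager: $mgr</p>";
}

// Hardened pattern: encode on output. htmlspecialchars() with ENT_QUOTES turns
// <, >, &, " and ' into entities, so the values are displayed as text only.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_group_safe(array $get): string
{
    $mgroup = esc((string) ($get['mgroup'] ?? ''));
    $mgr    = esc((string) ($get['mgr'] ?? ''));
    return "<h2>Group: " . $mgroup . "</h2><p>Manager: " . $mgr . "</p>";
}

// Constructed sample input containing markup, to compare the two outputs.
// In the real page this array would be $_GET.
$sample = ['mgroup' => '<b>editors</b>', 'mgr' => 'scott'];
echo render_group_unsafe($sample), "\n"; // the <b> tag is emitted as HTML
echo render_group_safe($sample), "\n";   // the <b> tag is emitted as &lt;b&gt;
```

Encoding at the point of output is the fix that does not depend on where the value came from, which is why it is the usual remedy for reflected parameters like these; it leaves the behaviour of the admin panel unchanged while removing the cosmetic injection the advisory describes.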

I offer my sincere apologies to anyone who updated their installation of SkyBlueCanvas in response to my first advisory and has experienced any difficulty; and to those who must now revert back. I was trying to respond quickly to a security matter and in my haste caused more harm than good. Rest assured that in the future I will take a more measured approach to such matters.

Thank You & Sincerely,
Scott