v2.1 was released today. This is a security release which fixes several low-risk vulnerabilities, based on a report at SecurityFocus. It is advised to upgrade to this version as soon as possible. The upgrade is very simple, as most changes are related to the admin panel.

Details

On June 20th, a report was submitted to SecurityFocus detailing several exploits against Commentics v2.0. The exploits affect all versions of Commentics. All of the exploits listed require either an administrator to knowingly carry out the attack (unlikely) or an administrator to unknowingly carry out the attack via CSRF (more likely). If you are not familiar with it, CSRF (Cross-site request forgery) is when the hacker creates a link, or a form on their own website, which submits data to your admin panel. The hacker cannot click the link or submit the form themselves because they would run into the login system, so they need you to submit it for them. They will disguise the link or form to look genuine so they can trick you into submitting it. If you do submit it, you will be taken to your admin panel, where the attack takes place using your logged-in session.

There are a few obstacles for the hacker. Firstly, they need to know the location of your admin folder. All versions of Commentics have required the administrator to change the location of their admin folder. Secondly, you would have to be logged in to your admin panel when you submit their link/form, as otherwise you will encounter the login system and the attack would not work.

What attacks are possible?

1. The author of the security report describes using the database backup deletion feature to traverse outside of the backup folder and delete other files from the website. This is fixed in v2.1 in several ways. Firstly, the URL parameter for the backup file is passed through PHP's basename function. This strips any directory portion (everything up to and including the last slash), so that only the trailing filename part remains. To make sure, this trailing part is then checked to confirm that it consists only of letters and numbers, and that it is exactly 20 characters long. Also, the file extension is added by the code itself and is not taken from the parameter. Lastly, the action is protected by a CSRF key, which is discussed later.
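The following is an added example, not Commentics' own code, showing the three filename checks described above (basename, a strict 20-character alphanumeric pattern, and a code-supplied extension) applied before a backup file is touched. The backup directory and the ".sql" extension are assumptions made for this example, and the CSRF key check mentioned in the post is left out of this block. A final realpath containment check is also added as an extra safeguard that the post does not mention.

```php
<?php
// Added example (not Commentics' own code): validating the backup-file parameter
// before it is used on the filesystem.
// BACKUP_DIR and the ".sql" extension are assumptions for this example.

const BACKUP_DIR = __DIR__ . '/backups';   // assumed location of the backup folder

/**
 * Returns the absolute path of the backup to act on, or null if the
 * supplied parameter is not acceptable.
 */
function resolveBackupPath(string $param): ?string
{
    // 1. Keep only the trailing filename component. A directory part such as
    //    "../../" is discarded: basename('../../index') === 'index'.
    $name = basename($param);

    // 2. What remains must be exactly 20 letters/digits and nothing else, so
    //    names like "index", ".htaccess" or "a.b" are rejected here.
    if (!preg_match('/^[A-Za-z0-9]{20}$/', $name)) {
        return null;
    }

    // 3. The extension comes from the code, never from the request.
    $path = BACKUP_DIR . '/' . $name . '.sql';

    // 4. Extra safeguard (not in the post): the resolved path must live inside
    //    the backup directory. realpath() also fails if the file does not exist.
    $real = realpath($path);
    $dir  = realpath(BACKUP_DIR);
    if ($real === false || $dir === false
        || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage: only delete when every check passed.
$path = resolveBackupPath($_GET['file'] ?? '');
if ($path !== null && is_file($path)) {
    unlink($path);
    echo 'Backup deleted.';
} else {
    http_response_code(400);
    echo 'Invalid backup file.';
}
```

With this in place, a value such as `../../config.php` never reaches `unlink()`: basename reduces it to `config.php`, which fails the 20-character alphanumeric pattern, and even a valid-looking name only ever maps to a `.sql` file inside the backup folder.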

2. There were cross-site scripting (XSS) vulnerabilities on a few of the admin panel pages, mainly the edit_* pages, where the ID parameter wasn't validated thoroughly. This may have allowed someone to execute arbitrary JavaScript in the administrator's browser. Note that, again, this exploit requires the unlikely CSRF-type attack. This is fixed in v2.1. The ID parameter is checked to make sure that it is a number, and it is also checked to make sure that the record, whether it be a comment, page, ban, subscriber or admin, actually exists.
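As an added example (not Commentics' own code), this is how the two checks on the ID parameter can be implemented: reject anything that is not a plain positive integer, then confirm the record exists using a prepared statement. It runs against an in-memory SQLite table constructed for the example; the table and column names, and the `loadRecordForEdit` helper, are assumptions and not the project's real schema or API.

```php
<?php
// Added example (not Commentics' own code): validating the "id" parameter of an
// edit_* style page. Table/column names are assumptions for this example.

function loadRecordForEdit(PDO $db, string $table, $rawId): ?array
{
    // The table name is chosen by the code from a fixed list, never from input.
    $allowed = ['comments', 'pages', 'bans', 'subscribers', 'admins'];
    if (!in_array($table, $allowed, true)) {
        return null;
    }

    // 1. The ID must be a string of digits only. Values such as "1<script>",
    //    "1 OR 1=1" or "" are rejected before they reach the database or the page.
    if (!is_string($rawId) || !ctype_digit($rawId) || $rawId === '0') {
        return null;
    }
    $id = (int) $rawId;

    // 2. The record must actually exist. A prepared statement keeps the value
    //    out of the SQL text.
    $stmt = $db->prepare("SELECT * FROM {$table} WHERE id = :id LIMIT 1");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO comments (body) VALUES ('first comment')");

// Usage: $_GET['id'] is whatever arrived in the URL.
$record = loadRecordForEdit($db, 'comments', $_GET['id'] ?? '');
if ($record === null) {
    http_response_code(404);
    exit('No such record.');
}

// Anything echoed back that derives from the request is HTML-escaped as well,
// so even a value that passed validation cannot break out of the attribute.
echo '<input type="hidden" name="id" value="'
    . htmlspecialchars((string) $record['id'], ENT_QUOTES, 'UTF-8') . '">';
```

Note that `ctype_digit('')` returns false, so a missing parameter is rejected by the same test, and the explicit `'0'` check assumes IDs start at 1, as auto-increment columns normally do.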

3/4. The previous two attacks were URL-based. Attacks 3 and 4 are form-based. Using the CSRF method, it may have been possible for the hacker to get the administrator to submit any of the forms in the admin panel. A common form that a hacker would want to target is the one on the Settings -> Administrator page, which is given as an example in the security report, because this would enable the hacker to change your login details and gain access to the admin panel. This is fixed in v2.1 with the general CSRF protection discussed next.

Commentics v2.1 implements the general CSRF prevention methods recommended here. The main protection is the 'Synchronizer Token Pattern'. This adds a hidden input field to every form in the admin panel, and the input field contains a token tied to the administrator's session. The hacker won't know this token, so they won't be able to add it to the form on their own website. When a form is submitted, Commentics checks that this token is present and that it is correct. The same applies to the URL on some pages, except that the token is submitted as a parameter. A second protection has also been added where the admin panel checks that you were referred from within the admin panel. If you arrive at an admin panel page from another website, the script will inform you of this and ask that you access the page using the admin panel's menu links. For this reason, the 'referrer check' is re-enabled during the upgrade process in case you have disabled it in the past.
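The following is an added example of the Synchronizer Token Pattern and the referrer check described above; it is not Commentics' own code. It reuses the 'key' parameter name mentioned later in the post for both the hidden form field and the URL parameter, and assumes a session key name, an admin URL and the helper function names for illustration.

```php
<?php
// Added example (not Commentics' own code): Synchronizer Token Pattern plus a
// referrer check for an admin panel. ADMIN_URL, the session key name and the
// function names are assumptions made for this example.

session_start();

const ADMIN_URL = 'https://example.com/my-secret-admin/';   // assumed admin location

// One unpredictable token per session, created on first use and then reused.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every admin form.
function csrfField(): string
{
    return '<input type="hidden" name="key" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// For URL-driven actions (e.g. deleting a backup) the token travels as a parameter.
function csrfLink(string $url): string
{
    return $url . (strpos($url, '?') === false ? '?' : '&') . 'key=' . urlencode(csrfToken());
}

// Verify a submitted token. hash_equals() compares in constant time, so the
// comparison itself reveals nothing about the real value.
function csrfValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Second line of defence: the request must originate from within the admin
// panel. A missing Referer header is treated as a failure as well.
function referredFromAdmin($referer): bool
{
    return is_string($referer)
        && strncmp($referer, ADMIN_URL, strlen(ADMIN_URL)) === 0;
}

// Usage on a form handler; URL-driven actions do the same with $_GET['key'].
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!referredFromAdmin($_SERVER['HTTP_REFERER'] ?? null)) {
        exit('Please access this page using the admin panel menu links.');
    }
    if (!csrfValid($_POST['key'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... safe to process the form ...
}

// Every admin form carries the hidden field; every action link carries the key.
echo '<form method="post">' . csrfField() . '<button>Save</button></form>';
echo '<a href="' . htmlspecialchars(csrfLink('delete_backup.php?file=abc'), ENT_QUOTES, 'UTF-8') . '">Delete</a>';
```

A form on another website cannot include a valid `key` because the token exists only in the administrator's session, and the referrer check catches requests that arrive from outside the admin panel even before the token is examined. Because browsers may omit the Referer header in some configurations, the token check is the one that must always be enforced; the referrer check is the extra layer.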

In general, make sure that you only allow trusted administrators to log in to your admin panel, and be careful about what websites you visit while logged into the admin panel. Also, don't share the location of your admin panel, and don't share any of the admin panel URLs that contain the 'key' parameter.