5.5 build 2172 - CRITICAL security vulnerability fix

AuroraLS3 released this 15 Jan 2023, 08:43

This build contains a fix to a CRITICAL SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.

Yesterday (2023-01-14): finding a minor Path Traversal security vulnerability led to a thorough process of labeling all untrusted data in the codebase, and during that process a critical SQL Injection vulnerability was also discovered. When exploited successfully, SQL Injection allows a malicious actor to read any data from the database and change or delete data. This may expose users' salted and hashed Plan web passwords or other data in the database.
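To show the class of bug in a generic way, here is an added example that is not Plan's code and does not reflect the affected endpoint (whose details the author is withholding). It uses a constructed in-memory SQLite table with an invented schema and contrasts the vulnerable pattern, splicing untrusted input into the SQL text, with the hardened pattern of bound parameters. A name containing an apostrophe is enough to show the difference: the spliced query breaks because the database can no longer tell data from query syntax, while the bound parameter is always treated as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database; the schema is invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (uuid TEXT PRIMARY KEY, name TEXT, playtime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [
            ("11111111-1111-1111-1111-111111111111", "Alice", 3600),
            ("22222222-2222-2222-2222-222222222222", "O'Brien", 120),
        ],
    )
    conn.commit()
    return conn


def playtime_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable pattern: untrusted input is spliced into the SQL string.

    The database parses whatever the caller sends, so any quote or keyword in
    `name` becomes part of the query instead of staying a value.
    """
    sql = f"SELECT playtime FROM players WHERE name = '{name}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def playtime_param(conn: sqlite3.Connection, name: str):
    """Hardened pattern: the value is bound as a parameter.

    The SQL text is fixed; `name` is handed to the driver separately and can
    never change the structure of the statement.
    """
    row = conn.execute(
        "SELECT playtime FROM players WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both variants against the same input and report what happened."""
    conn = make_db()
    results = {"param": playtime_param(conn, "O'Brien")}
    try:
        results["concat"] = playtime_concat(conn, "O'Brien")
        results["concat_error"] = None
    except sqlite3.OperationalError as exc:
        # The stray quote turned a lookup into a syntax error: the query text
        # was reshaped by the input, which is exactly what an injection does.
        results["concat"] = None
        results["concat_error"] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

The same contrast holds for any JDBC or ORM layer: the fix for the class of bug is to keep untrusted data out of the query text entirely, which is why the labeling exercise the author describes is the right way to find every instance rather than patching the one endpoint that was noticed.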

It is recommended to update as soon as possible, even though exploits for the vulnerability may not yet exist in the wild.

This is the first time a vulnerability of this high a priority affects Plan, so I'm a bit overwhelmed, but I'm hoping to address this vulnerability professionally by releasing a fix in a timely manner, and keeping exact details undisclosed for now to give users time to update.

The fix has been backported to build 1722: https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1

Change Log

Fixed CRITICAL SQL Injection vulnerability

Details
Vulnerable versions: 5.2 build 1168 to 5.5 build 2163

If login is enabled: malicious users with permission level 1 (plan.player.other) or 0 (plan.server) can access an endpoint which was found to contain an SQL Injection vulnerability.
If login is not enabled: any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.

Mitigation if you are unable to update

  1. Enable HTTPS and login so that fewer users have access to the vulnerable endpoint.
    https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-%28HTTPS%29-Set-Up
  2. Enable the IP whitelist so that fewer users have access to the vulnerable endpoint.

```yaml
Webserver:
  Security:
    IP_whitelist:
      Enabled: true
```

  3. If unable to update or secure the server, disable the Plan webserver. This option is good if you want to delay updating to a more convenient time.

```yaml
Webserver:
  Disable_webserver: true
```

Other fixed security vulnerabilities

  • [Minor] Fixed Path Traversal vulnerability where an attacker could gain read access to .css, .js, .png, .woff, .woff2, .eot and .ttf files anywhere on the host machine if the Customized_files.Enable_web_dev_mode setting was set to true
  • [Minor] Fixed XSS (Cross-site scripting) vulnerability in the whitelist deny (403) page when an attacker routes traffic to Plan through a reverse proxy with a malicious X-Forwarded-For header
  • Removed untrusted data from exception messages used within the plugin
    • [Minor] Prevented potential XSS vulnerabilities in the Not Found page when untrusted data could enter the error message
    • [Minor] Prevented potential XSS vulnerabilities in the Internal Server Error page when untrusted data could enter the error message
  • [Minor] Prevented a malicious Hello packet from breaking session serialization to CSV on server disable if the join address contained a ; character
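The three minor fixes above share one root cause, untrusted data reaching a sink (the filesystem, an HTML page, a CSV file) without being checked or encoded for that sink. The following is an added example, not Plan's code, showing one defensive handling for each: a lexical containment check plus suffix allow-list for static assets, HTML escaping of the address shown on the 403 page (and only honouring X-Forwarded-For from proxies the operator trusts), and proper CSV quoting so a `;` inside a join address cannot split a record. The web root, the session fields and all sample values are constructed for the demonstration.

```python
import csv
import html
import io
import os.path
from typing import Iterable, List, Optional

# Suffixes the static-asset handler may serve; the list is the one from the
# release note above.
ALLOWED_SUFFIXES = {".css", ".js", ".png", ".woff", ".woff2", ".eot", ".ttf"}


def resolve_static_asset(request_path: str, web_root: str = "/srv/plan-web") -> Optional[str]:
    """Map a request path to a file under web_root, or return None to refuse it.

    The check is lexical: normalise the joined path and require that it still
    lies under web_root, so '..' segments cannot reach files elsewhere on the
    host. web_root is a constructed example directory, not Plan's real layout.
    Symlinks inside the root are not followed here; resolve them separately if
    the root may contain any.
    """
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_SUFFIXES:
        return None
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def forbidden_page(remote_addr: str, x_forwarded_for: Optional[str],
                   trusted_proxies: Iterable[str] = ()) -> str:
    """Render the whitelist-deny page with the client address HTML-escaped.

    X-Forwarded-For is attacker-controlled unless it arrived from a proxy the
    operator runs, so it is only honoured when remote_addr is a trusted proxy,
    and whatever address is displayed is escaped before entering the markup.
    """
    shown = remote_addr
    if x_forwarded_for and remote_addr in set(trusted_proxies):
        # The first entry in the chain is the original client as the proxy saw it.
        shown = x_forwarded_for.split(",")[0].strip()
    safe = html.escape(shown, quote=True)
    return ("<!DOCTYPE html><html><body><h1>403 Forbidden</h1>"
            f"<p>Address {safe} is not on the IP whitelist.</p></body></html>")


def serialize_sessions(sessions: List[dict]) -> str:
    """Write sessions as ';'-separated CSV.

    csv.QUOTE_MINIMAL wraps any field that contains the delimiter, a quote or a
    line break in double quotes, so a join address with ';' stays one field.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["uuid", "join_address", "start", "end"])
    for s in sessions:
        writer.writerow([s["uuid"], s["join_address"], s["start"], s["end"]])
    return buf.getvalue()


def parse_sessions(text: str) -> List[dict]:
    """Read the CSV back with the same dialect; quoted fields are unwrapped."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


# Constructed sample sessions; the second join address carries the delimiter.
SAMPLE_SESSIONS = [
    {"uuid": "11111111-1111-1111-1111-111111111111",
     "join_address": "play.example.org", "start": "1673654400", "end": "1673658000"},
    {"uuid": "22222222-2222-2222-2222-222222222222",
     "join_address": "play.example.org;extra", "start": "1673654500", "end": "1673654900"},
]


if __name__ == "__main__":
    print(resolve_static_asset("css/theme.css"))
    print(resolve_static_asset("../../etc/outside.css"))
    print(forbidden_page("203.0.113.5", "<b>not-an-ip</b>", trusted_proxies={"203.0.113.5"}))
    print(serialize_sessions(SAMPLE_SESSIONS))
```

The suffix allow-list alone would not have been enough for the first item, since the vulnerable behaviour was reading allowed-suffix files from anywhere on the host; the containment check is the part that closes that gap. Likewise, escaping on the 403 page is needed even when the header is ignored, because the remote address itself is still data from the network.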

Locale

  • Updated Finnish (FI) Locale