Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
 
Ivo Truxa - truXoft control systems: advanced programming and custom IT solutions

http://mivo.truxoft.com

MIVA®  SECURITY:  Miva Security Updates Log

    http://www.miva.com/docs/empresa/RelNote394.pdf
  1. 08/25/2003  Miva Empresa v4.10
  2. ??/??/2003  Miva Empresa v4.09
  3. 05/??/2002  Commerce Libraries v3.94
  4. 08/13/2001  OpenUI (OUI) updates v2.70, v3.20, v4.10
  5. 08/07/2001  Miva Empresa / Empresa NT / Mia v3.92
  6. 03/??/2001  Miva Empresa v3.78
  7. 12/08/2001  Miva Empresa v3.77
  8. 13/11/2000  Miva Empresa / Empresa NT / Mia v3.75
  9. 07/11/2000  Miva Empresa / Empresa NT / Mia v3.71
  10. 03/14/2000  Miva Templates v3.64b
  11. ??/??/2000  Miva Empresa NT / Mia v3.63
  12. 02/10/2000  Miva Empresa v3.xx configuration
  13. ??/??/1999  Miva Empresa / Empresa NT / Mia v3.55
  14. ??/??/199?  Miva Empresa / Empresa NT / Mia v3.50
  15. ??/??/199?  Miva Empresa / Empresa NT / Mia v3.2
  16. ??/??/199?  Miva engines prior 3.xx
  17. Useful links
  18. User Comments

This list is definitely incomplete; it is based only on Miva Co's public announcements and the Miva engines' changelogs or release notes. There were also other unannounced security fixes in both Miva engines and Miva Script applications. Therefore, be sure to update to the latest versions or ask your hosting provider for it. All security updates are free of charge, and if your host claims the opposite or does not want to update for any other reason, do not hesitate to move to another one as soon as possible.



08/25/2003  Miva Empresa v4.10

??/??/2003  Miva Empresa v4.09

credits: Ivo Truxa

Release Notes v4.10
Release Notes v4.09

Empresa v4.10 contains no important change that is needed on the Windows platform. V4.10 was released just to finally plug a very old but very serious security hole on Unix machines: in previous versions it is impossible to deny long cgi-bin URLs, especially when you use the 4x (env.so) configuration type. Allowing the long calls is dangerous on any system that has areas or files with restricted access (passwords, IPs, ...). The Apache-based protection may then be bypassed very easily. This is a Unix-only problem; you should hurry to update any Unix machine, but you can ignore it on Windows machines.

When upgrading to v4.10, I made a stupid mistake: although I always overwrite all libraries with the new ones too, I quite forgot that the configuration database (by default libmivaconfig.so) is not in the update package and MUST be created by renaming env.so (if not assigned directly through a configuration directive). And since in this case the security fix was made in env.so only (absolutely no change in the mivavm binary, except the version number), this single file is actually the only important one. Because this is not mentioned in the release notes, I know that other experienced users also made the same mistake and their systems remained vulnerable even after the update.

Simply replacing the configuration library (libmivaconfig.so/env.so) is not sufficient to plug the security hole. You also have to add the following configuration directives to httpd.conf (or set the environment variables through other means):

SetEnv MvCONFIG_FLAGS_REDIRECTONLY yes
SetEnv MvCONFIG_VALIDEXTENSIONS mvc

Do not ask me why it is not the default behaviour. I really do not understand why, but unfortunately it is indeed not.

The same security flaw was already fixed in the 3x configuration mode (using the 3x.so library) in the previous version. The same note about replacing libmivaconfig.so applies in this case too. You must then add the following directives to mivavm.conf:

redirectonly=yes
validextensions=mv

Always verify that you can no longer access miva in the cgi-bin directory, or documents through it.
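
A static check of the two configuration variants described above, as an added example (not code from Miva or from the original page). It assumes the file contents are passed in as text and that `#` starts a comment in mivavm.conf; it complements the live test of the cgi-bin URL and does not replace it.

```python
import re

# Directive names are the ones quoted above. Assumptions of this sketch: '#'
# starts a comment in mivavm.conf, and httpd.conf is scanned flat (no
# <VirtualHost>/<Directory> scoping), with the last assignment winning.
REQUIRED_4X = ("MvCONFIG_FLAGS_REDIRECTONLY", "MvCONFIG_VALIDEXTENSIONS")
REQUIRED_3X = ("redirectonly", "validextensions")

def parse_setenv(text):
    """Collect 'SetEnv NAME value' pairs from httpd.conf text."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*SetEnv\s+(\S+)(?:\s+(.*?))?\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines never match, so they do not count
            env[m.group(1)] = (m.group(2) or "").strip("\"'")
    return env

def parse_keyvalue(text):
    """Collect 'key=value' pairs from mivavm.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def audit(settings, required):
    """Return a list of problems; an empty list means both directives are set."""
    redirect_key, ext_key = required
    problems = []
    if settings.get(redirect_key, "").lower() != "yes":
        problems.append(f"{redirect_key} is not 'yes' (found {settings.get(redirect_key)!r})")
    if not settings.get(ext_key):
        problems.append(f"{ext_key} is missing or empty")
    return problems

# Constructed sample inputs, not taken from a real server.
SAMPLE_HTTPD = "# SetEnv MvCONFIG_FLAGS_REDIRECTONLY yes\nSetEnv MvCONFIG_VALIDEXTENSIONS mvc\n"
SAMPLE_MIVAVM = "redirectonly=yes\nvalidextensions=mv\n"

if __name__ == "__main__":
    print("httpd.conf :", audit(parse_setenv(SAMPLE_HTTPD), REQUIRED_4X) or "OK")
    print("mivavm.conf:", audit(parse_keyvalue(SAMPLE_MIVAVM), REQUIRED_3X) or "OK")
```

The constructed httpd.conf sample fails the audit because its redirect-only directive is commented out, which is the kind of half-applied update the text warns about.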

For an unknown reason, there was no announcement about the security fix, the update instructions needed to fix the hole correctly are completely missing from the release notes, and nowhere on Miva's website or in its documents is it mentioned how important blocking the cgi-bin calls is. It means we can look forward to seeing servers wide open to exploits for many years to come.

I was not used to it, but unfortunately I have to say that in this case I was very disappointed by the approach of Miva Co to this security issue, which took almost one year to fix, and the instructions for a proper installation are still practically non-existent.



05/??/2002  Commerce Libraries v3.94

Release Notes v3.94:

  • Fixed a security bug in the AuthorizeNet commerce library.

In relation to the current changes at Authorize.net, old commerce libraries started to return error messages containing potentially compromising data like user account numbers and Authorize.net account passwords. Please be sure to update the library if you use Authorize.net as a payment method!



08/13/2001  OpenUI (OUI) updates v2.70, v3.20, v4.10

credits: Darren Ehlers, Levi Corcoran, Ivo Truxa   (full text)

Darren Ehlers, the author of OpenUI and the CEO of Starbase21, is the first third-party Miva developer (known to me) who publicly released a security alert and updated all major versions of OUI after a security hole was discovered. On 13th August 2001, after I reported a security hole in one of the SB21 custom modules, Darren also reviewed OUI and, together with Levi, fixed a serious security issue. I hope that it is a good sign and that SB21 brings more security updates in the near future. I also hope that other Miva Script and Miva Merchant developers find the courage to publish security alerts and offer free updates.

Read the original security alert or visit the websites of OpenUI or Starbase21 for details and hints for updates.



08/07/2001  Miva Empresa, Miva Mia v3.92

credits: Ivo Truxa

A very serious security flaw was discovered and reported to the Miva Co. on 4th August 2001. Due to this bug, almost any script, although otherwise secure under previous versions of Miva engines, becomes vulnerable and allows deep exploits of both Miva Data and Miva Script directories. If you are running a 3.9xxx version of a Miva engine, be sure to update immediately!

After 2 years of demands, version 3.92 finally also contains other security measures, as requested in connection with previous security issues:

  • Added parenthesis to the list of characters encoded by the encodeentities() builtin function and macro :entities encoding.
  • Added a new configuration directive, defaultmacroencoding, which allows the system administrator to specify the default encoding used for macros which do not explicitly specify an encoding method.

Therefore I highly recommend that everybody update to v3.92!

Full text of the v3.92 Release Notes


From the  v3.92 Miva security announcements to the Empresa owners:

Miva has recently learned of a security risk in Miva Empresa 3.91.
We believe all Miva Script applications running on Miva Empresa
v3.91 are vulnerable to this security risk.

To remedy the situation, you must download and install the new
Miva Empresa 3.92 engine immediately.  As a Miva Empresa licensee
you should make this your top priority. Please adhere to the
following steps to ensure proper remedy of this security risk ...

From the  v3.92 Miva security announcements to the Merchant owners:

... The security problem with the 3.91 Miva engine creates 
a security hole in Miva Merchant.



03/??/2001  Miva Empresa v3.78

credits: ???

From the v3.78 Miva Empresa Release Note:

Fixed a bug in the handling of the authuserdir configuration directive that (in
some configurations) had authorized all non-root users with their home
directories as the Miva data directory.



12/08/2000  Miva Empresa v3.77

credits: Jun Moriya

Jun was kind enough to tell me about a variation of a security glitch I reported back in Feb 2000. The difference is that, in the way Jun discovered, the configuration parameters taking care of this security issue may be bypassed. Miva Co. promptly released an update.

From the v3.77 Miva Empresa Release Note:

o  The "redirectonly" configuration variable may no longer be overridden 
   by using a forward slash instead of a question mark in a CGI-style URL.



11/13/2000  Miva Empresa v3.75

As a consequence of previously reported bugs in the security of macros, Miva releases another version with some related, but also some unrelated, security fixes.

From the v3.75 Miva Empresa Release Note:

• The ability to change the default user in Windows NT®. This feature fixes the
  problem where unauthorized users could gain access to Miva scripts through
  FrontPage® extensions.
...
• A new configuration file option, authuserdir. 
...
• <MvHIDE> encrypts the text properly. It encodes the contents in a hidden
  variable. This allows you to use <MvHIDE> with a variable that contains
  quotation marks, and other characters.
...
• On Windows NT, the Miva Engine no longer allows scripts if the user did not
  specify a data directory.
...
• If workdir is defined, explicitly denied users will not be able to gain access to
  Miva scripts.



07/11/2000  Miva Empresa / Empresa NT / Mia v3.71

credits: Ivo Truxa   (full text)

From the v3.71 Miva Empresa Release Note:

To increase your site security, macro execution has been modified to filter external
   commands that could be harmful to the system.
...
A new attribute called DEFAULTMACROENCODING has been added

The first change (the change in processing macros) improved the security of all recent Miva Scripts, including Miva Merchant. The second change (the new directive DEFAULTMACROENCODING) gave the developer a very important tool that makes writing secure scripts easier. Unfortunately, Miva Co. decided not to make all the recommended changes, which brought several other security issues in future versions.

Miva Co's Security Alert: Miva Empresa
Miva Co's Security Alert: Miva Merchant



03/14/2000  Miva Templates v3.64b

credits: Ivo Truxa

From the  v3.64 Miva Empresa ChangeLog:

1. Removed template applications, and replaced them with new programming
   examples.

2. Removed the majority of the existing sample HTML content, and replaced
   it with a new, simplified index.html.

For years, Miva Co. delivered script templates without any security measures, thereby teaching developers carefree programming habits and putting any server or local PC with the templates or their derivatives installed at serious security risk. This security issue is described in the following articles:
Miva Mia security risks
Miva Templates #1 - Form Macro Attack
Miva Templates #2 - URL Macro Attack
Miva Templates #3 - MvCALL DoS Attack



??/??/2000  Miva Empresa NT / Mia v3.63

credits: ???

A couple of serious security flaws in Windows-based engines were fixed without a public announcement (except for the changelog). I learned about it when I discovered the Mia changelog at the 3.64 update. The holes are especially dangerous in combination with the presence of the Miva Templates (see above).

From the  v3.63 Miva Empresa ChangeLog:

/..../ no longer allows scripts outside the configured script directory
to be run.

Special windows filenames (AUX, CON, PRN, etc...) are no longer allowed.

Trailing .'s (i.e. test.mv..) no longer cause the source code of a script
to be displayed.



02/10/2000  Miva Empresa v3.xx configuration

credits: Ivo Truxa

This security issue is described in art0001.htm. It is also related to a later issue solved in v3.77 - see above.

At that time Miva Co. solved the reported problem without an update of the engine, with two Tech Notes: Tech Note #1, Tech Note #2 and a change in the default parameter file.



??/??/1999  Miva Empresa / Empresa NT / Mia v3.55

credits: ???

I did not experiment with v3.55 and am therefore unsure about the relation of the bugs fixed in this release to security, but it sounds as if that could be the case:

v3.55 Miva Empresa ChangeLog



??/??/1999  Miva Empresa / Empresa NT / Mia v3.50

credits: Miva Co.

Major changes in the step from 3.2x to 3.50 brought some new security configuration parameters, but in general seriously degraded the security of Miva Script. The implementation of file system functions and the file upload functionality is an important event in the history of Miva scripts, but at the same time it allows an intruder much more serious attacks than ever before. Dropping the verification of variable names against forbidden characters may also put some scripts at serious risk.

From the  v3.50 Miva Empresa ChangeLog

6. Added support for HTTP file upload.

7. A new configuration option, validextensions, has been added.

	validextensions=.mv,.hts
	
   When defined, Miva will only execute scripts with one
   of the extensions listed.
...
10. Variable names posted from an HTML FORM or passed on the URL
    command line are no longer checked for invalid characters.  If
    a variable name contains a character that may not be used in an
    expression (i.e. -, +, *, %, etc..) it can be escaped by prepending
    a backslash.

11. Added builtin functions to manipulate files in the script directory.
    The following functions are functional equivalents the "f" functions,
    except that they manipulate files in the script directory:
...



??/??/1999  Miva Empresa / Empresa NT / Mia v3.2

credits: Miva Co.

The major upgrade from 1.2 to 3.2 brought many changes that influenced the security of Miva scripts (in both ways - positive and negative).

From the  v3.2 Miva Empresa / Miva Mia ChangeLog

1. redirectonly configuration variable
2. serveruserid configuration variable
3. GET support
...
8. encodeentities/decodeentities
9. makesessionid/Cookies
...
11. Macro Encoding
(see more features and bug fixes also in the Miva Mia changelogs included in the v3.2 changelog)



??/??/1999  Miva engines prior 3.xx

There were too many changes and security issues in the early versions of HTScript and Miva to list them here. Some of them may be found in the  v1.12 Miva Empresa / Miva Mia ChangeLog



Some Useful Links

Miva Empresa Documentation and Release Notes


   

copyright  truXoft  © 1997-2010