General discussion of OpenCATS

Moderators: RussH, cptr13

By DRHarrison
#4824
We just had our annual security penetration test, and OpenCATS was flagged due to the older versions of PHP, Apache, and OpenSSL from the XAMPP 5.6.28-1-VC11 installer we used with OpenCATS. Those older versions have vulnerabilities that were flagged.

Our OpenCATS install is version 0.9.4-3 and is running on Windows 10.

Is there a newer version of XAMPP that contains newer versions of PHP, Apache, and OpenSSL that is compatible with OpenCATS?

Thanks!
By RussH
#4830
Hi there,

Yes, the version that should be released as prod shortly is PHP 7.2 compatible.

https://github.com/opencats/OpenCATS/re ... ag/0.9.5-3

Note that you should migrate carefully; ideally test-migrate first and do not do it on your prod system in the first instance. This is not PHP 7.4 compatible; those changes will be rolled into future releases.
By DRHarrison
#4832
Thanks Russ.

Any idea when the new release will be available for production?

Noted on the 7.2 version.

I will make sure to migrate in test first.
By RussH
#4840
It's dependent on me getting my lazy/busy arse into gear and pushing the release. There shouldn't be any code changes in there; I just need to merge Develop to Master, then release.
By DRHarrison
#5007
Checking again in 2021. Any updates on releasing the version that fixes the security issues?
Thanks,
Dennis
By RussH
#5008
Hi,

The PHP 7.2 compatible version is released; it's at github.com/opencats/opencats/releases. As with all significant upgrades: back up, install carefully in test, then migrate prod only when you're happy.

There are two open vulnerabilities:
1. Malicious uploads (via the career portal, if you have it enabled). You need to ensure you have a sufficiently strong .htaccess configured to prevent script execution in the upload directory. I'll post some guidance shortly.

2. An authenticated user can exploit some of the forms at the backend (in largely the same way). This is a lower severity as the user needs to already have a backend logon to OpenCATS; however, there is a patch that'll be released to mitigate this.
By RussH
#5016
Okay, so this is a wiki entry for restricting file upload to certain filetypes only. I fully expect it'll need some clarification, so feel free to contribute edits. But basically it restricts directory listing and only permits particular filetypes.

https://github.com/opencats/OpenCATS/wi ... .htaccess)

These restrictions for the upload directory COULD be added to the single .htaccess you (should) have in your webroot, but to prevent a .htaccess file being uploaded to your upload directory I like to add this separately to all the folders under the upload subdirectory, owned by root (so it can't be overwritten by a file from the Apache user), just in case someone manages to upload htaccess.txt as their CV/resume and then manages to rename it to .htaccess.

At the moment it restricts file uploads to (pdf, rtf, odf, doc, docx, txt, wpd). If you want images to be uploaded (e.g. photos for proof of ID) then this will have to be amended.

Note you will have to change the syntax if you're running Apache 2.2 or 2.4, and of course you need to create your own if you're on nginx.

Last but not least: haven't tested this yet. Will do though!!
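The restrictions described in the two posts above (no directory listing, no script execution in the upload tree, only the listed document types served), written out as an added example for this thread rather than the wiki entry's own file. It assumes Apache 2.4 and an AllowOverride setting for the upload directory that permits Options, FileInfo and AuthConfig directives in .htaccess; the allowed extension list is the one the post gives.

```apache
# Added example (not the OpenCATS wiki's .htaccess): restrictive .htaccess for
# each folder under the OpenCATS upload directory, Apache 2.4 syntax.
# Assumes AllowOverride allows Options, FileInfo and AuthConfig here.

# No directory listing and no CGI execution in this tree
Options -Indexes -ExecCGI

# Strip any handler that could execute an uploaded file, so that even a file
# the allow-list below lets through is served as inert bytes, never run.
<FilesMatch "(?i)\.(ph(p[0-9]?|tml|ar|ps)|cgi|pl|py|sh)$">
    SetHandler default-handler
    ForceType text/plain
</FilesMatch>
# Belt and braces for mod_php (PHP 7 is mod_php7.c, PHP 8 is mod_php.c)
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Deny every file by default, then grant only the document types listed in
# the post. Later <FilesMatch> sections override earlier ones for a matching
# name, so the grant wins for allowed types only. The single-extension
# pattern ([^.]+) also rejects double extensions such as resume.php.pdf.
<FilesMatch ".">
    Require all denied
</FilesMatch>
<FilesMatch "(?i)^[^.]+\.(pdf|rtf|odf|doc|docx|txt|wpd)$">
    Require all granted
</FilesMatch>

# Apache 2.2: replace "Require all denied" with
#     Order deny,allow
#     Deny from all
# and "Require all granted" with
#     Order allow,deny
#     Allow from all
```

Two things to check after dropping the file into place. First, AllowOverride: if the server's `<Directory>` block for the upload path sets `AllowOverride None`, Apache silently ignores the file, so request a harmless test document from the folder and confirm the expected 403 for a disallowed name before relying on it. Second, the root-ownership trick in the post only protects the file contents, not the directory entry: if the Apache user can write to the directory it can still unlink the root-owned .htaccess and create its own, so either keep the directory itself non-writable by the Apache user (uploads go into a subfolder), set the sticky bit on it, or mark the file immutable with `chattr +i` on Linux.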
