Author Topic: Custom fields security hole in the Product Form  (Read 3451 times)

balai

  • 3rd party VirtueMart Developer
  • Full Member
  • *
  • Posts: 1409
Custom fields security hole in the Product Form
« on: November 24, 2011, 15:47:17 pm »
Hi

There is a security hole in the custom field value storing procedure inside the product form.

Try to write this as value to a custom field
" onclick="alert(25);

Save it and click on the value text field.

It seems that the passed value is not sanitized from any injection.

version
2.0.0-RC-2M

stinga

  • Contributing Developer
  • Full Member
  • *
  • Posts: 872
    • Squangle ltd
Re: Custom fields security hole in the Product Form
« Reply #1 on: November 24, 2011, 17:01:54 pm »
Is this backend or frontend?
If backend then 'Don't do that!'; if frontend then maybe the php file you found this in will help speed things along :-)
Stinga.
614869 products in 747 categories with 15749 products in 1 category.
                                             Document Complete   Fully Loaded
                Load Time First Byte Start Render   Time      Requests      Time      Requests
First View     2.470s     0.635s     1.276s          2.470s       31            2.470s      31
Repeat View  1.064s     0.561s     1.100s          1.064s       4             1.221s       4

Studio 42

  • Contributing Developer
  • Sr. Member
  • *
  • Posts: 4336
  • Joomla & Virtuemart developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3
Re: Custom fields security hole in the Product Form
« Reply #2 on: November 24, 2011, 17:52:40 pm »
Hi,

This is not unsecured, it's only raw data, and the data are filtered out with the Joomla standard filter.

Try to write it in the editor: you have the same in the database, but because it's not an input field you get no reaction.

but you have
Quote
<p>" onclick="alert(25);</p>
because the editor adds it (in the case of TinyMCE).

If this is unsecured then all of Joomla is unsecured, or? ;)

But why not change it? PLZ vote!

balai

Re: Custom fields security hole in the Product Form
« Reply #3 on: November 25, 2011, 10:30:06 am »
Quote
If backend then 'Don't do that!'; if frontend then maybe the php file you found this in will help speed things along :-)
It is backend.
How can you be so sure that in a site with multiple backend users, all of them have good intentions?

@Electrocity
It does not happen in my TinyMCE editor at least.
It converts all HTML code to its HTML entity equivalents.

&lt;p&gt;" onclick="alert(25);&lt;/p&gt;
   
//This is what I get in the HTML code


You know what this means?

That everyone who has access to the backend can get other users' cookies or redirect them to a malicious site whenever he likes.

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10040
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Custom fields security hole in the Product Form
« Reply #4 on: November 25, 2011, 13:18:14 pm »
This is one of the reasons that vm2 is not multivendor yet. We already often use the construction that it is not filtered for admins, but not everywhere.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

stinga

Re: Custom fields security hole in the Product Form
« Reply #5 on: November 25, 2011, 21:25:19 pm »
If you can't trust your employees then you have a far greater problem. I agree that in the ideal world it would not allow you to do that but... heck!
If you want it changed, make the change and submit a patch, devs would love you to help out with all those small annoying items.
Stinga.

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10406
  • VirtueMart Version: 3+
Re: Custom fields security hole in the Product Form
« Reply #6 on: November 25, 2011, 21:27:13 pm »
If you can't trust your employees then you have a far greater problem

I agree, BUT

Joomla will still put you on the VE list.

J3.9+ VM 3.4.2
Slowest Page Speed Score (88) (Category)
Fastest Page Speed Score (94-96) (productdetails)

stinga

Re: Custom fields security hole in the Product Form
« Reply #7 on: November 25, 2011, 21:32:41 pm »
VE list?
Stinga.

PRO

Re: Custom fields security hole in the Product Form
« Reply #8 on: November 25, 2011, 21:35:47 pm »

Milbo

Re: Custom fields security hole in the Product Form
« Reply #9 on: November 26, 2011, 00:21:01 am »
In fact it is the joomla filter which is not working.

balai

Re: Custom fields security hole in the Product Form
« Reply #10 on: November 26, 2011, 12:53:02 pm »
This is supposed to be handled by JTable::check, which should be overridden (as I see it is) in your JTable.

What it is supposed to do is check the input for "illegal" code and return true or false accordingly.

Milbo

Re: Custom fields security hole in the Product Form
« Reply #11 on: November 26, 2011, 14:46:52 pm »
The problem is not the db, the problem is in the html. We added an extra check.

And our VmTable is really a world of its own compared to JTable. Almost every method is overwritten.

balai

Re: Custom fields security hole in the Product Form
« Reply #12 on: November 26, 2011, 22:11:32 pm »
Quote
The problem is not the db, the problem is in the html.
What do you mean, the problem is in the HTML?

Quote
And our VmTable is really a world of its own compared to JTable. Almost every method is overwritten.
Yes, I see that. Good work!
But the check function should check for illegal code too. This is supposed to be its functionality.
Think that these data may be used by another extension. So they should be sanitized.
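
The storage-versus-HTML distinction raised in replies #11 and #12, as an added example that is not code from the thread or from VirtueMart: the value from the first post is written into an input's value attribute once unescaped and once attribute-encoded, and the markup is parsed to show which attributes the element ends up with. The function names and the field name `customfield` are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not VirtueMart's.

// Constructed sample: the value from the first post, as stored in the database.
$stored = '" onclick="alert(25);';

// Before: the stored value is concatenated straight into the attribute.
function renderFieldRaw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// After: every dynamic piece is encoded for an HTML attribute context.
// ENT_QUOTES matters: the double quote is what ends value="...".
function renderFieldEscaped(string $name, string $value): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $e($name) . '" value="' . $e($value) . '" />';
}

// Parse the markup with an HTML parser and list the attributes
// that actually end up on the <input> element.
function inputAttributes(string $html): array
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

$raw     = inputAttributes(renderFieldRaw('customfield', $stored));
$escaped = inputAttributes(renderFieldEscaped('customfield', $stored));

// Raw rendering: the value attribute is cut short and an onclick attribute exists.
var_dump(isset($raw['onclick']), $raw['value']);
// Escaped rendering: no onclick, and the value round-trips for the next edit.
var_dump(isset($escaped['onclick']), $escaped['value'] === $stored);
```

An input-side check such as the table check() discussed above can complement this, but the attribute breakout is closed only at the point where the value is written into HTML.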