Custom fields security hole in the Product Form

[balai]

Hi

There is  a security hole to the cuctom field values storing procedure inside the product form.

Try to write this as value to a custom field
" onclick="alert(25);

Save it and click on the value text field.

It seems that the passed value is not sanitized from any injection.

version
2.0.0-RC-2M

[stinga]

Is this backend or frontend?
If backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)

[Studio 42]

Hi,

this is not unsecured it's only raw data and data's are filtered out with joomla standard filter

try to write it in the editor you have same on database but because it's not an input field then you have no reaction.

but you have

<p>" onclick="alert(25);</p>

because the editor add it(in case of tinymce)

If this is unsecured then all joomla is unsecured or ?

BUt why not change it ? PLZ vote !

[balai]

If backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)

It is backend.
How can you be so sure that in a site with multiple backend users, all of them have good intentions?

@Electrocity
It does not happens in my TinyMce editor at least
It converts every HTML code to HTML entities equivelants

&lt;p&gt;" onclick="alert(25);&lt;/p&gt;    
//This is what i get in the HTML code


You know what this means?

That everyone who has access to backend can get other users cookies  or redirect them to a malicious site whenever he likes

[Milbo]

This is one of the reasons that vm2 is not multivendor yet. We already use often the construction that it is not filtered for admins, but not everywhere.

[stinga]

If you can't trust your employees then you have a far greater problem, I agree that in the ideal world it would not allow you to that but... heck!
If you want it changed, make the change and submit a patch, devs would love you to help out with all those small annoying items.

[PRO]

If you can't trust your employees then you have a far greater problem

I agree, BUT

Joomla will still put you on the VE list.

[stinga]

VE list?

[PRO]

VE list?

vulnerable extensions

[Milbo]

In fact it is the joomla filter which is not working.

[balai]

This is supposed to handled by the  JTable::check , which should be overriden (as i see it is) in your JTable.

What is supposed to do, is to check the input for "illegal" code and return true or false accordingly.

[Milbo]

The problem is not the db, the problem is in the html. We added an extra check.

and our VmTable is really an own world compared to JTable. Almost any method is overwritten.

[balai]

The problem is not the db, the problem is in the html.

What you mean the problem is in the HTML ?

and our VmTable is really an own world compared to JTable. Almost any method is overwritten.

Yes i see that. Good work!
But the check function should check for illegal code too. This is supposed to be it's functionality.
Think that these data may be used by another extension. So they should be sanitized.