News:

Looking for documentation? Take a look on our wiki

Main Menu

Custom fields security hole in the Product Form

Started by balai, November 24, 2011, 15:47:17 PM

Previous topic - Next topic

balai

Hi

There is  a security hole to the cuctom field values storing procedure inside the product form.

Try to write this as value to a custom field
" onclick="alert(25);

Save it and click on the value text field.

It seems that the passed value is not sanitized from any injection.

version
2.0.0-RC-2M

stinga

Is this backend or frontend?
If backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)
Stinga.
614869 products in 747 categories with 15749 products in 1 category.
                                             Document Complete   Fully Loaded
                Load Time First Byte Start Render   Time      Requests      Time      Requests
First View     2.470s     0.635s     1.276s          2.470s       31            2.470s      31
Repeat View  1.064s     0.561s     1.100s          1.064s       4             1.221s       4

Studio 42

Hi,

this is not unsecured it's only raw data and data's are filtered out with joomla standard filter

try to write it in the editor you have same on database but because it's not an input field then you have no reaction.

but you have
Quote<p>" onclick="alert(25);</p>
because the editor add it(in case of tinymce)

If this is unsecured then all joomla is unsecured or ? ;)

BUt why not change it ? PLZ vote !

balai

#3
QuoteIf backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)
It is backend.
How can you be so sure that in a site with multiple backend users, all of them have good intentions?

@Electrocity
It does not happens in my TinyMce editor at least
It converts every HTML code to HTML entities equivelants

&lt;p&gt;" onclick="alert(25);&lt;/p&gt;
   
//This is what i get in the HTML code


You know what this means?

That everyone who has access to backend can get other users cookies  or redirect them to a malicious site whenever he likes

Milbo

This is one of the reasons that vm2 is not multivendor yet. We already use often the construction that it is not filtered for admins, but not everywhere.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

stinga

If you can't trust your employees then you have a far greater problem, I agree that in the ideal world it would not allow you to that but... heck!
If you want it changed, make the change and submit a patch, devs would love you to help out with all those small annoying items.
Stinga.
614869 products in 747 categories with 15749 products in 1 category.
                                             Document Complete   Fully Loaded
                Load Time First Byte Start Render   Time      Requests      Time      Requests
First View     2.470s     0.635s     1.276s          2.470s       31            2.470s      31
Repeat View  1.064s     0.561s     1.100s          1.064s       4             1.221s       4

PRO

Quote from: stinga on November 25, 2011, 21:25:19 PM
If you can't trust your employees then you have a far greater problem

I agree, BUT

Joomla will still put you on the VE list.


stinga

Stinga.
614869 products in 747 categories with 15749 products in 1 category.
                                             Document Complete   Fully Loaded
                Load Time First Byte Start Render   Time      Requests      Time      Requests
First View     2.470s     0.635s     1.276s          2.470s       31            2.470s      31
Repeat View  1.064s     0.561s     1.100s          1.064s       4             1.221s       4


Milbo

In fact it is the joomla filter which is not working.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

balai

#10
This is supposed to handled by the  JTable::check , which should be overriden (as i see it is) in your JTable.

What is supposed to do, is to check the input for "illegal" code and return true or false accordingly.

Milbo

The problem is not the db, the problem is in the html. We added an extra check.

and our VmTable is really an own world compared to JTable. Almost any method is overwritten.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

balai

#12
QuoteThe problem is not the db, the problem is in the html.
What you mean the problem is in the HTML ?

Quoteand our VmTable is really an own world compared to JTable. Almost any method is overwritten.
Yes i see that. Good work!
But the check function should check for illegal code too. This is supposed to be it's functionality.
Think that these data may be used by another extension. So they should be sanitized.