Custom fields security hole in the Product Form

balai · November 24, 2011, 15:47:17 PM

Hi

There is a security hole to the cuctom field values storing procedure inside the product form.

Try to write this as value to a custom field
" onclick="alert(25);

Save it and click on the value text field.

It seems that the passed value is not sanitized from any injection.

version
2.0.0-RC-2M

stinga · November 24, 2011, 17:01:54 PM

Is this backend or frontend?
If backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)

Studio 42 · November 24, 2011, 17:52:40 PM

Hi,

this is not unsecured it's only raw data and data's are filtered out with joomla standard filter

try to write it in the editor you have same on database but because it's not an input field then you have no reaction.

but you have

Quote<p>" onclick="alert(25);</p>

because the editor add it(in case of tinymce)

If this is unsecured then all joomla is unsecured or ?

BUt why not change it ? PLZ vote !

balai · November 25, 2011, 10:30:06 AM

QuoteIf backend then 'Don't do that!' if frontend then maybe the psp file you found this in will help speed things along :-)

It is backend.
How can you be so sure that in a site with multiple backend users, all of them have good intentions?

@Electrocity
It does not happens in my TinyMce editor at least
It converts every HTML code to HTML entities equivelants

<p>" onclick="alert(25);</p>
//This is what i get in the HTML code

You know what this means?

That everyone who has access to backend can get other users cookies or redirect them to a malicious site whenever he likes

Milbo · November 25, 2011, 13:18:14 PM

This is one of the reasons that vm2 is not multivendor yet. We already use often the construction that it is not filtered for admins, but not everywhere.

stinga · November 25, 2011, 21:25:19 PM

If you can't trust your employees then you have a far greater problem, I agree that in the ideal world it would not allow you to that but... heck!
If you want it changed, make the change and submit a patch, devs would love you to help out with all those small annoying items.

PRO · November 25, 2011, 21:27:13 PM

Quote from: stinga on November 25, 2011, 21:25:19 PM
If you can't trust your employees then you have a far greater problem

I agree, BUT

Joomla will still put you on the VE list.

stinga · November 25, 2011, 21:32:41 PM

VE list?

PRO · November 25, 2011, 21:35:47 PM

Quote from: stinga on November 25, 2011, 21:32:41 PM
VE list?

vulnerable extensions

Milbo · November 26, 2011, 00:21:01 AM

In fact it is the joomla filter which is not working.

balai · November 26, 2011, 12:53:02 PM

This is supposed to handled by the JTable::check , which should be overriden (as i see it is) in your JTable.

What is supposed to do, is to check the input for "illegal" code and return true or false accordingly.

Milbo · November 26, 2011, 14:46:52 PM

The problem is not the db, the problem is in the html. We added an extra check.

and our VmTable is really an own world compared to JTable. Almost any method is overwritten.

balai · November 26, 2011, 22:11:32 PM

QuoteThe problem is not the db, the problem is in the html.

What you mean the problem is in the HTML ?

Quoteand our VmTable is really an own world compared to JTable. Almost any method is overwritten.

Yes i see that. Good work!
But the check function should check for illegal code too. This is supposed to be it's functionality.
Think that these data may be used by another extension. So they should be sanitized.

News:

Custom fields security hole in the Product Form