Regarding CSRF Attack
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Regarding CSRF Attack
Hi All,
My website is under a security audit. A CSRF attack pops up in the Joomla administrator part. I have read the topic written on the Joomla website at the link below:
http://docs.joomla.org/How_to_add_CSRF_ ... g_to_forms
but I am not able to understand it.
Can anyone tell me where I have to add tokens? For example, take com_content at this location: \www\joomla\administrator\components\com_content\views\articles\tmpl\default.php
This page is the Article page where we see the list of all the articles. Inside the view form I have added this script:
<?php echo JHtml::_( 'form.token' ); ?>
From this page we can either edit a page or create a new page. Now where do I have to add the script that checks whether the token sent from the previous page is valid or not? How can I validate it?
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Regarding CSRF Attack
How are you doing an audit?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Re: Regarding CSRF Attack
The audit is done by a third party who checks your website against different attacks.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Regarding CSRF Attack
Then please ask them to explain the results, that's why you are paying them. They should be able to understand and guide you better from their results, else you would do the audit yourself.
You have provided no useful info.
No version number
no fps
Why are you doing this audit
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Re: Regarding CSRF Attack
mandville wrote:
Then please ask them to explain the results, that's why you are paying them. They should be able to understand and guide you better from their results, else you would do the audit yourself.
You have provided no useful info.
No version number
no fps
Why are you doing this audit
My company always does a security audit before launching a website so that clients do not have any hacking-related problems. Regarding version info, I have posted it under Joomla 2.5, so obviously we are using Joomla 2.5. What else do you need to know?
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Regarding CSRF Attack
What version of 2.5 ?
What 3rd party software ?
Sorry for typo - fpa not fps
What actual error message ?
Has this happened before ?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Re: Regarding CSRF Attack
I will simply ask: do you know what a CSRF attack is? If you know, what can I describe for it? It is just a hack method used to hack websites; we need to send tokens around pages to avoid this error. I just want to know how to pass these tokens and where I have to place my code.
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Regarding CSRF Attack
@mapreet_25 please don't be disrespectful, Mandville is VEL team lead and JSST team member, she knows what CSRF is!
You didn't say exactly which version of Joomla you are using; 2.5 is only a major version. Is it the current 2.5.22?
If you would follow this subforum's rules you would submit an FPA report - http://forum.joomla.org/viewtopic.php?f=621&t=582860 - which gives us more information about what Joomla version and extensions you are working with.
The Joomla Docs article you linked explains that Joomla core is already protected with tokens, but 3rd party extension developers have to implement this in their code themselves. Your auditor should provide more details on which link they think Joomla core is not protected against CSRF.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Re: Regarding CSRF Attack
@BernardT This portal was developed two years back; this is a random security audit by a third party. They just said you need to check across all pages. It has popped up in the extension RSEVENTS. I can't tell all the details due to privacy issues.
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Regarding CSRF Attack
You don't have to fully disclose anything in a public forum, but it would be highly appreciated if you informed our responsible teams about the found vulnerabilities. This way you help the whole Joomla community. It can be completely anonymous.
If you found a vulnerability in Joomla! Core, please report it to the JSST Team:
http://developer.joomla.org/contact-security-team.html
If you found a vulnerability in a 3rd-party extension (RSEVENTS), please report the details to our VEL Team and we will take a look at it: http://vel.joomla.org/submit-vel.html
Thank you in advance.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Tue Apr 10, 2012 7:14 am
Re: Regarding CSRF Attack
@BernardT here I am explaining how they check for the CSRF error. They open the RSEVENT page where the list of all events appears. Now in another tab they open a test email which shows a "click here for interesting images" link. That page has the following code:
<html>
<frameset rows="100%,0%">
<frame src="efgh.html">
<frame src="csrf.html">
</frameset><noframes></noframes>
</html>
i.e. two frames: one is displayed and the other is given 0% so it is not displayed.
efgh.html will show an image and has the following code:
<html>
<body>
<img src="2404929_xxlarge-lnd.jpg" />
</body>
</html>
while the other frame, which is not visible, has the following code:
<html>
<body>
<form enctype="application/x-www-form-urlencoded" name="xx" method="get" action="http://localhost/joomla/administrator/index.php">
<input type="hidden" name="option" value="com_del" />
<input type="hidden" name="evt" value="1" />
</form>
<script>
document.xx.submit();
</script>
</body>
</html>
When we click on that image link in the email it deletes some entry in the Events table.
This is what happened. Now where do I pass tokens? Moreover, I think the developer has modified the code of events a bit, so I am not sure whether they removed it or whether by default it comes as it is, without CSRF tokens. To verify, I have re-installed that extension again in a test Joomla setup, but I don't find tokens passed in the Event list page the way the Joomla core article component passes tokens even in the article list view page.
-
- Joomla! Ace
- Posts: 1460
- Joined: Sat Jan 21, 2006 8:42 pm
Re: Regarding CSRF Attack
@mapreet_25 are you able to read the questions you were asked?
You've been asked twice for the versions you use, why don't you answer these questions?
manpreet_25 wrote: I can't tell all details due to privacy issue.
No one here has asked for names or anything, there are no privacy issues with the questions you've been asked!
manpreet_25 wrote: My company always do security audit before launching a website so that clients do not have any hacking related problem.
A real security audit of code costs some thousands of dollars, my friend, so I very much doubt that you're talking here about a serious code audit...
manpreet_25 wrote: Now where i pass tokens.
In your forms... Please see the Joomla docs: http://docs.joomla.org/How_to_add_CSRF_ ... g_to_forms
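As an added example (not code from this thread, from Joomla core or from RSEvents), here is where the two halves of Joomla 2.5's token check go for a hypothetical admin component com_example with an "events" list view: the template emits the token with JHtml::_('form.token'), and the controller task that changes data calls JSession::checkToken() before doing anything. The component name, the Event model and the delete task are assumptions.

```php
<?php
// Added example for a hypothetical com_example (Joomla 2.5); not from the thread,
// Joomla core or RSEvents. File: administrator/components/com_example/controller.php
defined('_JEXEC') or die;

jimport('joomla.application.component.controller');

class ExampleController extends JController
{
    // Every task that changes data gets the check; read-only list views do not need it.
    public function delete()
    {
        // JSession::checkToken() looks for the per-session token that
        // JHtml::_('form.token') put into the form as a hidden field. A request
        // forged from another site (like the GET form in the auditor's PoC)
        // carries no such field, so the check fails and the task aborts here.
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        $ids = JRequest::getVar('cid', array(), 'post', 'array');
        JArrayHelper::toInteger($ids);

        if (empty($ids))
        {
            JError::raiseWarning(500, JText::_('JERROR_NO_ITEMS_SELECTED'));
        }
        else
        {
            $model = $this->getModel('Event'); // assumed model, extends JModelAdmin
            if ($model->delete($ids))
            {
                $this->setMessage(JText::plural('COM_EXAMPLE_N_ITEMS_DELETED', count($ids)));
            }
            else
            {
                $this->setMessage($model->getError(), 'error');
            }
        }

        $this->setRedirect('index.php?option=com_example&view=events');
    }
}
?>
<!-- File: administrator/components/com_example/views/events/tmpl/default.php
     The list view posts back to the same component; the token is the last hidden field. -->
<form action="<?php echo JRoute::_('index.php?option=com_example'); ?>" method="post" name="adminForm" id="adminForm">
    <!-- one checkbox per row, named cid[], goes here -->
    <input type="hidden" name="task" value="" />
    <?php echo JHtml::_('form.token'); ?>
</form>
```

JSession::checkToken() reads the token from POST by default; a task that is legitimately triggered by a link must call JSession::checkToken('get') and append the token to the URL with JSession::getFormToken().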
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Regarding CSRF Attack
As I understood it, mapreet_25 is "reporting" a CSRF issue in the 3rd party extension "RS Forms". Since that's a commercial extension which is not freely available, the proper step (which I already suggested) would be to post a VEL report, so we can act accordingly.
@mapreet_25 please take a minute and report it to http://vel.joomla.org/submit-vel.html
Thanks
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak