Regarding CSRF Attack

Discussion regarding Joomla! 2.5 security issues.

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Regarding CSRF Attack

Post by manpreet_25 » Thu Jul 24, 2014 5:42 am

Hi All,

My website is under a security audit. A CSRF attack popped up in the Joomla administrator part. I have read the topic written on the Joomla website at the link below:
http://docs.joomla.org/How_to_add_CSRF_ ... g_to_forms
but I am not able to understand it.

Can anyone tell me where I have to add tokens? For example, if we take the specific case of com_content at this location \www\joomla\administrator\components\com_content\views\articles\tmpl\default.php
This page is the Articles page where we see the list of all the articles. Inside the view form I have added this script:
<?php echo JHtml::_( 'form.token' ); ?>
From this page we can either edit a page or create a new page. Now where do I have to add the script that checks whether the token sent from the previous page is valid or not? How can I validate it?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Regarding CSRF Attack

Post by mandville » Thu Jul 24, 2014 5:56 am

How are you doing an audit?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Re: Regarding CSRF Attack

Post by manpreet_25 » Thu Jul 24, 2014 6:08 am

The audit is done by a third party who checks your website against different attacks.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Regarding CSRF Attack

Post by mandville » Thu Jul 24, 2014 6:33 am

Then please ask them to explain the results, that's why you are paying them. They should be able to understand and guide you better from their results; otherwise you would do the audit yourself.
You have provided no useful info.
No version number
No FPA
Why are you doing this audit?

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Re: Regarding CSRF Attack

Post by manpreet_25 » Thu Jul 24, 2014 7:28 am

mandville wrote: Then please ask them to explain the results, that's why you are paying them. They should be able to understand and guide you better from their results; otherwise you would do the audit yourself.
You have provided no useful info.
No version number
No FPA
Why are you doing this audit?

My company always does a security audit before launching a website so that clients do not have any hacking-related problems. Regarding version info, I have posted it under Joomla 2.5, so obviously we are using Joomla 2.5. What else do you need to know?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Regarding CSRF Attack

Post by mandville » Thu Jul 24, 2014 8:24 am

What version of 2.5?
What 3rd party software?
Sorry for the typo: FPA, not fps.
What actual error message?
Has this happened before?

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Re: Regarding CSRF Attack

Post by manpreet_25 » Thu Jul 24, 2014 8:38 am

I will simply ask: do you know what a CSRF attack is? If you know, I can describe it. It is just a hacking method used to hack websites; we need to send tokens around pages to avoid this error. I just want to know how to pass these tokens and where I have to place my code.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Regarding CSRF Attack

Post by Bernard T » Thu Jul 24, 2014 10:15 am

@mapreet_25 please don't be disrespectful, Mandville is VEL team lead and JSST team member, she knows what CSRF is!

You didn't say which version of Joomla exactly you are using; 2.5 is only a major version. Is it the current 2.5.22?
If you followed this subforum's rules you would submit an FPA report - http://forum.joomla.org/viewtopic.php?f=621&t=582860 - which gives us more information about which Joomla version and extensions you are working with.

The Joomla Docs article you linked explains that Joomla core is already protected with tokens. But 3rd party extension developers have to implement this in their code themselves. Your auditor should provide more details on which link they think Joomla core is not protected against CSRF.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Re: Regarding CSRF Attack

Post by manpreet_25 » Fri Jul 25, 2014 4:28 am

@BernardT This portal was developed two years back; this is a random security audit by a third party. They just said you need to check across all pages. It has popped up in the extension RSEVENTS. I can't tell all the details due to privacy issues.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Regarding CSRF Attack

Post by Bernard T » Fri Jul 25, 2014 4:50 am

You don't have to fully disclose anything in a public forum, but it would be highly appreciated if you informed our responsible teams about the found vulnerabilities. This way you help the whole Joomla community. It can be completely anonymous.

If you found a vulnerability in Joomla! Core, please report it to the JSST Team:
http://developer.joomla.org/contact-security-team.html

If you found a vulnerability in a 3rd-party extension (RSEVENTS), please report the details to our VEL Team and we will take a look at it: http://vel.joomla.org/submit-vel.html

Thank you in advance.

manpreet_25
Joomla! Enthusiast
Posts: 101
Joined: Tue Apr 10, 2012 7:14 am

Re: Regarding CSRF Attack

Post by manpreet_25 » Fri Jul 25, 2014 6:36 am

@BernardT here I am explaining how they check for the CSRF error. They open the RSEVENTS page where the whole event list appears. Now in another tab they open a test email which shows a "click here for interesting images" link. That page has the following code:
<html>
<frameset rows="100%,0%">
<frame src="efgh.html">
<frame src="csrf.html">
</frameset><noframes></noframes>
</html>

i.e. two frames: one is displayed and the other one is given 0%, so it is not displayed.
efgh.html will show an image and has the following code:
<html>
<body>
<img src="2404929_xxlarge-lnd.jpg" />
</body>
</html>

while the other frame, which is not visible, has the following code:

<html>
<body>
<form enctype="application/x-www-form-urlencoded" name="xx" method="get" action="http://localhost/joomla/administrator/index.php">
<input type="hidden" name="option" value="com_del" />
<input type="hidden" name="evt" value="1" />
</form>
<script>
document.xx.submit();
</script>
</body>
</html>

When we click on that image link in the email it deletes some entry in the Events table.

This is what happened. Now where do I pass tokens? Moreover, I think the developer has modified the code of the events extension a bit, so I am not sure whether they removed it or it comes this way by default, without CSRF tokens. To verify, I have re-installed that extension again in a test Joomla setup, but I don't find tokens passed in the Event list page the way the Joomla core article component passes tokens even in the article list view page.

RedEye
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: Regarding CSRF Attack

Post by RedEye » Tue Jul 29, 2014 3:31 pm

@mapreet_25 are you able to read the questions you were asked?
You've been asked twice for the versions you use, why don't you answer these questions?
manpreet_25 wrote: I can't tell all the details due to privacy issues.
No one here has asked for names or anything like that, there are no privacy issues with the questions you've been asked!
manpreet_25 wrote: My company always does a security audit before launching a website so that clients do not have any hacking-related problems.
A real security audit for code costs some thousands of dollars, my friend, so I very much doubt that you're talking here about a serious code audit...
manpreet_25 wrote: Now where do I pass tokens?
In your forms... Please see the Joomla docs http://docs.joomla.org/How_to_add_CSRF_ ... g_to_forms
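Where the token goes and where it is checked, as an added example written for this thread (it is not code from the thread, from Joomla core, or from any real extension): a Joomla 2.5 component's list template carries the token, and its delete task refuses any request that does not carry it. The component, class, table and file names (com_myevents, MyeventsController, #__myevents) are assumed.

```php
<?php
// Added example, not from the thread or any real extension; com_myevents,
// MyeventsController and #__myevents are assumed names.
// File: administrator/components/com_myevents/controller.php
defined('_JEXEC') or die;
jimport('joomla.application.component.controller');

class MyeventsController extends JController
{
    // Reached as index.php?option=com_myevents&task=delete, POSTed by adminForm.
    public function delete()
    {
        // 1. Require the per-session token that JHtml::_('form.token') rendered
        //    into the form. A page on another origin cannot read or guess it, so
        //    an auto-submitting form like the audit PoC fails here. The token is
        //    looked up in POST only, so the PoC's GET request is rejected as well.
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        // 2. Only now trust the submitted ids, and cast each one to an integer.
        $ids = JRequest::getVar('cid', array(), 'post', 'array');
        $ids = array_map('intval', $ids);

        if (!empty($ids)) {
            $db    = JFactory::getDbo();
            $query = $db->getQuery(true)
                ->delete($db->quoteName('#__myevents'))
                ->where($db->quoteName('id') . ' IN (' . implode(',', $ids) . ')');
            $db->setQuery($query);
            $db->query();
        }

        $this->setRedirect('index.php?option=com_myevents', JText::_('Events deleted'));
    }
}

// File: administrator/components/com_myevents/views/events/tmpl/default.php
// The list template: the hidden token field is what the controller above checks.
?>
<form action="<?php echo JRoute::_('index.php?option=com_myevents'); ?>"
      method="post" name="adminForm" id="adminForm">
    <?php foreach ($this->items as $i => $item) : ?>
        <?php echo JHtml::_('grid.id', $i, $item->id); ?>
        <?php echo $this->escape($item->title); ?><br />
    <?php endforeach; ?>
    <button type="submit">Delete selected</button>
    <input type="hidden" name="task" value="delete" />
    <input type="hidden" name="boxchecked" value="0" />
    <?php echo JHtml::_('form.token'); ?>
</form>
```

Joomla 2.5's own JControllerAdmin::delete() performs the same JSession::checkToken() call first, which is why core com_content is protected even though the token is only a hidden field in its list template.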

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Regarding CSRF Attack

Post by Bernard T » Wed Jul 30, 2014 6:13 pm

As I understood it, mapreet_25 is "reporting" a CSRF issue in the 3rd party extension "RS Forms". Since that's a commercial extension which is not freely available, the proper step (which I already suggested) would be to post a VEL report, so we can act accordingly.

@mapreet_25 please take a minute and report it to http://vel.joomla.org/submit-vel.html
Thanks

