Extension depublished after falsely reporting a vulnerability.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Jul 18, 2023 12:26 pm

Hi all!

I faced this problem. I received an email from the vel team that my extension contains Reflected XSS and has been added to the VEL list. After a short correspondence, it turned out that there is no vulnerability, and the report was a fraud. After that I did not find my extension in the VEL list, it was probably excluded. But two days later my extension was depublished. I created a support ticket, but there is no response, the extension is still invisible. Right now my extension is not on the VEL list. I am asking you to look into this situation because I am concerned.

The name of my extension is QuickForm. The report was submitted by a certain Siva from Payatu Security Consulting Services. It is designed in such a way that, at a cursory glance, it may look like the truth, but it includes false information. I have no idea why anyone would need to do this.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Jul 18, 2023 5:51 pm

Sorry for the problems created, I will look into it ASAP. I am working in one-man-orchestra mode here, [censored] happens. My apologies for the inconvenience created.
Tips on Joomla - http://joomla-tips.org
My LinkedIn profile - http://ro.linkedin.com/in/webgobe
Like a fine wine - getting better over time!

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Jul 18, 2023 5:55 pm

Your extension is back, my apologies.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Jul 18, 2023 6:06 pm

Thanks a lot!

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Sat Jul 29, 2023 6:23 pm

Oh, it happened again. It's been 10 days and my extension has been depublished again. This is due to the same false report.

I cannot understand why this is happening. My extension is not currently in the VEL list. It was not added there because the vulnerability did not exist.

I spoke with a member of the VEL team even then (2 weeks ago). This report was an act of unfair competition; it contained outright lies. Therefore, the extension was not added to the VEL list. But nevertheless, it has now been depublished a second time.

I would really appreciate it if the issue were resolved. This causes me great inconvenience and distracts me from work. If possible, please correct the reason why this is happening.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Sun Jul 30, 2023 7:04 am

Will check. Last time it was my personal error - I overlooked a message and acted with incomplete info at hand. This time I wasn't the culprit, and I am wondering what happened. (Worth mentioning that acting on these VEL-based tickets is not my field; I am just trying to give some help and fill an empty position beside my normal seat, so I can make errors here.) Will get back to you on this.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Extension depublished after falsely reporting a vulnerability.

Post by mandville » Sun Jul 30, 2023 7:41 am

I believe this was actually my fault this time. I was going through a long list of call-backs and missed the corresponding email. I have also asked the "reporter" for a full and complete POC of their report [that went to JSST instead of direct to VEL] and informed them of your comments.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Mon Jul 31, 2023 6:24 am

The extension is back. Our apologies for the problems.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Mon Jul 31, 2023 1:17 pm

Thanks for the quick response. Now the extension is available, but another problem has appeared. All reviews and ratings have disappeared. The component has gone into the invisible area of the repository, it's a crash for me.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Aug 01, 2023 6:28 am

As I see, there are 2 extensions with the same name: the original one and a new one, unpublished, submitted about a week ago. Did you try to resubmit your extension? I can't explain what happened...

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Aug 01, 2023 6:38 am

No, the second instance is not mine. When you published the extension (two weeks ago), it wasn't there. All reviews were spot on. Now I see that a second copy (unpublished) has appeared, and there are no reviews in either case.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Aug 01, 2023 6:42 am

Weird. I just clicked on the Publish button, and I am sure that Mandville did the same thing when unpublishing. Let's see what we can find there.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Aug 01, 2023 6:57 am

This is what I see. Something is obviously f***d up in the database. How that could have happened, I have no idea. The entire code in JED is ancient, based on an old version of Fabrik, and all the developers who built it are long gone. I passed the issue to someone who MIGHT be able to figure it out and fix it.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Tue Aug 01, 2023 7:01 am

Forgot to mention that BOTH extensions have the same internal ID, and in the Other Extensions section - where you should see the other one when you look at one of these - there is nothing. So, sorry, but this is well above my head, and outside the area where I have access. Sorry for the troubles, but I am sure that this is not a human error, and definitely not something deliberately produced.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Aug 01, 2023 7:37 am

I can only hope. Reviews must remain in the database, there is no reason for the opposite.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Extension depublished after falsely reporting a vulnerability.

Post by mandville » Tue Aug 01, 2023 1:11 pm

All I normally do is send the email and assign the UR code, and then unpublish. I think this is a suitable graphic description of the JED server and code.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Aug 01, 2023 2:34 pm

I can make some guesses; for example, this may be due to the fact that reviews are not displayed for unpublished extensions. Since one of the copies is unpublished, but both versions have the same identifier, their product has a negative value. This can be easily verified by publishing the second instance. But I don't understand how two different records can have the same id and be in different states. This is a dangerous situation, because deleting one copy can result in deleting both copies at once.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Wed Aug 02, 2023 6:19 am

Probably the reviews are still in the database, just unlinked from the entry. Check Claire's post - that depicts the exact situation. JED is a jungle of code without a tracker who knows the right paths. Maps are eaten by termites, and the GPS signal is off.
Reviews probably can be re-linked to the correct entry with some effort. The question is at what cost - and we are not talking here about the needed work, but the possible consequences. I mean nobody knows what EXACTLY will happen if you manually make changes in the database. Yes, you are right, having two entries with the same ID in a database like this simply should not be possible and theoretically should never happen - yet we have it, as you can see...

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Thu Aug 03, 2023 12:02 am

I'm sorry to be persistent, but I want to know whether anyone is dealing with the issue or not. The concern is that I still have traffic from Google due to the good extension rating. But after re-indexing of the repository, I will lose it. Time is of the essence.

I am a developer and I understand that the logic for solving such problems is simple. I would be able to fix the problem in maybe 20 minutes, or a little more depending on the situation. I can also offer different solution scenarios without looking at the code, or locally view the files sent to me.

In fact, it's a nightmare to spend 9 years on development and return to the beginning with a zero rating. If you do something with high quality, it is so that it is in demand. No one will improve anything that is not visible.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Thu Aug 03, 2023 7:26 am

funcvar wrote:
Thu Aug 03, 2023 12:02 am
I am a developer and I understand that the logic for solving such problems is simple. I would be able to fix the problem in maybe 20 minutes. Or a little more depending on the situation. I can also offer different solution scenarios without looking at the code. Or locally view the files sent to me.
There is a simple way to do this: come in and join the JED developers team.
Send a message to the JED team leader Mark Fleeson (mfleeson) here: memberlist.php?mode=viewprofile&u=438896, or join the JED channel in Mattermost. You will be warmly welcomed.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Thu Aug 03, 2023 7:28 am

I forgot to attach the Mattermost channel URL: https://joomlacommunity.cloud.mattermos ... discussion

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Aug 15, 2023 2:25 am

Unfortunately my issue is still not resolved. I wrote to Mark but didn't get a response. Alas... Thus, I became green with sadness...

darb
Joomla! Hero
Posts: 2042
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: Extension depublished after falsely reporting a vulnerability.

Post by darb » Mon Oct 02, 2023 8:42 am

funcvar wrote:
Tue Aug 15, 2023 2:25 am
Unfortunately my issue is still not resolved. I wrote to Mark but didn't get a response. Alas... Thus, I became green with sadness...
Hmm, just saw this addressing too:
@sheva77.
Please get in touch [email protected] and I'll show you the current git code. It's currently being developed by two of us, having a third would be fantastic if you're able to spare some time.
Best Wishes
Mark. JED TL.
Didn't it work to get in contact with Mark?

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Wed Oct 04, 2023 11:16 am

Thanks for the info. I’ll contact him via this email, maybe now there will be an answer?

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Wed Oct 04, 2023 3:32 pm

Hopefully yes. But as an aftermath of the recent Rochen server chores, he might be less reachable than usual.
But the problem is deeper than that. The issue has been created in the first place by a bug in JED3 and a human error, combined. We are humans, supposed to make errors sometimes, and we try to fix these errors as we can. The issue is that JED3 is an uncharted jungle, and currently there is nobody in the JED developers team - as far as I know - who has the in-depth knowledge of the internal structure of the JED3 database needed to fix this problem without creating more problems. And this is the key issue. We need someone to do the open brain surgery here to have the issue fixed. The few volunteers we have are ALL working on the new JED - that's the main focus. All I can do there is to keep my fingers crossed - and to pass the info to the right persons in the internal channels, in the hope of finally having a resolution.
I feel your pain, and I agree that this should be resolved. I just don't see who can do this for you, and when. My sincere apologies, but I think it is better to present you the naked truth than some sugar-coated lies.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Wed Oct 04, 2023 4:22 pm

I have now taken on a project for 2-3 months, so I am not trying to find a customer. I can wait a while. But be that as it may, free extensions on JED are not limited to naked altruism; they are an advertisement of your capabilities, and this gives you clients.

I have been repairing websites for more than 10 years, and I don’t see a software problem in this case. Such errors are easily resolved. The real problem is that the best extension in its category fell out of the rankings. And I will need to make a decision to enter alternative platforms.

This is a forced decision, because for me there was no need to boost my visibility on the network. Now such a need has arisen and I have to do it.

webgobe
Joomla! Enthusiast
Posts: 143
Joined: Thu Aug 18, 2005 5:13 pm
Location: Transsylvania/Romania

Re: Extension depublished after falsely reporting a vulnerability.

Post by webgobe » Wed Oct 04, 2023 5:18 pm

I am an extension developer too (and coding since 1980, BTW), having also (free) items listed on JED, helping to increase my business's visibility, which helps me sustain my volunteering here (someone must put the bread on the table, after all), so I perfectly know what you are talking about.
But trust me, I am not trying to sell you bullshit there. Nobody wanted/wants to hurt your - or any other developer's - interests here. On the contrary, we are volunteering here to make life easier for developers like you, to provide a platform to increase the visibility of their products.
Volunteering is the key word here - we are cooking with what we have. The actual JED was developed more than 10 years ago. NOBODY from the original developers is around now, and the platform used to build it (Fabrik) is also outdated, not maintained, call it what you like. The code is basically undocumented, and largely does not respect the Joomla coding standards. Until recently we had, for more than a year, one (1, ogyin, une, uno, een, yek, egy) developer dealing with JED coding. Thankfully we now have a few new ones, so the development of the new JED has gained some momentum, and there are hopes that we will have a new JED built on a healthier, more modern, definitively better documented and easier to maintain basis. We are still short on manpower, and we have an enormous list of issues in GitHub for the live JED and basically nobody to deal with them; check this: https://github.com/joomla/jed-issues/issues.
So, you are NOT alone. There are a LOT of people depending on JED, having issues using it, and awaiting their problems to be solved.
Bottom line: I perfectly understand your pain, but there is nothing personal there.

But there is a shortcut to this: if you don't see any software-related problem here, and you have that impressive record of site issue fixing, then talk with Mark, join the JED Dev team - we have plenty of open seats here - you will get access to the code and the database - I don't have access to these, sincerely - and fix the problem. It is as simple as that. Even if you don't do anything else than this, the entire community will still be happy at the end. You can be in the top 5% of the community: the relatively few ones who helped here by fixing a problem. And this is the way the entire Joomla ecosystem is built.

I am always saying that in ALL communities there are two basic types of individuals: the takers and the givers. Which one you choose to be is your personal decision. And don't attempt to blackmail those who choose to be in the givers group: they are doing what they are doing because they believe that they are on the right side, and not because they are pushed to do that.
So, if you plan to switch to another platform because of this issue, then you probably should do that... I will not try to stop you. I have plenty of better things to do there.

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Nov 28, 2023 9:47 pm

The attack on my extension continues unabated. Today QuickForm is again de-published based on the same old report that was written half a year ago by the [redacted]. What's happening? Why is the extension removed for the third time due to false accusations? Who in the Joomla project can solve this problem?

Webdongle
Joomla! Master
Posts: 44097
Joined: Sat Apr 05, 2008 9:58 pm

Re: Extension depublished after falsely reporting a vulnerability.

Post by Webdongle » Tue Nov 28, 2023 9:59 pm

Is there some sort of automation happening? Where the auto pilot keeps acting on the original false report?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

funcvar
Joomla! Apprentice
Posts: 30
Joined: Tue Oct 23, 2018 12:11 am

Re: Extension depublished after falsely reporting a vulnerability.

Post by funcvar » Tue Nov 28, 2023 10:09 pm

I received an email with the following content:

A JED Team member has sent you a message
Hello funcvar,

A JED Team member has sent you the following message about the extension "QuickForm".

Hi,

Your extension has been tagged as under investigation by vel

Please open a ticket under "Current Listing Support" to contact the JED team.

1. Has the issue been reported to the vendor of extension?

Ans: Yes

2. Has the issue been resolved by the vendor?

Ans: No, I think they are in the process of fix.

3. Which versions are affected?

Ans: 3.3.01 or versions below 3.3.01 are affected.

4. Is the issue already published, if yes, since when?

Ans: No

5. Have you followed up with the vendor after your initial report? When do you expect the patch?

Ans: Yes, have followed up with the vendor after the initial report. Not sure when the patch will be released.

6. How should the credits section of the CVE look? Who shall be mentioned?

Ans: Siva Pothuluru S and Vishal Saini from team Payatu

Definition:

XSS (Cross-Site Scripting) is a security vulnerability that occurs when an attacker injects malicious scripts into web pages viewed by other users. It is a type of code injection attack commonly found in web applications.

In XSS attacks, the attacker exploits a vulnerability in a website's code to inject and execute malicious scripts in the victim's browser. This can happen when the web application doesn't properly validate or sanitize user-generated input before displaying it to other users.

Severity: Medium

CVSS Score: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Steps to reproduce

1. Install Joomla 3 and install the QF3 extension.

2. Configure the extension in Admin dashboard of Joomla and Publish the extension.

3. Once done, click on AddNew form, and in the CSS file click on Create, where the CSS file name param is vulnerable to XSS.

4. Put the XSS payload which will reflect in the admin.

Extension joomla link: extensions.joomla.org/extension/quickform/

POC Link: https://drive.google.com/drive/folders/ ... JJdjb27doJ

Best Regards,
The Joomla! Extensions Directory

This is all the information I have. But judging by previous messages, the de-publication was done manually based on some information. Since the extension is not in the VEL list, I don't know where this information is.

