Disable Joomla's SEARCH ABILITY or you will be HACKED !

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
nnth
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Thu Sep 22, 2005 12:27 am
Contact:

Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by nnth » Sat Oct 08, 2005 12:41 am

Hello, everyone!

I don't know why but today, when I checked the Jommla's Search Code (Components and Modules), I've found that it didn't have any function to check the Input Data of users.

For example:

- Try to put in the search box 1 milion characters and do a search. Hey, imagine what will happen to your server?  :'(
- Try to put in the search box a slash / and do a search. It will return any contents that  have a web address of your site.
...

I'm not sure the reason why or this issue is just a SECURITY BUG? Anyone helps me plz?  ???
Last edited by nnth on Fri Oct 14, 2005 9:54 am, edited 1 time in total.
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

User avatar
bluesaze
Joomla! Guru
Joomla! Guru
Posts: 750
Joined: Mon Sep 05, 2005 6:18 am
Location: India
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by bluesaze » Sat Oct 08, 2005 5:09 am

Mmmm well I just tried it I dont think the server will crash but i guess its always better to have a check before searching. usually there should be a check to remove all funny chracters like & * @ % ' etc also the search term should be limited to 100 words or less
A. N. Jacob-New
The Tech & Design Blog http://www.Clazh.com

User avatar
nnth
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Thu Sep 22, 2005 12:27 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by nnth » Sun Oct 09, 2005 4:28 am

Hello, bluesaze!

I don't know if you test your server on localhost or in real site. But imagine if your site's curently having 1000 ative visitors, and haft of them are trying a milions search words at the same time.

By the way, "MAXLENGTH" in your SEARCH FORM is a good ideal but not enought. If some one try to save the search page, then edit the form method to "POST" and maxlength to "1 milion", he always can hack your server easily.

I think we should have some funtioncs (pregmatch, etc...) to check the User Input from the server!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

The West Wing
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Sat Oct 01, 2005 8:10 pm

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by The West Wing » Sun Oct 09, 2005 8:01 am

Is this the case in Mambo too?  or is this unique to Joomla?

User avatar
Jinx
Joomla! Champion
Joomla! Champion
Posts: 6569
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by Jinx » Sun Oct 09, 2005 8:48 am

This is not a security bug ! This is just another DOS (denial of service attack). It won't affect your Joomla installation, it will affect the server because your are flooding it with alot of information. There are alot of ways to create DOS attacks, the only thing they can do is keep your server busy or in a worst case take it offline.

Also, the form has a maxlenght of 20. U will need to go through alot of trouble to get that one million characters in.

Maybe u should just try a ping flood ;)
Last edited by Jinx on Sun Oct 09, 2005 8:50 am, edited 1 time in total.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

User avatar
bluesaze
Joomla! Guru
Joomla! Guru
Posts: 750
Joined: Mon Sep 05, 2005 6:18 am
Location: India
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by bluesaze » Sun Oct 09, 2005 10:35 am

Jinx wrote: Also, the form has a maxlenght of 20. U will need to go through alot of trouble to get that one million characters in.
Mmm your wrong there cos I was able to copy paste a really long string more than 1000

here the error I got

"Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long"
Last edited by bluesaze on Sun Oct 09, 2005 10:58 am, edited 1 time in total.
A. N. Jacob-New
The Tech & Design Blog http://www.Clazh.com

ustler
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Sun Sep 11, 2005 10:42 pm

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by ustler » Sun Oct 09, 2005 5:54 pm

This is sort of both. Its sort of a hack, but at the same time its a DOS attack. The php code should only parse the first 30 characters. If its pulling all 1000, you might have a buffer overflow vulnerablity. Needless to say, its easy to bypass that HTML restriction for the maxlenght. Download paros and proxy through that and change the maxlenght 20 to 1000, IN REAL TIME.. Your server might have an option set that limits the POST data being submitted. The code should, do this:

Obtain Data
Parse out 20 characters -- If it has more than 20 characters, it should report error and die
Check 20 characters for special characters and remove them (things like: & * # < ;)
Perform Mysql Query

Also, you can use MOD_Security for Apache if you wanted to do this without joomla. It takes ALOT of tweaking to get it to work, but eventually you can get it to filter input and output from predefined rules.. Ill look at the code later and submit a fix if needed. I dont use the search function in Joomla, so im ok :)

User avatar
Jinx
Joomla! Champion
Joomla! Champion
Posts: 6569
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by Jinx » Sun Oct 09, 2005 7:36 pm

Just put in a bug report and we will fix it in the next stability release.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

Talon
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sun Oct 09, 2005 3:08 pm

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by Talon » Mon Oct 10, 2005 6:43 pm

It happened to me it REALLY DOES WORK I have pictures to prove it (One of the mods on the site just had to try it)

http://[spam].com/albums/v671/talo ... ATTACK.jpg

\

User avatar
Jinx
Joomla! Champion
Joomla! Champion
Posts: 6569
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by Jinx » Mon Oct 10, 2005 7:16 pm

Still not sure what u are trying to proof here. Add it as a bug to the tracker and we will fix it. Simple no ?
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

User avatar
nnth
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Thu Sep 22, 2005 12:27 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by nnth » Tue Oct 11, 2005 3:14 am

Hi all and thanks for helping me!  :)

I've already known that this issue is a sort of hack, and I post it here to announce to everyone, who wants his site to be more secure and more stable!

We should discuss the way to improve or to fix it. And if someone know the way to do that, share it!

I'm currently having a look on the code and if I find out how, i will post it here as soon as possible. ;)
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by stingrey » Tue Oct 11, 2005 3:25 am

This issue has been fixed in SVN and will be available in 1.0.3 - which will be released shortly.

Search will now only allow search terms between 3 - 20 characters.
We cannot exclude the characters you mention as they can be valid search terms in circumstances.


In future please report all/any bugs in the official tracker:
http://developer.joomla.org/sf/tracker/ ... acker.bugs
to ensure that it is correctly actioned.
Last edited by stingrey on Tue Oct 11, 2005 3:41 am, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
nnth
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Thu Sep 22, 2005 12:27 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by nnth » Tue Oct 11, 2005 3:30 am

It sounds good:) I will wait for 1.0.3. Thanks for hard work!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

User avatar
bjtipton
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Mon Sep 12, 2005 7:51 pm
Location: United States

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by bjtipton » Tue Oct 11, 2005 5:51 am

stingrey wrote: This issue has been fixed in SVN and will be available in 1.0.3 - which will be released shortly.
You guys rock. 8)
Brian Tipton
Mambo User - Joomla Convert

gulfcad
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Thu Oct 13, 2005 5:58 pm

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by gulfcad » Thu Oct 13, 2005 6:11 pm

Any possibility of incorporating input validation rules for the application? This would provide protection against most future attacks..a basic security programming technique these days.

User avatar
Jinx
Joomla! Champion
Joomla! Champion
Posts: 6569
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by Jinx » Thu Oct 13, 2005 10:08 pm

Joomla uses phpInputFilter for this. It is used to clean all input from malisicous code.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

gulfcad
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Thu Oct 13, 2005 5:58 pm

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by gulfcad » Thu Oct 13, 2005 11:49 pm

Hi,

:) That is good to hear. I am waiting for the security release 1.0.3 before installing on my site. I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product. I am hoping the developers are very careful with security. I would hate to implement a tool to save time only to be patching it every month. I know Mambo had a relatively good record compared to PHP-Nuke. I hope this improves even more with Joomla.

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by stingrey » Fri Oct 14, 2005 7:00 am

gulfcad wrote: I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product.
All important information - including security alerts will be posted in the announcements forum which you subscribed to.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D


Locked

Return to “Security - 1.0.x”