Components not working with Register Globals Emulation off


Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by Websmurf » Thu Aug 24, 2006 6:53 pm

Updated the list again.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

 

Post by mjvvorst » Thu Aug 24, 2006 9:29 pm

Beat,

Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
Mark


Post by tyler » Thu Aug 24, 2006 9:35 pm

mjvvorst wrote: Beat,

Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
Mark

My sentiments exactly, Beat. I did confirm the fix to now work on the front-end w/RG emulation off. However, I did not test backend yet, though I'm sure mjvvorst's backend AkoComment problem will be the same as mine (i.e. unable to delete AkoComments w/RG emulation off).
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by Beat » Thu Aug 24, 2006 10:28 pm

mjvvorst wrote: Beat,

Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
Mark

In my version of AkoComment the buttons to delete were missing in the code.
I added that code, but as it's not GPL, I can't publish it.
I'm adding to my post above the code for making backend work with RG_EMULATION.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by mjvvorst » Thu Aug 24, 2006 11:29 pm

Beat,
Works like a charm in the backend. Thanks!
At this time of night....do you ever sleep !?


Post by fan2 » Thu Aug 24, 2006 11:36 pm

Hello,
I am using CB 1.0RC2 with SMF Bridge.
It appears that there are some issues in Single-Signon in the SMF bridge if you upgrade CB 1.0RC2 to 1.0.1.

The PHP register_globals variable is set to ON.

But I have set the RG_EMULATION to 0 in globals.php

Also, in my .htaccess file, I have added the following:

Code:

########## START
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a CONFIG_EXT variable via URL
RewriteCond %{QUERY_STRING} CONFIG_EXT\[LANGUAGES_DIR\](=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits

Do you think I am temporarily protected against any hack via CB 1.0RC2 before I find a solution about the bridge?

Thanks for your help.


Post by tyler » Fri Aug 25, 2006 12:18 am

mjvvorst wrote: Beat,
Works like a charm in the backend. Thanks!
At this time of night....do you ever sleep !?

I tested the same backend AkoComment scenario, both with and without Beat's hotfix,... and his hack makes all the difference, yet again! :) My RG emulation is off BTW
Last edited by tyler on Fri Aug 25, 2006 12:19 am, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by Beat » Fri Aug 25, 2006 12:21 am

mjvvorst wrote: Beat,
Works like a charm in the backend. Thanks!
At this time of night....do you ever sleep !?

Thanks...
Working on this
http://dev.joomla.org/index.php?option= ... d=33&p=168
with Rey and others keeps me awake tonight... :D
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by Beat » Fri Aug 25, 2006 12:26 am

fan2 wrote: Hello,
I am using CB 1.0RC2 with SMF Bridge.
...
Do you think i am temporarily protected agains any hack via CB 1.0RC2 before i find a solution about the bridge ?

Thanks for your help.

This .htaccess file should protect you from the most critical vulnerability of RC2. RG_EMULATION 0 doesn't have an influence there, but register_globals OFF (REALLY RECOMMENDED SETTING!) or furl_open OFF would also protect you.

CB 1.0.1 includes other security fixes as well, so I would still look for a solution to your problem to be able to upgrade in the near future.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by lewisteo » Fri Aug 25, 2006 4:07 am

Something I found useful is Team Calendar Pro from www.lewe.com, but to my disappointment this component requires Register Global = on, if not it will not function accordingly.

I had spent much time updating the codes with $_SERVER["PHP_SELF"] for declared $PHP_SELF but still had not got the 2.8.001 version to work productively.

I was wondering someone could look into this interesting component and see if help can be rendered for it.

Thanks in advance.


Post by fan2 » Fri Aug 25, 2006 7:32 am

Beat wrote:
fan2 wrote: Hello,
I am using CB 1.0RC2 with SMF Bridge.
...
Do you think i am temporarily protected agains any hack via CB 1.0RC2 before i find a solution about the bridge ?

Thanks for your help.
This .htaccess file should protect you from the most critical vulnerability of RC2. RG_EMULATION 0 doesn't have an influence there, but register_globals OFF (REALLY RECOMMENDED SETTING!) or furl_open OFF would also protect you.

CB 1.0.1 includes other security fixes as well, so I would still look for a solution to your problem to be able to upgrade in the near future.

Thanks BEAT,
As soon as I know that there will be no problem when I upgrade CB1.0RC2 to CB1.0.1, I will do it.
About the PHP register_globals, the hoster does not want to modify it.


Post by tomww » Fri Aug 25, 2006 2:25 pm

Hello,
I've problems in joomlaboard with uploading files and pics (after rg_emulation off).

Does it work in yours?

Tom


Post by MarHaj » Fri Aug 25, 2006 5:25 pm

Provided the first Akocomment BEAT fix concerns akocomment.php and the second admin.akocomment.php, I am afraid that for the tweaked Artistworks.net version of Akocomment 2.0 they do not work.

But, in the name of those who use non tweaked version: Beat, THANKS!! You saved our sites (and souls)!!!
Last edited by MarHaj on Fri Aug 25, 2006 5:29 pm, edited 1 time in total.
MarHaj


Post by Beat » Fri Aug 25, 2006 7:39 pm

fan2 wrote: ...
About the PHP register_globals, the hoster does not want to modify it.

My free advice: change hoster when you can, that one seems not to understand basic PHP security (or server config) in year 2006.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by kunglao » Fri Aug 25, 2006 9:03 pm

With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well. 

That is, one can't register to a new topic.  The request is accepted but the database/status is not getting updated. 

If RG_EMULATION is set back to ON, there's no problem.

Is anyone else experiencing the same problem ? 

Thanks,


Post by tyler » Fri Aug 25, 2006 9:59 pm

kunglao wrote: With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well. 

That is, one can't register to a new topic.  The request is accepted but the database/status is not getting updated.   

If RG_EMULATION is set back to ON, there's no problem.

Is anyone else experiencing the same problem ? 

Thanks,

I have the exact same issue with being unable to add OR unsubscribe topic subscriptions with RG emulation off.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by kunglao » Sat Aug 26, 2006 5:11 am

kunglao wrote: With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well. 

That is, one can't register to a new topic.  The request is accepted but the database/status is not getting updated. 

If RG_EMULATION is set back to ON, there's no problem.

The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php:

Code:

if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam( $_REQUEST, 'sb_thread', '' );
if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam( $_REQUEST, 'thread', '' );

Somehow, $_POST wouldn't work but $_REQUEST does.
Since I'm new to this, I'd appreciate expert members to validate the fix.

Thanks in advance,


Post by tyler » Sat Aug 26, 2006 6:47 am

kunglao wrote: The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php:

Code:

if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam( $_REQUEST, 'sb_thread', '' );
if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam( $_REQUEST, 'thread', '' );

Somehow, $_POST wouldn't work but $_REQUEST does.

thx for sharing kunglao, that fix seems to be working for me too
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by RobS » Sat Aug 26, 2006 7:02 am

$_REQUEST is just a more general array that contains the contents of the $_POST, $_GET, and $_COOKIE arrays... best used when you aren't sure whether the request will be in Get or Post format...  There shouldn't be any problems with its use in that scenario.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Post by Beat » Sat Aug 26, 2006 1:36 pm

kunglao wrote:
kunglao wrote: With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well. 

That is, one can't register to a new topic.  The request is accepted but the database/status is not getting updated.   

If RG_EMULATION is set back to ON, there's no problem.

The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php:

Code:

if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam( $_REQUEST, 'sb_thread', '' );
if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam( $_REQUEST, 'thread', '' );

Somehow, $_POST wouldn't work but $_REQUEST does.
Since I'm new to this, I'd appreciate expert members to validate the fix.

Thanks in advance,

Thanks for proposing fix and also for confirming. Added to the other fixes in my post to group them together.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
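
Added example (not code from this thread, Joomla or JoomlaBoard): the per-variable fixes posted above read only named parameters, and this block generalises that into a typed allow-list and contrasts it with a simplified stand-in for blanket emulation. The function names, the declared types (thread ids as integers, `subscribeMe` as a flag), the `mosConfig_example` key and the sample request are assumptions.

```php
<?php
// Added example: not Joomla, JoomlaBoard or Community Builder code.
// All function names and the sample request below are constructed.

// Simplified stand-in for blanket emulation: every request key becomes a
// variable unless one with that name already exists. Returns the variable
// table instead of touching real globals so the effect can be inspected.
function emulate_all(array $request, array $vars)
{
    return $vars + $request; // array union keeps existing keys, adds the rest
}

// Explicit import in the style of the fixes in this thread: only the names
// listed in $spec are read, and each value is forced to a declared type.
// $spec maps name => 'int' | 'flag' | 'text' (the types are assumptions).
function import_listed(array $spec, array $request, array $vars)
{
    foreach ($spec as $name => $type) {
        // Same guard as "!isset($x) && isset($_REQUEST['x'])".
        if (isset($vars[$name]) || !isset($request[$name])) {
            continue;
        }
        $raw = $request[$name];
        if (is_array($raw)) {
            continue; // name[]=... arrives as an array; a scalar is expected
        }
        if ($type === 'int') {
            $vars[$name] = (int) $raw;
        } elseif ($type === 'flag') {
            $vars[$name] = ($raw !== '' && $raw !== '0');
        } else {
            $vars[$name] = trim(strip_tags((string) $raw));
        }
    }
    return $vars;
}

// Constructed request: three parameters the component uses, one it does not.
$request = array(
    'thread'            => '42',
    'sb_thread'         => '17abc',
    'subscribeMe'       => '1',
    'mosConfig_example' => 'constructed-value',
);

// Allow-list for this component (hypothetical types).
$spec = array(
    'thread'      => 'int',
    'sb_thread'   => 'int',
    'subscribeMe' => 'flag',
);

$blanket  = emulate_all($request, array());
$explicit = import_listed($spec, $request, array());

// Compare which names each approach turned into variables, then show the
// typed values produced by the explicit import.
echo "blanket:  ", implode(', ', array_keys($blanket)), "\n";
echo "explicit: ", implode(', ', array_keys($explicit)), "\n";
var_dump($explicit);
```

Inside Joomla 1.0 the per-value read would go through `mosGetParam` as in the posts above; the casts here stand in for it so the block runs on its own.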


Post by tyler » Sat Aug 26, 2006 4:49 pm

the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.

When I set RG emulation back to on, the attachment uploads work again.

Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by Beat » Sat Aug 26, 2006 4:53 pm

tyler wrote: the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.

When I set RG emulation back to on, the attachment uploads work again.

Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?

Confirmed...files + images didn't work + "subscribe me" option on posts/reply.

The fix below fixes that; add this to the other fixes in joomlaboard.php:

Code:

if (!isset($subscribeMe) && isset($_POST["subscribeMe"])) $subscribeMe = mosGetParam( $_POST, 'subscribeMe', '' ); //BBTEMPFIX
if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam( $_FILES['attachimage'], 'name', '' ); //BBTEMPFIX
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam( $_FILES['attachfile'], 'name', '' ); //BBTEMPFIX

Adding to my post http://forum.joomla.org/index.php/topic ... #msg441456

Can you please confirm the fix fixes all three functions ?

EDIT: changed code above.
Last edited by Beat on Sun Aug 27, 2006 7:02 am, edited 1 time in total.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by Hackwar » Sat Aug 26, 2006 6:50 pm

Hey Beat,
don't forget the fix I sent in. :) You have to add this on line 170 of /administrator/components/com_joomlaboard/admin.joomlaboard.php for viewing user details:

Code:

$uid = mosGetParam( $_REQUEST, 'uid', array(0) );
if (!is_array( $uid )) {
    $uid = array(0);
}

god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Post by tyler » Sat Aug 26, 2006 7:06 pm

Beat wrote:
tyler wrote: the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.

When I set RG emulation back to on, the attachment uploads work again.

Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?
Confirmed...files + images didn't work + "subscribe me" option on posts/reply.

Fix below fixes that: add to joomlaboard.php other fixes this:

Code:

if (!isset($subscribeMe) && isset($_POST["subscribeMe"])) $subscribeMe = mosGetParam( $_POST, 'subscribeMe', '' ); //BBTEMPFIX
if (!isset($attachimage) && isset($_POST["attachimage"])) $attachimage = mosGetParam( $_POST, 'attachimage', '' ); //BBTEMPFIX
if (!isset($attachfile) && isset($_POST["attachfile"])) $attachfile = mosGetParam( $_POST, 'attachfile', '' ); //BBTEMPFIX

Adding to my post http://forum.joomla.org/index.php/topic ... #msg441456

Can you please confirm the fix fixes all three functions ?

Hmmm, the image and file upload do not work for me when using that fix w/RG emulation off, but the subscribe to thread option does work in that scenario. I even tried a version of those fixes where $_POST is changed to $_REQUEST and I got the same non-working results for img & file uploads. This is w/RG Emulation off. Works fine with RG Emulation off.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by tyler » Sat Aug 26, 2006 7:18 pm

is it possible that maybe the $_FILES var needs to be adjusted for RG? Was looking a little bit in the joomlaboard file_upload.php & image_upload.php and saw $_FILES used there.

not sure what to tinker with it though to make it recognizable under RG off

and as I mentioned earlier, the subscribe me does work, just not the file or image uploads for me.
Last edited by tyler on Sat Aug 26, 2006 7:49 pm, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Post by kunglao » Sun Aug 27, 2006 3:13 am

tyler wrote:
and as I mentioned earlier, the subscribe me does work, just not the file or image uploads for me.

I confirm Tyler's problem: "subscribe me" also works for me but not the file/image upload, even with $_REQUEST.

kunglao

P.S.  Thanks to all for your previous feedback.


Post by kunglao » Sun Aug 27, 2006 5:22 am

To fix the joomlaboard file/image upload, this seems to work for me:

Code:

if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam( $_FILES['attachimage'], 'name', '' );
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam( $_FILES['attachfile'], 'name', '' );

And in this case, given that $attachfile & $attachimage are used just like a flag in the code, can we not bypass mosGetParam instead?

Code:

if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = $_FILES['attachimage']['name'];
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = $_FILES['attachfile']['name'];

Beat, Rob, or other experts, any reservation on either option ?

Thanks,

KungLao


Post by RobS » Sun Aug 27, 2006 6:41 am

You should always filter input to your PHP code.  The first code example which utilizes mosGetParam is the way you should be doing it... I suggest you apply the same practices to the second code example.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Post by Beat » Sun Aug 27, 2006 7:00 am

kunglao wrote: To fix the joomlaboard file/image upload, this seems to work for me:

Code:

if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam( $_FILES['attachimage'], 'name', '' );
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam( $_FILES['attachfile'], 'name', '' );

And in this case, given that $attachfile & $attachimage are used just like a flag in the code, can we not bypass mosGetParam instead?

Code:

if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = $_FILES['attachimage']['name'];
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = $_FILES['attachfile']['name'];

Beat, Rob, or other experts, any reservation on either option ?

Thanks,

KungLao

1) Kudos for the find of my stupid mistake in the fix :-[. Actually the culprit using wrongly these variables is post.php ;)

2) Both variants are strictly identical for now, as those variables are arrays, and that mosGetParams does not filter/modify arrays (its expected behavior until now).

3) I have carefully checked the files and image uploads in joomlaBoard from a security point of view using those parameters. The use in post.php is safe, as it's only testing if it's non-null values. I did not find critical vulnerabilities from this point of view (you need to check this when not using mosGetParameters).

Will update my posts above...
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Post by tyler » Sun Aug 27, 2006 7:09 am

How about the following four other variables used respectively in image_upload.php & file_upload.php:

$_FILES['attachimage']['size']    --->  $imageSize
$_FILES['attachimage']['tmp_name']
$_FILES['attachfile']['size']      --->  $fileSize
$_FILES['attachfile']['tmp_name']

Should these need to be accounted for in the same or similar way?
Last edited by tyler on Sun Aug 27, 2006 7:21 am, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

 
