hack could spread from help. joomla.org through helpsites-15

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
mmikeyy
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Thu Aug 16, 2007 10:38 pm
Location: Montréal

hack could spread from help. joomla.org through helpsites-15

Post by mmikeyy » Sun Aug 19, 2007 2:51 am

I posted this elsewhere. Someone replied that I should post in "security". I suppose it's here.



These idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org.  This file is downloaded whenever the help languages file is refreshed, which does not seem to always require a user intervention. The problem is that it can't be parsed, and the config menu becomes inaccessible after the file is replaced. This little hack may soon spread everywhere...


Someone wrote that the site was restored from backups, and that it is strange that the file is still the hacked version.
Last edited by infograf768 on Sun Aug 19, 2007 4:07 pm, edited 1 time in total.
Mikey

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18855
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by infograf768 » Sun Aug 19, 2007 5:22 am

I do not confirm this.

The dropdown just list the usual sites and nothing is dowloaded when changing the help site.

What happens is that using the help button will bring an empty screen and proposes to download an empty index.php

BTW: this xml file is NOT on the help site, it is in trunk therefore in your joomla install.
Last edited by infograf768 on Sun Aug 19, 2007 5:30 am, edited 1 time in total.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

mmikeyy
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Thu Aug 16, 2007 10:38 pm
Location: Montréal

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by mmikeyy » Sun Aug 19, 2007 11:42 am

The "refresh" button next to the language selection input box has this event attached to it:


onclick="submitbutton('refreshhelp')



and I don't have time to follow the track all the way, but I think the list gets updated from the joomla.org site through the line

if (($data = file_get_contents('http://help.joomla.org/helpsites-15.xml')) === false )

in the function refreshHelp() in the file adminitrator/components/com_config/controllers/application.php.

Once a badly formatted "helpsites-15.xml" is downloaded, the joomla site config page becomes inaccessible because the input box options are imported from that corrupted file each time the page is loaded (through function call jimport('joomla.i18n.help') in same application.php file.

Anyway... I may be all wrong (I really am a newbie after all!  :o ). But... it seems to make sense!
Mikey

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by AmyStephen » Sun Aug 19, 2007 2:44 pm

Just for the record - if someone reads this later and wonders what happened - Louis Landry explained it was a custom component never released to others (thankfully) that created this vulnerability. Joomla org did not use good system administration on the shop site and a failure to do so created a situation where the crack was allowed to spread to other sites on Joomla!' orgs servers.

This does not spread through Joomla! org helpsite XML files like the poster thought might be happening.

Thanks,
Amy :)

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18855
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by infograf768 » Sun Aug 19, 2007 3:08 pm

@mmikeyy

Apologies, I have been testing 1.5 for ages and I have not remarked that the refresh button was looking for a new xml file on help.joomla until now. Thought it would load a new xml file downloaded manually.

I do consider this as a possible breach in security and will report it to devs.
Anyhow, as that file is located in administrator/languages/help and the folder is not supposed to be writable, a Warning should appear.

Thanks for the hint.

JM
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

mmikeyy
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Thu Aug 16, 2007 10:38 pm
Location: Montréal

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by mmikeyy » Sun Aug 19, 2007 3:25 pm

AmyStephen wrote:
This does not spread through Joomla! org helpsite XML files like the poster thought might be happening.

Thanks,
Amy :)
OK.. perhaps I'm wrong, but the xml file did get corrupted, it got corrupted each time I pressed the refresh button to update the language list to change the language in the configuration screen (which does download the list from joomla.org), and that stopped happening as soon as I commented out the lines that downloaded an up-to-date file from the joomla.org site.

The list is now updated correctly when one presses the refresh button. So it is true that nothing is spreading *now*. Perhaps the problem disappeared when the backups were restored on the joomla.org site.
Mikey

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Post by AmyStephen » Sun Aug 19, 2007 3:36 pm

mmikeyy wrote: The list is now updated correctly when one presses the refresh button. So it is true that nothing is spreading *now*. Perhaps the problem disappeared when the backups were restored on the joomla.org site.
Mike -

It sounds like you found a vulnerability - and that is very much appreciated. Infograf said he would communicate this.

It's important to clarify, though, that the subject "hack being spread everywhere from joomla.org through helpsites-15.xlm refresh" was not true. No one else's website was infected by Joomla! help files.

You did nothing wrong and coming forward with this information is good. I just didn't want anyone to panic unnecessarily.
Amy

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18855
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Post by infograf768 » Sun Aug 19, 2007 4:08 pm

I changed the title of the thread to reflect the issue at stake.

Reported in Q&T http://forum.joomla.org/index.php/topic,203371.0.html
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

mmikeyy
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Thu Aug 16, 2007 10:38 pm
Location: Montréal

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Post by mmikeyy » Sun Aug 19, 2007 4:16 pm

AmyStephen wrote: It sounds like you found a vulnerability [...]

It's important to clarify, though, that the subject "hack being spread everywhere from joomla.org through helpsites-15.xlm refresh" was not true. No one else's website was infected by Joomla! help files.

[...]  I just didn't want anyone to panic unnecessarily.
Amy
Fine! I understand. The topic may have been exceeding alarming, especially after the problem ceased to exist (before that, it's debatable I guess. People were one click away from being infected after all! And I was infected repeatedly before I could figure out how it happened). Sorry for having been so insistent. I just felt I had to keep replying because all the reactions I got sounded a little too much like "no, you are wrong". I was about to start doubting my mental faculties!  ???  Case closed!

Best regards,  :)
Mikey

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Post by AmyStephen » Sun Aug 19, 2007 4:50 pm

It's always difficult, isn't it? IMO, you did the right thing. Thanks, again, Mike,
Amy :)


Locked

Return to “Security in Joomla! 1.5”