Page 1 of 1

hack could spread from help. joomla.org through helpsites-15

Posted: Sun Aug 19, 2007 2:51 am
by mmikeyy
I posted this elsewhere. Someone replied that I should post in "security". I suppose it's here.



These idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org.  This file is downloaded whenever the help languages file is refreshed, which does not seem to always require a user intervention. The problem is that it can't be parsed, and the config menu becomes inaccessible after the file is replaced. This little hack may soon spread everywhere...


Someone wrote that the site was restored from backups, and that it is strange that the file is still the hacked version.

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 5:22 am
by infograf768
I do not confirm this.

The dropdown just list the usual sites and nothing is dowloaded when changing the help site.

What happens is that using the help button will bring an empty screen and proposes to download an empty index.php

BTW: this xml file is NOT on the help site, it is in trunk therefore in your joomla install.

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 11:42 am
by mmikeyy
The "refresh" button next to the language selection input box has this event attached to it:


onclick="submitbutton('refreshhelp')



and I don't have time to follow the track all the way, but I think the list gets updated from the joomla.org site through the line

if (($data = file_get_contents('http://help.joomla.org/helpsites-15.xml')) === false )

in the function refreshHelp() in the file adminitrator/components/com_config/controllers/application.php.

Once a badly formatted "helpsites-15.xml" is downloaded, the joomla site config page becomes inaccessible because the input box options are imported from that corrupted file each time the page is loaded (through function call jimport('joomla.i18n.help') in same application.php file.

Anyway... I may be all wrong (I really am a newbie after all!  :o ). But... it seems to make sense!

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 2:44 pm
by AmyStephen
Just for the record - if someone reads this later and wonders what happened - Louis Landry explained it was a custom component never released to others (thankfully) that created this vulnerability. Joomla org did not use good system administration on the shop site and a failure to do so created a situation where the crack was allowed to spread to other sites on Joomla!' orgs servers.

This does not spread through Joomla! org helpsite XML files like the poster thought might be happening.

Thanks,
Amy :)

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 3:08 pm
by infograf768
@mmikeyy

Apologies, I have been testing 1.5 for ages and I have not remarked that the refresh button was looking for a new xml file on help.joomla until now. Thought it would load a new xml file downloaded manually.

I do consider this as a possible breach in security and will report it to devs.
Anyhow, as that file is located in administrator/languages/help and the folder is not supposed to be writable, a Warning should appear.

Thanks for the hint.

JM

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 3:25 pm
by mmikeyy
AmyStephen wrote:
This does not spread through Joomla! org helpsite XML files like the poster thought might be happening.

Thanks,
Amy :)
OK.. perhaps I'm wrong, but the xml file did get corrupted, it got corrupted each time I pressed the refresh button to update the language list to change the language in the configuration screen (which does download the list from joomla.org), and that stopped happening as soon as I commented out the lines that downloaded an up-to-date file from the joomla.org site.

The list is now updated correctly when one presses the refresh button. So it is true that nothing is spreading *now*. Perhaps the problem disappeared when the backups were restored on the joomla.org site.

Re: hack being spread everywhere from joomla.org through helpsites-15.xlm refres

Posted: Sun Aug 19, 2007 3:36 pm
by AmyStephen
mmikeyy wrote: The list is now updated correctly when one presses the refresh button. So it is true that nothing is spreading *now*. Perhaps the problem disappeared when the backups were restored on the joomla.org site.
Mike -

It sounds like you found a vulnerability - and that is very much appreciated. Infograf said he would communicate this.

It's important to clarify, though, that the subject "hack being spread everywhere from joomla.org through helpsites-15.xlm refresh" was not true. No one else's website was infected by Joomla! help files.

You did nothing wrong and coming forward with this information is good. I just didn't want anyone to panic unnecessarily.
Amy

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Posted: Sun Aug 19, 2007 4:08 pm
by infograf768
I changed the title of the thread to reflect the issue at stake.

Reported in Q&T http://forum.joomla.org/index.php/topic,203371.0.html

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Posted: Sun Aug 19, 2007 4:16 pm
by mmikeyy
AmyStephen wrote: It sounds like you found a vulnerability [...]

It's important to clarify, though, that the subject "hack being spread everywhere from joomla.org through helpsites-15.xlm refresh" was not true. No one else's website was infected by Joomla! help files.

[...]  I just didn't want anyone to panic unnecessarily.
Amy
Fine! I understand. The topic may have been exceeding alarming, especially after the problem ceased to exist (before that, it's debatable I guess. People were one click away from being infected after all! And I was infected repeatedly before I could figure out how it happened). Sorry for having been so insistent. I just felt I had to keep replying because all the reactions I got sounded a little too much like "no, you are wrong". I was about to start doubting my mental faculties!  ???  Case closed!

Best regards,  :)

Re: hack could spread from help. joomla.org through helpsites-15.xlm refresh

Posted: Sun Aug 19, 2007 4:50 pm
by AmyStephen
It's always difficult, isn't it? IMO, you did the right thing. Thanks, again, Mike,
Amy :)