Page 1 of 1

Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 6:12 am
by kitecloud
Hello, everyone.

I got a security alert with "Dangerous File Inclusion" by using security software. It means that an attacker can take complete control of the dynamic include statement by supplying a malicious value for controller that causes the program to include a file from an external site. The report pointed out that the code in base file of componenet such as :

Code: Select all

require_once( JPATH_COMPONENT.DS.'controller.php' );
 
// Require specific controller if requested
if($controller = JRequest::getVar('controller')) {
    $path = JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php';
    if (file_exists($path)) {
        require_once $path;
    } else {
        $controller = '';
    }
}
 
// Create the controller
$classname    = 'DownloadController'.$controller;
$controller   = new $classname( );


But the code was that I copied from the Joomla hello world component. How could I fix this issue? :(

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 6:39 am
by lafrance
Hello.

1. Run the forum post assistant and security tool

2. Ensure you have the latest version of Joomla. We recommend update manager

3. Review Vulnerable Extensions List

4. Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

5. Change all passwords and if possible user names for the website host control panel and your Joomla site.This include FTP,Cpanel etc.

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.

7.to reset your admin password http://docs.joomla.org/How_do_you_recov ... assword%3F

8.viewtopic.php?f=428&t=272481

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 5:22 pm
by mandville
kitecloud wrote:Hello, everyone.
I got a security alert with "Dangerous File Inclusion" by using security software.


what security software, who made it, where did you get it from?

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 7:53 pm
by jeffchannell
Change this line:

Code: Select all

if($controller = JRequest::getVar('controller')) {

to

Code: Select all

if($controller = JRequest::getWord('controller')) {

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 8:00 pm
by mandville
jeff - does this need changing in the docs? eg as out of date etc?

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 8:11 pm
by jeffchannell
I would say so - using the posted code results in a local file include if the "controller" variable is sent using a relative path ending in a NUL byte:

Code: Select all

index.php?option=com_component&controller=../../../.htaccess%00

Re: Help! Dangerous File Inclusion issue...

Posted: Fri Feb 12, 2010 8:46 pm
by mandville
missread that as a NO for a minute!
ok - i have changed the code so that all functions now look not for the variables but the actual words. also changed the text to idicate its a word variable and not just a "variable"
can you double check for me.. (thinking in plesk atm) and think the view command may be messed up as its looking for the variables and not the words.. i have also marked it for tech review

Re: Help! Dangerous File Inclusion issue...

Posted: Tue Feb 23, 2010 10:09 am
by kitecloud
OK. I will fix this issue and try again. Thank you very much!