<?php echo JHtml::_('form.token'); ?> Acunetix scan out no protection

Post by fc338339 » Wed May 27, 2020 8:52 am

Dear Sir,

I have referred to https://docs.joomla.org/How_to_add_CSRF ... g_to_forms
and added <?php echo JHtml::_('form.token'); ?> to every form, just above the </form> tag.

Part A: custom modules
I have created a module in English and duplicated it into two other languages. The three modules have the same function and differ only in language. However, when scanned by the Acunetix scanner, only the English version was reported as "HTML form without CSRF protection" (images 1, 2).

Part B: administrator > components > com_search
Again, I have added form.token and check.token as shown (images 3, 4), but the Acunetix scanner still reports "HTML form without CSRF protection".

Since 100% of my projects use Joomla and all of them have to be scanned by Acunetix before launch, would you mind telling us how to resolve the Acunetix scan report?

At least, let's create Joomla website without any "HTML form without CSRF protection"

Thanks indeed

Fion

Acunetix "HTML form without CSRF protection" report:

CVSS2:
Base Score: 2.6
Access Vector: Network_accessible
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3:
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CWE: CWE-352

(URGENT) com_search Acunetix scan out NO CSRF Protection

Post by fc338339 » Sat May 30, 2020 9:08 am

Dear Sirs,

In order to have CSRF protection, I have added form.token
at administration > component > com_search > views > searches > tmpl > default.php (image 3).
Meanwhile, we have added check.token
at administration > component > com_search > controllers > searches.php (image 4).
However, after an Acunetix scan for vulnerabilities, we still get the report "HTML form without CSRF protection" as below (image 5) for these links:
https://ecib.hkitconsult.com/index.php/en/search-en
https://ecib.hkitconsult.com/index.php/hk/search-hk
https://ecib.hkitconsult.com/index.php/cn/search-cn

Would you mind telling us how to add CSRF protection to the com_search component?

Furthermore,
our website has three languages, English, Traditional Chinese and Simplified Chinese. We have tried to use a single search form under languages = All, but it cannot search any Chinese words; therefore, we have created com_search as three separate forms, linked above.

Is there any method to allow one search form (search box) to accept input in different languages and still return results?

Thanks indeed

Fion

Re: <?php echo JHtml::_('form.token'); ?> Acunetix scan out no protection

Post by Per Yngve Berg » Sat May 30, 2020 11:25 am

1) Are you using Joomla version 3.9.18?

2) I don't follow why you are checking files in administrator and then checking the site front-end?

3) Have you checked your template for overrides? Files in /templates/ja_property/html/
https://docs.joomla.org/How_to_override ... omla!_core


Re: <?php echo JHtml::_('form.token'); ?> Acunetix scan out no protection

Post by fc338339 » Tue Jun 02, 2020 9:19 am

Dear Per Yngve Berg,

1. The website is using Joomla 3.9.15.
2. Since we have to use com_search on the front-end website, I have added <?php echo JHtml::_('form.token'); ?> to the component com_search's default.php, which is not overridden by ja_property, because you can find the hidden input field generated by form.token as below

<input type="hidden" name="ebe7887ca11512f749407f799240d8b8" value="1">

at front-end : https://ecib.hkitconsult.com/index.php/en/search-en

Therefore, please provide a solution to ensure these search forms (link: https://ecib.hkitconsult.com/index.php/en/search-en) have CSRF protection.

I tried to use <form.token>, but this time it seems to be of no use, as the issue is still reported by the Acunetix scanner.

Thanks indeed

Fion


Re: <?php echo JHtml::_('form.token'); ?> Acunetix scan out no protection

Post by leolam » Tue Jun 02, 2020 2:47 pm

fc338339 wrote:
Tue Jun 02, 2020 9:19 am
1. The website is using Joomla 3.9.15
That is an outdated version of Joomla, vulnerable, and since that release we have had many code changes and a lot of security fixes. Today Joomla 3.9.19 will be released, so before expecting replies I strongly suggest you urgently upgrade your site and see if this resolves any issues. If not, we can review your post again.

Keep your site ALWAYS up-to-date!

Leo 8)


Re: <?php echo JHtml::_('form.token'); ?> Acunetix scan out no protection

Post by Per Yngve Berg » Sat Jun 20, 2020 12:01 pm

I have tested your site.

1) Entered " Hong Kong SAR Government " into the search. The search returned two matches.

2) Removed "<input type="hidden" name="ebe7887ca11512f749407f799240d8b8" value="1">" from the form and posted. The site returned invalid token.

This is working as intended.
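The manual test above (strip the hidden token field, post, expect "invalid token") checks one form at a time. As an added example that is not code from Joomla, Acunetix or this thread, the following stand-alone Python auditor lists every form in a saved page that lacks the hidden field form.token emits (a 32-hex-character name with value "1"), so each language copy and module form can be verified before a scan. The sample HTML is constructed; the token name in it is the one quoted in the thread.

```python
import re
from html.parser import HTMLParser

# Joomla's JHtml::_('form.token') emits a hidden input named with a
# 32-hex-character session token and value "1"; that is what we look for.
TOKEN_NAME = re.compile(r"^[0-9a-f]{32}$")


class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms: {"action", "method", "has_token"}
        self._current = None  # the form whose child tags are being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "has_token": False}
        elif tag == "input" and self._current is not None:
            # An ordinary hidden field such as option=com_search does not count
            if (a.get("type", "").lower() == "hidden" and a.get("value") == "1"
                    and TOKEN_NAME.match(a.get("name") or "")):
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def forms_without_token(html):
    """Return (action, method) for every form that lacks the token field."""
    p = FormAuditor()
    p.feed(html)
    p.close()
    return [(f["action"], f["method"]) for f in p.forms if not f["has_token"]]


# Constructed sample page: the com_search form carries the token (name taken
# from the thread); a duplicated language copy was saved without form.token.
SAMPLE = """
<form action="/index.php/en/search-en" method="post">
  <input name="searchword" type="text">
  <input type="hidden" name="ebe7887ca11512f749407f799240d8b8" value="1">
</form>
<form action="/index.php/hk/search-hk" method="post">
  <input name="searchword" type="text">
  <input type="hidden" name="option" value="com_search">
</form>
"""
```

Run it over the saved HTML of each front-end page (including template overrides under /templates/ja_property/html/) and fix any form it lists; a form that passes here but is still flagged by the scanner is worth checking for a second, token-less copy rendered by a module.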

 
