Weird Security issue considering custom build form module

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
1994_peter
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jan 30, 2018 5:42 pm

Weird Security issue considering custom build form module

Post by 1994_peter » Tue Jan 30, 2018 6:49 pm

Dear Fellow joomla devs,

Recently, a customer called that her information that she left in a applicant form was visible on another persons device, since . They were not registered, so both users were 'guests'.

The scenario was as follows:

1. User a (macOS) fills in a contact form (custom made)
2. User a submits form
3. User b (Windows) goes to same page
3. User b sees form with data of user A <---- security isssue

This cost my client a potential working candidate.

I cannot seem to reproduce the problem.

Does anyone know how this might have happened and how to prevent it???
My guess is that it has something to do with how Joomla caches content.. but I thought it didnt store formdata (especially not for guests)

Below is the current fpa..
I have updated after this happend to 3.8.4 and turned caching off (was on progressive).

Problem Description :: Forum Post Assistant (v1.3.9) : 30th January 2018 wrote:Security Issue with custom build form
Forum Post Assistant (v1.3.9) : 30th January 2018 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.8.4-Stable (Amani) 30-January-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 2 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 0 | FrontEdit: 0 | Error Reporting: simple | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-896.16.1.lve1.4.49.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 40.20 GiB |

PHP Configuration :: Version: 7.0.27 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 32M | Max. Input Time: 40 | Max. Execution Time: 30 | Memory Limit: 512M

MySQL Configuration :: Version: 5.5.58-0ubuntu0.14.04.1 (Client:5.5.33) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 24.05 MiB | #of Tables:  94
Detailed Environment :: wrote:PHP Extensions :: Core (7.0.27) | date (7.0.27) | libxml (7.0.27) | openssl (7.0.27) | pcre (7.0.27) | sqlite3 (7.0.27) | zlib (7.0.27) | bz2 (7.0.27) | calendar (7.0.27) | ctype (7.0.27) | curl (7.0.27) | hash (1.0) | filter (7.0.27) | ftp (7.0.27) | gettext (7.0.27) | gmp (7.0.27) | SPL (7.0.27) | iconv (7.0.27) | pcntl (7.0.27) | readline (7.0.27) | Reflection (7.0.27) | session (7.0.27) | standard (7.0.27) | shmop (7.0.27) | SimpleXML (7.0.27) | mbstring (7.0.27) | tokenizer (7.0.27) | xml (7.0.27) | cgi-fcgi () | dom (20031129) | fileinfo (1.0.5) | gd (7.0.27) | imap (7.0.27) | intl (1.1.0) | json (1.4.0) | exif (7.0.27) | mcrypt (7.0.27) | mysqli (7.0.27) | PDO (7.0.27) | pdo_dblib (7.0.27) | pdo_mysql (7.0.27) | pdo_sqlite (7.0.27) | Phar (2.0.2) | soap (7.0.27) | sockets (7.0.27) | wddx (7.0.27) | xmlreader (7.0.27) | xmlrpc (7.0.27) | xmlwriter (7.0.27) | xsl (7.0.27) | zip (1.13.5) | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: components/com_k2/ (775) | components/com_vacancy/ (775) | components/com_vacancy/assets/ (775) | components/com_vacancy/assets/css/ (775) | components/com_vacancy/views/ (775) | components/com_vacancy/views/vacancy/ (775) | components/com_vacancy/views/vacancy/tmpl/ (775) | tmp/package/ (775) | upload/ (775) | usage/ (775) |
Database Information :: wrote:Database statistics :: Uptime: 6522631 | Threads: 2 | Questions: 1554078789 | Slow queries: 1144 | Opens: 4999021 | Flush tables: 33151 | Open tables: 2522 | Queries per second avg: 238.259 |
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.19) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.19) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.19) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.19) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.19) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.19) 1 | WF_LINK_SEARCH_TITLE (2.6.19) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.19) 1 | WF_POPUPS_WINDOW_TITLE (2.6.19) 1 | WF_STYLESELECT_TITLE (2.6.19) 1 | WF_AUTOSAVE_TITLE (2.6.19) 1 | WF_SOURCE_TITLE (2.6.19) 1 | WF_LAYER_TITLE (2.6.19) 1 | WF_PRINT_TITLE (2.6.19) 1 | WF_FULLSCREEN_TITLE (2.6.19) 1 | WF_FONTCOLOR_TITLE (2.6.19) 1 | WF_FONTSELECT_TITLE (2.6.19) 1 | WF_ANCHOR_TITLE (2.6.19) 1 | WF_ARTICLE_TITLE (2.6.19) 1 | WF_TEXTCASE_TITLE (2.6.19) 1 | WF_EMOTIONS_TITLE (2.6.19) 1 | WF_CLIPBOARD_TITLE (2.6.19) 1 | WF_STYLE_TITLE (2.6.19) 1 | WF_MEDIA_TITLE (2.6.19) 1 | WF_VISUALBLOCKS_TITLE (2.6.19) 1 | WF_KITCHENSINK_TITLE (2.6.19) 1 | WF_FORMATSELECT_TITLE (2.6.19) 1 | WF_XHTMLXTRAS_TITLE (2.6.19) 1 | WF_IMGMANAGER_TITLE (2.6.19) 1 | WF_NONBREAKING_TITLE (2.6.19) 1 | WF_DIRECTIONALITY_TITLE (2.6.19) 1 | WF_FONTSIZESELECT_TITLE (2.6.19) 1 | WF_LINK_TITLE (2.6.19) 1 | WF_CHARMAP_TITLE (2.6.19) 1 | WF_TABLE_TITLE (2.6.19) 1 | WF_BROWSER_TITLE (2.6.19) 1 | WF_CLEANUP_TITLE (2.6.19) 1 | WF_LISTS_TITLE (2.6.19) 1 | WF_CONTEXTMENU_TITLE (2.6.19) 1 | WF_INLINEPOPUPS_TITLE (2.6.19) 1 | WF_SEARCHREPLACE_TITLE (2.6.19) 1 | WF_SPELLCHECKER_TITLE (2.6.19) 1 | WF_PREVIEW_TITLE (2.6.19) 1 | WF_VISUALCHARS_TITLE (2.6.19) 1 | WF_HR_TITLE (2.6.19) 1 |
Components :: ADMIN :: com_categories (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_media (3.0.0) 1 | spambotcheck (1.0.1) 1 | com_config (3.0.0) 1 | com_search (3.0.0) 1 | COM_JCE (2.6.19) 1 | COM_EASYJOOMLABACKUP (3.2.4) 1 | JCH Optimize (5.2.2) 1 | com_associations (3.7.0) 1 | com_contenthistory (3.2.0) 1 | COM_VACANCY (0.1.1) 1 | com_ajax (3.2.0) 1 | com_checkin (3.0.0) 1 | com_installer (3.0.0) 1 | com_admin (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_modules (3.0.0) 1 | COM_TEAM (1.0.8) 1 | com_redirect (3.0.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_content (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | COM_K2 (2.8.0) 1 | mod_k2_comments (-) 1 | mod_k2_comments (-) 1 | com_users (3.0.0) 1 | Blank Component (3.0.0) 1 | com_cpanel (3.0.0) 1 | COM_PROJECT (0.0.15) 1 | com_templates (3.0.0) 1 | COM_JANTIVIRUS (5.3) 1 | com_messages (3.0.0) 1 | com_languages (3.0.0) 1 | com_menus (3.0.0) 1 | com_login (3.0.0) 1 | com_plugins (3.0.0) 1 | com_tags (3.1.0) 1 |

Modules :: SITE :: mod_articles_news (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | FavPromote (1.7) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | FavSlider Responsive Slideshow (1.7) 1 | mod_whosonline (3.0.0) 1 | FavSocial (1.5) 1 | mod_random_image (3.0.0) 1 | BT Login (2.6.4) 1 | mod_banners (3.0.0) 1 | K2 Tools (2.8.0) 1 | FavGlyph (1.4) 1 | mod_users_latest (3.0.0) 1 | Services Overview (1.0.0) 1 | FavImageHover (1.8) 1 | Team display (1.0.0) 1 | mod_articles_latest (3.0.0) 1 | K2 Content (2.8.0) 1 | FavTeam (1.1) 1 | mod_syndicate (3.0.0) 1 | K2 Comments (2.8.0) 1 | Bizkniz Twitter Feed Display (1.0) 1 | mod_languages (3.5.0) 1 | mod_tags_popular (3.1.0) 1 | mod_finder (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | K2 Users (2.8.0) 1 | Image met caption (1.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_login (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_footer (3.0.0) 1 | BT Google Maps (2.0.12) 1 | mod_feed (3.0.0) 1 | MetaMod (3.26) 1 | MetaMod (3.26) 1 | Video Banner (1.0.0) 1 | mod_custom (3.0.0) 1 | mod_search (3.0.0) 1 | K2 User (2.8.0) 1 | Contact formulier (1.0.0) 1 | mod_menu (3.0.0) 1 | mod_stats (3.0.0) 1 |
Modules :: ADMIN :: mod_sampledata (3.8.0) 0 | K2 Quick Icons (admin) (2.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_jantivirus (2.5.0) 1 | K2 Stats (admin) (2.8.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_status (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_title (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_login (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_menu (3.0.0) 1 |


Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Tue Jan 30, 2018 7:19 pm, edited 2 times in total.
Reason: mod note: disabled smilies for readability

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3247
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: Weird Security issue considering custom build form module

Post by ribo » Tue Jan 30, 2018 6:56 pm

Your security issue can come from permissions of your folders that you have them 775. All folders inside the root folder must be 755, files 644 and configuration.php 444 . Also be sure that your extensions and template are up to date and not vulnerable.
chat room spontes : http://www.spontes.com

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3247
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: Weird Security issue considering custom build form module

Post by ribo » Tue Jan 30, 2018 6:59 pm

Also i m not sure what happens to your custom form and if it is safe.
chat room spontes : http://www.spontes.com

User avatar
sozzled
Joomla! Champion
Joomla! Champion
Posts: 5501
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: Weird Security issue considering custom build form module

Post by sozzled » Wed Jan 31, 2018 8:00 am

I agree with @ribo. Sounds to me like the custom form extension is not honouring (or using) the session handler properly. I would contact the developer of the custom contact form extension to ask for their opinion.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?


Post Reply

Return to “Security in Joomla! 3.x”