Help! Dangerous File Inclusion issue...

kitecloud
Joomla! Apprentice
Posts: 6
Joined: Thu Feb 11, 2010 8:01 am

Help! Dangerous File Inclusion issue...

Post by kitecloud » Fri Feb 12, 2010 6:12 am

Hello, everyone.

I got a security alert with "Dangerous File Inclusion" by using security software. It means that an attacker can take complete control of the dynamic include statement by supplying a malicious value for controller that causes the program to include a file from an external site. The report pointed out the code in the base file of the component, such as:

require_once( JPATH_COMPONENT.DS.'controller.php' );
 
// Require specific controller if requested
if($controller = JRequest::getVar('controller')) {
    $path = JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php';
    if (file_exists($path)) {
        require_once $path;
    } else {
        $controller = '';
    }
}
 
// Create the controller
$classname    = 'DownloadController'.$controller;
$controller   = new $classname( );

But that is the code I copied from the Joomla hello world component. How could I fix this issue? :(

lafrance
Joomla! Ace
Posts: 1116
Joined: Thu Jan 11, 2007 5:02 pm
Location: Alberta,Canada
Contact:

Re: Help! Dangerous File Inclusion issue...

Post by lafrance » Fri Feb 12, 2010 6:39 am

Hello.

1. Run the forum post assistant and security tool

2. Ensure you have the latest version of Joomla. We recommend update manager

3. Review Vulnerable Extensions List

4. Review and action the Security Checklist (checklist 7) to make sure you've gone through all of the steps.

5. Change all passwords and, if possible, user names for the website host control panel and your Joomla site. This includes FTP, cPanel, etc.

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.

7. To reset your admin password: http://docs.joomla.org/How_do_you_recov ... assword%3F

8. http://forum.joomla.org/viewtopic.php?f=428&t=272481
VEL contributor @ http://docs.joomla.org/Investigation_of_exploits
OSM,Trademark and Licensing Team,jed editor
Please no pm direct contact irc freenode.net #joomla

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Help! Dangerous File Inclusion issue...

Post by mandville » Fri Feb 12, 2010 5:22 pm

kitecloud wrote:
> Hello, everyone.
> I got a security alert with "Dangerous File Inclusion" by using security software.

What security software, who made it, where did you get it from?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: Help! Dangerous File Inclusion issue...

Post by jeffchannell » Fri Feb 12, 2010 7:53 pm

Change this line:

if($controller = JRequest::getVar('controller')) {

to

if($controller = JRequest::getWord('controller')) {

http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
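As an added illustration of the fix suggested above (this is example code written for this thread, not code from the original post, from jeffchannell or from Joomla), the dispatcher from the first post is shown with the same letters-and-underscore restriction that JRequest::getWord() applies, plus an explicit allow-list of the controllers the component actually ships. To run outside Joomla, JRequest, JPATH_COMPONENT and DS are replaced by a plain argument, a constant and DIRECTORY_SEPARATOR; the component path and the list of controller names are assumptions.

```php
<?php
// Added example for this thread; not code from the original post or from Joomla.
// COMPONENT_PATH is an assumed install location; CONTROLLER_PREFIX comes from
// the first post's "DownloadController" class name.
define('COMPONENT_PATH', '/var/www/site/components/com_download');
define('CONTROLLER_PREFIX', 'DownloadController');

// Reduce the raw request value to letters and underscores, which is what the
// WORD filter behind JRequest::getWord() does. Dots, slashes and a NUL byte
// are dropped rather than passed on to require_once.
function controller_word($raw)
{
    return preg_replace('/[^A-Z_]/i', '', (string) $raw);
}

// Decide which controller file to require. $available stands in for the files
// that really exist under controllers/; checking against that list means a
// sanitised name such as "htaccess" still cannot select a file the component
// never shipped. Returns null when the base controller should be used.
function resolve_controller($raw, array $available)
{
    $word = controller_word($raw);
    if ($word === '' || !in_array($word, $available, true)) {
        return null;
    }
    return COMPONENT_PATH . DIRECTORY_SEPARATOR . 'controllers'
         . DIRECTORY_SEPARATOR . $word . '.php';
}

// Class name built as in the first post, but from the sanitised word only, so
// the "new $classname" step never sees raw request input either.
function controller_class($raw, array $available)
{
    $suffix = resolve_controller($raw, $available) === null ? '' : controller_word($raw);
    return CONTROLLER_PREFIX . $suffix;
}

// Constructed list of controllers this hypothetical component ships.
$available = array('download', 'category');

// Constructed request values, already URL-decoded as PHP would see them.
$samples = array(
    'download',              // legitimate
    'category',              // legitimate
    "../../../.htaccess\0",  // the value quoted later in this thread
    'dow nload',             // stray character: the filter collapses it to "download"
    'missing',               // well-formed word, but not a shipped controller
);

foreach ($samples as $raw) {
    $path  = resolve_controller($raw, $available);
    $class = controller_class($raw, $available);
    printf("%-24s -> %s, class %s\n",
        addcslashes($raw, "\0..\37"),
        $path === null ? 'base controller' : $path,
        $class);
}
```

Two points worth keeping in mind when reading the output. First, the trailing NUL byte mattered because PHP releases before 5.3.4 truncated a file path at the first NUL, so the appended '.php' was never part of the path that require_once opened; the word filter removes the byte before that can happen. Second, getWord() strips rather than rejects, so "dow nload" still reaches the download controller. If you would rather refuse anything that was not already clean, compare controller_word($raw) with $raw and treat a mismatch as an invalid request.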

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Help! Dangerous File Inclusion issue...

Post by mandville » Fri Feb 12, 2010 8:00 pm

jeff - does this need changing in the docs? eg as out of date etc?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: Help! Dangerous File Inclusion issue...

Post by jeffchannell » Fri Feb 12, 2010 8:11 pm

I would say so - using the posted code results in a local file include if the "controller" variable is sent using a relative path ending in a NUL byte:

index.php?option=com_component&controller=../../../.htaccess%00

http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
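For anyone checking whether their site has already seen the request pattern described above, here is a small log check written as an added example for this thread (not part of the original posts). It flags every access-log entry whose controller parameter contains characters that a WORD filter would strip. The log lines are constructed for the demo in Apache combined format, with RFC 5737 documentation addresses; only the request line inside the first pair of double quotes is parsed.

```php
<?php
// Added example for this thread; not from the original posts. Returns every
// log line whose "controller" query parameter contains characters a WORD
// filter would strip. Each hit carries the decoded value with control bytes
// escaped, so a NUL byte shows up as \000 in reports instead of vanishing.
function find_unsafe_controller_requests(array $logLines)
{
    $hits = array();
    foreach ($logLines as $lineNo => $line) {
        // Request line looks like: "GET /index.php?option=...&controller=... HTTP/1.1"
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        // parse_str() percent-decodes, so %00 becomes a real NUL byte and
        // %2e%2e becomes "..", matching what the component itself would see.
        parse_str($query, $params);
        if (!isset($params['controller']) || !is_string($params['controller'])) {
            continue;
        }
        // Anything outside letters and underscore is the same set getWord()
        // would remove: path separators, dot segments, NUL, spaces, etc.
        if (preg_match('/[^A-Z_]/i', $params['controller'])) {
            $hits[] = array(
                'line'  => $lineNo + 1,
                'value' => addcslashes($params['controller'], "\0..\37\177..\377"),
            );
        }
    }
    return $hits;
}

// Constructed sample log (Apache combined format, documentation IP ranges).
$sampleLog = array(
    '198.51.100.7 - - [12/Feb/2010:19:53:01 +0000] "GET /index.php?option=com_download&controller=download HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2010:19:53:04 +0000] "GET /index.php?option=com_download&controller=category&id=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [12/Feb/2010:19:55:17 +0000] "GET /index.php?option=com_download&controller=../../../.htaccess%00 HTTP/1.1" 200 412 "-" "curl/7.19.7"',
    '203.0.113.21 - - [12/Feb/2010:19:55:20 +0000] "GET /index.php?option=com_download&controller=%2e%2e%2fdownload HTTP/1.1" 200 398 "-" "curl/7.19.7"',
);

foreach (find_unsafe_controller_requests($sampleLog) as $hit) {
    printf("line %d: controller=%s\n", $hit['line'], $hit['value']);
}
```

On the sample above, lines 3 and 4 are reported and the two legitimate requests are not. Matching on "anything that is not a word character" rather than on a literal "../" is deliberate: it catches percent-encoded dot segments and the NUL-byte suffix with one rule, and it mirrors exactly what the getWord() fix lets through, so a hit in the log is by definition a request the patched component would have refused.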

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Help! Dangerous File Inclusion issue...

Post by mandville » Fri Feb 12, 2010 8:46 pm

Misread that as a NO for a minute!
OK - I have changed the code so that all functions now look not for the variables but the actual words. Also changed the text to indicate it's a word variable and not just a "variable".
Can you double check for me.. (thinking in Plesk atm) and I think the view command may be messed up as it's looking for the variables and not the words.. I have also marked it for tech review.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

kitecloud
Joomla! Apprentice
Posts: 6
Joined: Thu Feb 11, 2010 8:01 am

Re: Help! Dangerous File Inclusion issue...

Post by kitecloud » Tue Feb 23, 2010 10:09 am

OK. I will fix this issue and try again. Thank you very much!

