Disable Joomla's SEARCH ABILITY or you will be HACKED !
- nnth
- Joomla! Intern
- Posts: 58
- Joined: Thu Sep 22, 2005 12:27 am
- Contact:
Disable Joomla's SEARCH ABILITY or you will be HACKED !
Hello, everyone!
I don't know why, but today, when I checked Joomla's Search Code (Components and Modules), I found that it didn't have any function to check the Input Data of users.
For example:
- Try putting 1 million characters in the search box and doing a search. Hey, imagine what will happen to your server?
- Try putting a slash / in the search box and doing a search. It will return any content that has a web address of your site.
...
I'm not sure why, or whether this issue is just a SECURITY BUG. Can anyone help me, please?
Last edited by nnth on Fri Oct 14, 2005 9:54 am, edited 1 time in total.
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?
- bluesaze
- Joomla! Guru
- Posts: 750
- Joined: Mon Sep 05, 2005 6:18 am
- Location: India
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Mmmm, well, I just tried it. I don't think the server will crash, but I guess it's always better to have a check before searching. Usually there should be a check to remove all funny characters like & * @ % ' etc. Also, the search term should be limited to 100 words or less.
- nnth
- Joomla! Intern
- Posts: 58
- Joined: Thu Sep 22, 2005 12:27 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Hello, bluesaze!
I don't know if you tested your server on localhost or on a real site. But imagine if your site currently has 1000 active visitors, and half of them are trying a million search words at the same time.
By the way, "MAXLENGTH" in your SEARCH FORM is a good idea but not enough. If someone saves the search page, then edits the form method to "POST" and maxlength to "1 million", he can always hack your server easily.
I think we should have some functions (preg_match, etc.) to check the User Input on the server!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?
-
- Joomla! Apprentice
- Posts: 13
- Joined: Sat Oct 01, 2005 8:10 pm
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Is this the case in Mambo too? or is this unique to Joomla?
- Jinx
- Joomla! Champion
- Posts: 6508
- Joined: Fri Aug 12, 2005 12:47 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
This is not a security bug! This is just another DOS (denial of service) attack. It won't affect your Joomla installation; it will affect the server, because you are flooding it with a lot of information. There are a lot of ways to create DOS attacks; the only thing they can do is keep your server busy or, in the worst case, take it offline.
Also, the form has a maxlength of 20. You will need to go through a lot of trouble to get that one million characters in.
Maybe you should just try a ping flood.
Last edited by Jinx on Sun Oct 09, 2005 8:50 am, edited 1 time in total.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5
http://www.joomlatools.com - Joomla extensions that just work
- bluesaze
- Joomla! Guru
- Posts: 750
- Joined: Mon Sep 05, 2005 6:18 am
- Location: India
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Jinx wrote: Also, the form has a maxlength of 20. You will need to go through a lot of trouble to get that one million characters in.
Mmm, you're wrong there, 'cos I was able to copy and paste a really long string, more than 1000.
Here's the error I got:
"Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.
request failed: URI too long"
Last edited by bluesaze on Sun Oct 09, 2005 10:58 am, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 47
- Joined: Sun Sep 11, 2005 10:42 pm
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
This is sort of both. It's sort of a hack, but at the same time it's a DOS attack. The PHP code should only parse the first 30 characters. If it's pulling all 1000, you might have a buffer overflow vulnerability. Needless to say, it's easy to bypass that HTML restriction for the maxlength. Download Paros and proxy through that and change the maxlength 20 to 1000, IN REAL TIME. Your server might have an option set that limits the POST data being submitted. The code should do this:
- Obtain data
- Parse out 20 characters. If it has more than 20 characters, it should report an error and die
- Check the 20 characters for special characters and remove them (things like: & * # <)
- Perform the MySQL query
Also, you can use ModSecurity for Apache if you want to do this without Joomla. It takes A LOT of tweaking to get it to work, but eventually you can get it to filter input and output from predefined rules. I'll look at the code later and submit a fix if needed. I don't use the search function in Joomla, so I'm OK.
- Jinx
- Joomla! Champion
- Posts: 6508
- Joined: Fri Aug 12, 2005 12:47 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Just put in a bug report and we will fix it in the next stability release.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5
http://www.joomlatools.com - Joomla extensions that just work
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sun Oct 09, 2005 3:08 pm
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
It happened to me. It REALLY DOES WORK. I have pictures to prove it (one of the mods on the site just had to try it).
http://[spam].com/albums/v671/talo ... ATTACK.jpg
- Jinx
- Joomla! Champion
- Posts: 6508
- Joined: Fri Aug 12, 2005 12:47 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Still not sure what you are trying to prove here. Add it as a bug to the tracker and we will fix it. Simple, no?
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5
http://www.joomlatools.com - Joomla extensions that just work
- nnth
- Joomla! Intern
- Posts: 58
- Joined: Thu Sep 22, 2005 12:27 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Hi all and thanks for helping me!
I already know that this issue is a sort of hack, and I posted it here to announce it to everyone who wants his site to be more secure and more stable!
We should discuss the way to improve or fix it. And if someone knows the way to do that, share it!
I'm currently having a look at the code, and if I find out how, I will post it here as soon as possible.
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
This issue has been fixed in SVN and will be available in 1.0.3, which will be released shortly.
Search will now only allow search terms between 3 and 20 characters.
We cannot exclude the characters you mention, as they can be valid search terms in some circumstances.
In future, please report all/any bugs in the official tracker:
http://developer.joomla.org/sf/tracker/ ... acker.bugs
to ensure that it is correctly actioned.
Last edited by stingrey on Tue Oct 11, 2005 3:41 am, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
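As an added example (not Joomla's own code, and not the phpInputFilter mentioned later in the thread), here is one way to implement the server-side check this thread converges on: bound the term to the 3 to 20 characters stingrey describes, keep characters such as % or / rather than stripping them (they can be valid search terms) but make LIKE treat them literally, and hand the term to MySQL through a prepared statement so it is data, not SQL. The `content` table with `id`, `title` and `introtext` columns, the mysqli connection and the mbstring extension are assumptions of the example, not part of the thread.

```php
<?php
// Added example (not Joomla's own code): server-side validation of a search
// term and a parameterised query, using the thread's 3..20 character bound.
// Assumes the mbstring extension, mysqlnd (for get_result) and a hypothetical
// `content` table with `id`, `title` and `introtext` columns.
declare(strict_types=1);

const SEARCH_MIN_LEN = 3;
const SEARCH_MAX_LEN = 20;

/**
 * Normalise and bound a raw search term. Returns null when the term is
 * rejected, so the caller never touches the database for bad input.
 * This runs on the server: a browser-side maxlength can simply be edited away.
 */
function validateSearchTerm(string $raw): ?string
{
    // Refuse huge payloads before doing any regex work on them. 4 bytes per
    // character is the UTF-8 worst case, so this bound never rejects a valid term.
    if (strlen($raw) > 4 * SEARCH_MAX_LEN) {
        return null;
    }
    // Collapse runs of whitespace; preg_replace returns null on invalid UTF-8.
    $term = preg_replace('/\s+/u', ' ', $raw);
    if ($term === null) {
        return null;
    }
    $term = trim($term);
    $len = mb_strlen($term, 'UTF-8');
    // Rejects both the lone "/" case and the flood case from the thread.
    if ($len < SEARCH_MIN_LEN || $len > SEARCH_MAX_LEN) {
        return null;
    }
    return $term;
}

/**
 * Escape the LIKE metacharacters so a % or _ typed by the user matches
 * literally. The characters themselves are kept; they may be genuine terms.
 * Backslash is escaped first so the backslashes added here are not re-escaped.
 */
function buildLikePattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return '%' . $escaped . '%';
}

/**
 * Run the search through a prepared statement. Throws on rejected input
 * instead of silently searching for a truncated or altered term.
 */
function searchContent(mysqli $db, string $raw, int $limit = 50): array
{
    $term = validateSearchTerm($raw);
    if ($term === null) {
        throw new InvalidArgumentException(
            sprintf('Search term must be %d to %d characters', SEARCH_MIN_LEN, SEARCH_MAX_LEN)
        );
    }
    $pattern = buildLikePattern($term);
    $stmt = $db->prepare(
        'SELECT id, title FROM content WHERE title LIKE ? OR introtext LIKE ? LIMIT ?'
    );
    $stmt->bind_param('ssi', $pattern, $pattern, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs that exercise the validator without a database.
$samples = [
    'joomla',                 // accepted
    '/',                      // too short: the single-slash case from the thread
    str_repeat('a', 1000000), // too long: the flood case from the thread
    '50% off',                // accepted; the wildcard is escaped, not stripped
];
foreach ($samples as $s) {
    $label = strlen($s) > 12 ? substr($s, 0, 9) . '...' : $s;
    $r = validateSearchTerm($s);
    printf("%-12s -> %s\n", $label, $r === null ? 'rejected' : 'accepted: ' . buildLikePattern($r));
}
```

The length bound is enforced in PHP regardless of what the form says, so saving the page and editing maxlength or switching the method to POST changes nothing. The request-body cap an earlier post alludes to is a separate, coarser layer: in PHP it is the `post_max_size` ini directive, and the web server has its own URL length limit (the "Request-URI Too Large" message bluesaze saw is Apache's standard 414 response). Those limits stop a megabyte from reaching the script at all; the application check above decides what the script is willing to search for.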
- nnth
- Joomla! Intern
- Posts: 58
- Joined: Thu Sep 22, 2005 12:27 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
It sounds good :) I will wait for 1.0.3. Thanks for the hard work!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?
- bjtipton
- Joomla! Apprentice
- Posts: 12
- Joined: Mon Sep 12, 2005 7:51 pm
- Location: United States
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
stingrey wrote: This issue has been fixed in SVN and will be available in 1.0.3 - which will be released shortly.
You guys rock.
Brian Tipton
Mambo User - Joomla Convert
-
- Joomla! Apprentice
- Posts: 36
- Joined: Thu Oct 13, 2005 5:58 pm
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Any possibility of incorporating input validation rules for the application? This would provide protection against most future attacks, a basic security programming technique these days.
- Jinx
- Joomla! Champion
- Posts: 6508
- Joined: Fri Aug 12, 2005 12:47 am
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Joomla uses phpInputFilter for this. It is used to clean all input of malicious code.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5
http://www.joomlatools.com - Joomla extensions that just work
-
- Joomla! Apprentice
- Posts: 36
- Joined: Thu Oct 13, 2005 5:58 pm
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
Hi,
That is good to hear. I am waiting for the security release 1.0.3 before installing on my site. I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product. I am hoping the developers are very careful with security. I would hate to implement a tool to save time only to be patching it every month. I know Mambo had a relatively good record compared to PHP-Nuke. I hope this improves even more with Joomla.
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
- Contact:
Re: Disable Joomla's SEARCH ABILITY or you will be HACKED !
gulfcad wrote: I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product.
All important information, including security alerts, will be posted in the announcements forum which you subscribed to.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach