Disable Joomla's SEARCH ABILITY or you will be HACKED !

Post by nnth » Sat Oct 08, 2005 12:41 am

Hello, everyone!

I don't know why, but today, when I checked Joomla's search code (components and modules), I found that it didn't have any function to check the input data of users.

For example:

- Try to put 1 million characters in the search box and do a search. Hey, imagine what will happen to your server?  :'(
- Try to put a slash / in the search box and do a search. It will return any contents that have a web address of your site.
...

I'm not sure of the reason why, or is this issue just a SECURITY BUG? Can anyone help me, please?  ???
Last edited by nnth on Fri Oct 14, 2005 9:54 am, edited 1 time in total.
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

Post by bluesaze » Sat Oct 08, 2005 5:09 am

Mmmm, well, I just tried it. I don't think the server will crash, but I guess it's always better to have a check before searching. Usually there should be a check to remove all funny characters like & * @ % ' etc. Also, the search term should be limited to 100 words or less.
A. N. Jacob-New
The Tech & Design Blog http://www.Clazh.com

Post by nnth » Sun Oct 09, 2005 4:28 am

Hello, bluesaze!

I don't know if you tested your server on localhost or on a real site. But imagine if your site currently has 1000 active visitors, and half of them are trying a million search words at the same time.

By the way, "MAXLENGTH" in your SEARCH FORM is a good idea but not enough. If someone saves the search page, then edits the form method to "POST" and maxlength to "1 million", he can always hack your server easily.

I think we should have some functions (preg_match, etc...) to check the user input on the server!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

Post by The West Wing » Sun Oct 09, 2005 8:01 am

Is this the case in Mambo too?  or is this unique to Joomla?

Post by Jinx » Sun Oct 09, 2005 8:48 am

This is not a security bug! This is just another DOS (denial of service) attack. It won't affect your Joomla installation; it will affect the server because you are flooding it with a lot of information. There are a lot of ways to create DOS attacks; the only thing they can do is keep your server busy or, in a worst case, take it offline.

Also, the form has a maxlength of 20. You will need to go through a lot of trouble to get that one million characters in.

Maybe u should just try a ping flood ;)
Last edited by Jinx on Sun Oct 09, 2005 8:50 am, edited 1 time in total.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

Post by bluesaze » Sun Oct 09, 2005 10:35 am

Jinx wrote: Also, the form has a maxlength of 20. You will need to go through a lot of trouble to get that one million characters in.
Mmm, you're wrong there, because I was able to copy-paste a really long string, more than 1000.

Here's the error I got:

"Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long"
Last edited by bluesaze on Sun Oct 09, 2005 10:58 am, edited 1 time in total.
A. N. Jacob-New
The Tech & Design Blog http://www.Clazh.com

Post by ustler » Sun Oct 09, 2005 5:54 pm

This is sort of both. It's sort of a hack, but at the same time it's a DOS attack. The PHP code should only parse the first 30 characters. If it's pulling all 1000, you might have a buffer overflow vulnerability. Needless to say, it's easy to bypass that HTML restriction for the maxlength. Download Paros and proxy through that and change the maxlength 20 to 1000, IN REAL TIME. Your server might have an option set that limits the POST data being submitted. The code should do this:

Obtain Data
Parse out 20 characters -- If it has more than 20 characters, it should report error and die
Check 20 characters for special characters and remove them (things like: & * # < ;)
Perform Mysql Query

Also, you can use MOD_Security for Apache if you wanted to do this without Joomla. It takes A LOT of tweaking to get it to work, but eventually you can get it to filter input and output from predefined rules. I'll look at the code later and submit a fix if needed. I don't use the search function in Joomla, so I'm OK :)

Post by Jinx » Sun Oct 09, 2005 7:36 pm

Just put in a bug report and we will fix it in the next stability release.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

Post by Talon » Mon Oct 10, 2005 6:43 pm

It happened to me. It REALLY DOES WORK. I have pictures to prove it. (One of the mods on the site just had to try it.)

http://[spam].com/albums/v671/talo ... ATTACK.jpg

Post by Jinx » Mon Oct 10, 2005 7:16 pm

Still not sure what you are trying to prove here. Add it as a bug to the tracker and we will fix it. Simple, no?
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

Post by nnth » Tue Oct 11, 2005 3:14 am

Hi all and thanks for helping me!  :)

I already knew that this issue is a sort of hack, and I posted it here to announce it to everyone who wants his site to be more secure and more stable!

We should discuss the way to improve or to fix it. And if someone knows the way to do that, share it!

I'm currently having a look at the code and if I find out how, I will post it here as soon as possible. ;)
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

Post by stingrey » Tue Oct 11, 2005 3:25 am

This issue has been fixed in SVN and will be available in 1.0.3 - which will be released shortly.

Search will now only allow search terms between 3 - 20 characters.
We cannot exclude the characters you mention as they can be valid search terms in circumstances.


In future please report all/any bugs in the official tracker:
http://developer.joomla.org/sf/tracker/ ... acker.bugs
to ensure that it is correctly actioned.
Last edited by stingrey on Tue Oct 11, 2005 3:41 am, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D
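
An added example, not part of the thread and not Joomla's own code: server-side validation along the lines discussed above (the obtain, length-check, query steps in ustler's post and the 3 to 20 character limit in stingrey's), using a bound query parameter so that characters such as & * ' can stay valid search terms. The function names, the `content` table and the in-memory SQLite database are assumptions for illustration; it needs PHP 7.1+ with mbstring and pdo_sqlite.

```php
<?php
// Added illustration; not Joomla's code. All names here are hypothetical.
const SEARCH_MIN = 3;    // limits quoted in the thread for 1.0.3
const SEARCH_MAX = 20;

// Returns the trimmed term, or null when the input must be rejected
// before any query runs. The HTML maxlength attribute is never trusted.
function validate_search_term($raw): ?string
{
    if (!is_string($raw)) {                   // e.g. searchword[]=x arrives as an array
        return null;
    }
    if (strlen($raw) > SEARCH_MAX * 4 + 16) { // cheap byte guard before multibyte work
        return null;
    }
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $term = trim($raw);
    $len  = mb_strlen($term, 'UTF-8');
    return ($len >= SEARCH_MIN && $len <= SEARCH_MAX) ? $term : null;
}

// Escape LIKE wildcards with '!' so % and _ typed by the user match literally.
function like_pattern(string $term): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

// Bound parameter: characters such as & * ' stay usable as search terms.
function search_content(PDO $db, $raw): array
{
    $term = validate_search_term($raw);
    if ($term === null) {
        return [];                            // caller reports "enter 3 to 20 characters"
    }
    $stmt = $db->prepare("SELECT id, title FROM content WHERE title LIKE ? ESCAPE '!'");
    $stmt->execute([like_pattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO content (title) VALUES ('100% uptime'), ('Rock & roll'), ('O''Reilly')");
foreach (['100%', "O'Re", 'a', str_repeat('a', 1000000), ['x']] as $input) {
    printf("%d row(s)\n", count(search_content($db, $input)));
}
```

The length check bounds the work done per request inside the application; limits on request size at the web server still have to be set separately.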

Post by nnth » Tue Oct 11, 2005 3:30 am

It sounds good :) I will wait for 1.0.3. Thanks for the hard work!
JoomlArt.com
Joomla/Mambo Professional Templates Club
JoomLancers.com
Get Joomla projects done today ?

Post by bjtipton » Tue Oct 11, 2005 5:51 am

stingrey wrote: This issue has been fixed in SVN and will be available in 1.0.3 - which will be released shortly.
You guys rock. 8)
Brian Tipton
Mambo User - Joomla Convert

Post by gulfcad » Thu Oct 13, 2005 6:11 pm

Any possibility of incorporating input validation rules for the application? This would provide protection against most future attacks..a basic security programming technique these days.

Post by Jinx » Thu Oct 13, 2005 10:08 pm

Joomla uses phpInputFilter for this. It is used to clean all input from malicious code.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

Post by gulfcad » Thu Oct 13, 2005 11:49 pm

Hi,

:) That is good to hear. I am waiting for the security release 1.0.3 before installing on my site. I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product. I am hoping the developers are very careful with security. I would hate to implement a tool to save time only to be patching it every month. I know Mambo had a relatively good record compared to PHP-Nuke. I hope this improves even more with Joomla.

Post by stingrey » Fri Oct 14, 2005 7:00 am

gulfcad wrote: I have signed up for the newsletter, but I was wondering if there was a separate security alert notification yet for the product.
All important information - including security alerts will be posted in the announcements forum which you subscribed to.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

