Discussion: Guide to more secure Components/Modules/Plugins...

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Locked
User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Discussion: Guide to more secure Components/Modules/Plugins...

Post by brad » Fri Jul 21, 2006 4:29 am

Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

User avatar
trompete
Joomla! Explorer
Joomla! Explorer
Posts: 273
Joined: Thu Sep 01, 2005 11:19 pm
Location: Minneapolis, USA
Contact:

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by trompete » Fri Jul 21, 2006 5:05 am

Thank you. Thank you. Thank you.

I'll gradually be migrating the external entry points (RSS, cron jobs) of my 3rd-party components to the no_html syntax. Free time is the limiting factor for us 3PDs, of course.
Developer, bsq_sitestats module.
www.bs-squared.com

troyDoogle7
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Oct 12, 2005 5:16 pm

writing secure modules

Post by troyDoogle7 » Fri Aug 04, 2006 5:19 pm

I have just looked at one of the online guides that has the flollowing quote (listed below)  I need to know if I should put

include( $mosConfig_absolute_path . '/components/com_yourcomponent/yourcomponent.class.php' ); at the top of my module code (obviously referring to the module file name)


2. Secure your software against remote file inclusion
Now imagine, you have a line like this one in your code:
Code:

include( $mosConfig_absolute_path . '/components/com_yourcomponent/yourcomponent.class.php' );


Furthermore, imagine that a cracker tries to access your file as
Quote
http:/ /www.example.com/components/com_yourcomp ... te/bad.gif?
and actually sends back executable PHP code under the filename of that image. That code then is executed (assuming that register_globals is switched on in your webserver, which unfortunaltely is the case for many people) in your or your customers webserver with the permissions of the webserver. The attacker can do anything he wants to do (and what the webserver is allowed for) on your webserver! This is called remote file inclusion. Unfortunately, this is something even script kiddies can do easily.
There are also some more advanced technics out there that allow for remote file inclusion in some PHP versions even if you have switched register_globals off. Remote file inclusion only works on systems that have the PHP setting allow_url_fopen switched to on. But as this option is needed by many "good" programs as well, switching it off is not always a good idea.


friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: writing secure modules

Post by friesengeist » Fri Aug 04, 2006 5:28 pm

troyDoogle7 wrote: I have just looked at one of the online guides that has the flollowing quote (listed below)  I need to know if I should put

include( $mosConfig_absolute_path . '/components/com_yourcomponent/yourcomponent.class.php' ); at the top of my module code (obviously referring to the module file name)
Sorry, guess I don't understand your question fully. Do you need the class file in your module? Otherwise, you don't need that line. It's important to have this one:

Code: Select all

defined( '_VALID_MOS' ) or die( 'Restricted access' );
That line needs to be on top of everything else. You must not use something like

Code: Select all

include( $mosConfig_absolute_path . '/components/com_yourcomponent/yourcomponent.class.php' );
at the top of your file. If you need it, put it after the "defined(...) or die(...)" statement.
We may not be able to control the wind, but we can always adjust our sails

troyDoogle7
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Oct 12, 2005 5:16 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by troyDoogle7 » Sat Aug 05, 2006 1:51 am

Hi thanks for answering.  Let me try to rephrase... I my english is not so great either!

In the article below it detials procedure to create a component.  I want to create a standalone module that I can add to the front page on the site. must I include this in the module header? 
include( $mosConfig_absolute_path . '/module/mod_yourmodulename/your module.php' );

( I am not creating a component, or working with a component. Its pureley a standalone module.)

Does taht make better sense?

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Sun Aug 06, 2006 2:17 pm

troyDoogle7 wrote: In the article below it detials procedure to create a component.  I want to create a standalone module that I can add to the front page on the site. must I include this in the module header? 
include( $mosConfig_absolute_path . '/module/mod_yourmodulename/your module.php' );

( I am not creating a component, or working with a component. Its pureley a standalone module.)
If you don't have any external files which you need in your module, you don't need that line. Your module itself will be called by Joomla! when published on the according page. You only need to include files that have external functions you need, e.g. in a component when you have separated a few functions into external files to keep the main file clean and short ;)
We may not be able to control the wind, but we can always adjust our sails

troyDoogle7
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Oct 12, 2005 5:16 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by troyDoogle7 » Sun Aug 06, 2006 3:15 pm

do image files count as an external file or only external php files.  The module has an image on it and some text description( its a signup for my newsletter module using oempro)

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Sun Aug 06, 2006 3:23 pm

troyDoogle7 wrote: do image files count as an external file or only external php files.  The module has an image on it and some text description( its a signup for my newsletter module using oempro)
All files which you include by using functions like: include, include_once, require, require_once...
But I guess you probably don't include an image like this, but rather show it by the html tag?
We may not be able to control the wind, but we can always adjust our sails

User avatar
josoroma
Joomla! Intern
Joomla! Intern
Posts: 84
Joined: Sun Sep 11, 2005 12:59 am

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by josoroma » Wed Aug 09, 2006 8:36 pm

I was reading a lot the post:
http://forum.joomla.org/index.php/topic,78781.0.html
This is the most perfect guide that i ever found about
developing with Joomla :)

But still I am a little lost with respect to:

#1
When is necesarry to use mosMakeHtmlSafe($row); in some component.html.php?
is it better than use $value = htmlspecialchars( $value ); ?

#2
For example, in some component class:

class myComponentClass {

    var $integer = ;
    var $string = ;
    var $array = ;
    var $boolean = ;
    var $date = ;
    ...

Which is the best way to initialize this types of variables?
Which is the best way to sanitize before SQL statements?

Any comment or help is welcome.
Thanx in advanced everybody.
----------------------------------------
Josoroma

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Wed Aug 09, 2006 10:08 pm

josoroma wrote: But still I am a little lost with respect to:

#1
When is necesarry to use mosMakeHtmlSafe($row); in some component.html.php?
is it better than use $value = htmlspecialchars( $value ); ?
If you have just a single variable (a string), then you should use htmlspecialchars().
mosMakeHtmlSafe() applies htmlspecialchars() to each variable of an object. Therefore you can use it best on objects, if you need to put most of the entries through htmlspecialchars() anyway.
josoroma wrote: #2
For example, in some component class:

class myComponentClass {

    var $integer = ;
    var $string = ;
    var $array = ;
    var $boolean = ;
    var $date = ;
    ...

Which is the best way to initialize this types of variables?
Which is the best way to sanitize before SQL statements?
Here is how I would initialize them:

Code: Select all

var $integer    = 0;
 var $string     = '';
 var $array      = null;
 var $boolean    = false;
 var $date	 = ???; // Depends: empty string for date in stringformat,
                        // null for a datetime object, 0 (integer) for unix timestamp.
If you have a class that extends mosDBTable, and if you just use $row->load, $row->bind, $row->store etc., you don't need to do any escaping by yourself, the mosDBTable class takes care of that.

If you do SQL queries by yourself, you need to escape every single variable which you use.
Let's assume you have string variable that comes in though mosGetParam( $_POST, 'my_var' ):

Code: Select all

$myVar = mosGetParam( $_POST, 'my_var' );
 /*
  * This is the important stuff: escape the string by the databases function.
  * addslashes is in some (rare) circumstances not enough. That's why we first call
  * stripslashes() (to get rid of the slashes from mosGetParam(), which automatically adds slashes)
  * and then call $databse->getEscaped();
  */
 $myVar = stripSlashes( $myVar );
 $myVar = $database->getEscaped( $myVar );
 $query = "SELECT * FROM #__table WHERE name = '$myVar'";
 $database->setQuery( $query ); // etc...
For intergers, it's enough to call intval() before you use the variable in a query:

Code: Select all

$myInt = intval( $myInt );
 $query = "SELECT * FROM #__table WHERE some_id = $myInt";
 $database->setQuery( $query ); // etc...
Does this answer your questions?
We may not be able to control the wind, but we can always adjust our sails

User avatar
josoroma
Joomla! Intern
Joomla! Intern
Posts: 84
Joined: Sun Sep 11, 2005 12:59 am

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by josoroma » Wed Aug 09, 2006 10:27 pm

friesengeist wrote: Does this answer your questions?
100% man!!!
Thanx
----------------------------------------
Josoroma

User avatar
josoroma
Joomla! Intern
Joomla! Intern
Posts: 84
Joined: Sun Sep 11, 2005 12:59 am

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by josoroma » Fri Aug 11, 2006 11:05 am

Now im losted with two new questions:

#1
Which are the basic rules to use and test SEF Advanced while a developer is creating a component or module?

#2
Which are the basic rules to use and test Cache while a developer is creating a component or module?


Thanks in advanced.
----------------------------------------
Josoroma

User avatar
Hummerbie
Joomla! Apprentice
Joomla! Apprentice
Posts: 26
Joined: Sun Jun 04, 2006 7:14 pm
Location: The Netherlands
Contact:

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by Hummerbie » Sat Aug 12, 2006 6:55 am

Mabye I missed something, but I can't find anything in the forum that requests or adviseses developers to NOT give a component version number in the frontend !!

It is now easy for a hacker/cracker to find out if the version you are running is vunerably ore not...its indexed in Google

So my request to developers is a simpel one to start with?

Please do'nt display a version number in the frontend, only in the back end....
Last edited by Hummerbie on Sat Aug 12, 2006 5:35 pm, edited 1 time in total.

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Sun Aug 13, 2006 4:15 pm

josoroma wrote: #1
Which are the basic rules to use and test SEF Advanced while a developer is creating a component or module?
Do you mean the 3PD component SEF Advanced, or the Joomla! core SEF?
For SEF Advanced, I have no clue. For the Joomla! core SEF, just use sefRelToAbs() instead of echoing out the URL directly. Nothing special I can think of here in terms of security.
josoroma wrote: #2
Which are the basic rules to use and test Cache while a developer is creating a component or module?
Make sure your extension works with both: cache on and off. Make sure to log in as different users and only display the appropriate content for the logged in user. This can be achieved by passing $my->gid (group id) to the caching function. If you don't do this, it could happen that a registered user creates a cached item, and a guest then sees the cached results, meaning the information for people with registered accounts.
We may not be able to control the wind, but we can always adjust our sails

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Sun Aug 13, 2006 4:21 pm

Hummerbie wrote: Mabye I missed something, but I can't find anything in the forum that requests or adviseses developers to NOT give a component version number in the frontend !!

It is now easy for a hacker/cracker to find out if the version you are running is vunerably ore not...its indexed in Google

So my request to developers is a simpel one to start with?

Please do'nt display a version number in the frontend, only in the back end....
Thanks very much for this hint, I will include it in the guide and the development wiki (as soon as time permits, might be a few days). You are absolutely right on this one, I just forgot about it. ;)
We may not be able to control the wind, but we can always adjust our sails

User avatar
anetus
Joomla! Intern
Joomla! Intern
Posts: 79
Joined: Fri Aug 19, 2005 5:50 am
Location: Los Angeles
Contact:

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by anetus » Tue Aug 29, 2006 2:27 pm

First - thank you friesengeist for great job putting together the guidelines !

Then question, to clearify:
if a component is secured against direct access (has defined( '_VALID_MOS' )  line at the beginning of each file)
then is it safe to use $mosConfig_absolute_path in includes ?

I know it's better to use constants (good practice as you said):

Code: Select all

define( 'YOURBASEPATH', dirname(__FILE__) );
require_once( YOURBASEPATH . '/file_to_include.php' );
but that works only for files in component's folder, doesn't it ?

Is there a way to use constants to refer to media folders, like /images/stories ?

cheers
Konrad

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Wed Aug 30, 2006 8:36 pm

anetus wrote: Then question, to clearify:
if a component is secured against direct access (has defined( '_VALID_MOS' )  line at the beginning of each file)
then is it safe to use $mosConfig_absolute_path in includes ?
For 1.0.x, this is common practice, and as long as $mosConfig_absolute_path does not become overwritten by e.g. some insecure SEF extensions, there is nothing wrong with that.
anetus wrote: I know it's better to use constants (good practice as you said):

Code: Select all

define( 'YOURBASEPATH', dirname(__FILE__) );
require_once( YOURBASEPATH . '/file_to_include.php' );
but that works only for files in component's folder, doesn't it ?

Is there a way to use constants to refer to media folders, like /images/stories ?
If you already have the base path of your Joomla! installation (J! 1.5 defines some path constants), then you can just use that. E.g.:

Code: Select all

include( JPATH_ROOT . DS . 'images' . DS . 'stories' . DS . 'file.php' );
For 1.0.x, this should work (not tested ;)):

Code: Select all

$parts = explode( DIRECTORY_SEPARATOR, dirname( __file__) );
 array_pop( $parts ); // assuming that you are in /componets/com_yourcomponent/xyz.php, this will strip
 array_pop( $parts ); // "/components" and "/com_yourcomponent" away from the path.
 define( 'YOURBASEPATH', implode( DIRECTORY_SEPARATOR, $parts ) );
 include( YOURBASEPATH . DS . 'images' . DS . 'stories' . DS . 'file.php' );
We may not be able to control the wind, but we can always adjust our sails

mookiha
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sat Sep 09, 2006 6:47 pm
Location: Hawaii, USA

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by mookiha » Sat Sep 09, 2006 8:10 pm

In your previous post...
Also, it is a bad practice to access variables like this (read resource [5.4] for more technical details):
Code:

Code: Select all

echo $GLOBALS['varname'];
You should rather use this:
Code:

Code: Select all

global $varname;
 echo $varname;
I see this throughout the Joomla core:

Code: Select all

require_once( $GLOBALS['mosConfig_absolute_path'] . '/administrator/includes/pageNavigation.php' );
Is that ok?

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by friesengeist » Sun Sep 10, 2006 9:48 am

mookiha wrote: In your previous post...
Also, it is a bad practice to access variables like this (read resource [5.4] for more technical details):
[...]
I see this throughout the Joomla core:

Code: Select all

require_once( $GLOBALS['mosConfig_absolute_path'] . '/administrator/includes/pageNavigation.php' );
Is that ok?
It's OK as long as the file is included by Joomla!. Joomla!'s globals.php takes care of all the security issues that were caused by PHP.
If you are running an up-to-date PHP version, you are safe anyway, the PHP hole was fixed (if I remember correctly) in 4.4.1 and 5.0.5.

The problem is, that under certain circumstances, a visitor was able to make $var and $GLOBALS['var'] a diffrent thing. So if you initialized a variable outside of a function as "$var = 'test';", and then inside of a function, you used it as $GLOBALS['var'], it could hold something different than 'test'.
We may not be able to control the wind, but we can always adjust our sails

peltia
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Wed Sep 06, 2006 11:37 pm

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by peltia » Thu Sep 14, 2006 3:11 pm

Would it be more secure to use $_SERVER['DOCUMENT_ROOT'] instead of $mosConfig_absolute_path ?

User avatar
Dangerous Boy
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 225
Joined: Mon Dec 26, 2005 6:25 pm
Location: Home

Not a constructive comment....

Post by Dangerous Boy » Mon Oct 02, 2006 4:16 am

woow! now I know why I can't get in to my JCE Configuration panel! grrrrrr!!! everytime I click on JCE Configuration I get a Alert Message Restricted Access and now I now why!... grrrrrrr!!!
Nothing for the moment....

User avatar
Jin597
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Thu Mar 23, 2006 5:39 am

Re: Discussion: Guide to more secure Components/Modules/Plugins...

Post by Jin597 » Mon Oct 02, 2006 5:42 am

So what was the solution for this?
If you learn by making mistakes, be sure to make lots... so you learn more ;)


Locked

Return to “3rd Party/Non Joomla! Security Issues”