The guestbook uses t
Posted: 03 Mar 2008, 14:31
The guestbook uses tinyMCE as editor and only relies on the input filtering the editor does.
By allowing JREQUEST_ALLOWRAW, all malicious-content filtering that Joomla offers is bypassed.
The content field has to be filtered though for malicious code. A simple exploit looks like this:
Disable JavaScript in the browser. You get the plain text field instead of the tinyMCE, where you can directly launch your attack.
Now enter some JavaScript code, such as you can find here:
http://phpsec.org/projects/guide/2.html#2.3
A hot fix for this is to remove JREQUEST_ALLOWRAW at line 45 in controllers/phocaguestbook.php
$post['content'] = JRequest::getVar( 'content', '', 'post', 'string' /* , JREQUEST_ALLOWRAW */ );
As a consequence users cannot input any HTML formatting at all anymore, so I also removed the tinyMCE by commenting out lines 29 and 30 in views/phocaguestbook/view.html.php
//$document->addCustomTag(PhocaguestbookHelper::setTinyMCEJS());
//$document->addCustomTag(PhocaguestbookHelper::displaySimpleTinyMCEJS());
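A server-side alternative to the hot fix above, added here as an example and not code from the post or from Phoca Guestbook: the editor's filtering runs in the browser and disappears as soon as JavaScript is off, so the content field has to be cleaned on the server no matter what the client sent. This whitelist filter keeps a few formatting tags so visitors still get basic markup, while dropping every attribute and every script/style block. The function names and the tag list are this example's own choices; for a production component a maintained library such as HTML Purifier is the safer choice.

```php
<?php
// Added example: server-side whitelist filter for the guestbook content
// field (not Phoca Guestbook code). Keeps a few formatting tags, strips all
// attributes (event handlers, href, style) and removes script/style entirely.
function sanitizeGuestbookContent(string $html): string
{
    $allowed = ['b', 'i', 'u', 'strong', 'em', 'p', 'br'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // tolerate tag soup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper div
    cleanNode($root, $allowed);
    $out = '';                               // serialize the wrapper's children only
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Snapshot the list: removing children while iterating a live NodeList skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                        // plain text stays; saveHTML escapes it
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);      // comments, processing instructions
            continue;
        }
        $name = strtolower($child->tagName);
        if ($name === 'script' || $name === 'style') {
            $node->removeChild($child);      // drop the element together with its payload
        } elseif (!in_array($name, $allowed, true)) {
            cleanNode($child, $allowed);     // unknown tag: unwrap it, keep its text
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        } else {
            while ($child->attributes->length > 0) {   // allowed tag: no attributes at all
                $child->removeAttributeNode($child->attributes->item(0));
            }
            cleanNode($child, $allowed);
        }
    }
}
```

Applied to the value read from the content field, this filter works the same for a tinyMCE submission and for the raw textarea a visitor gets with JavaScript disabled.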