Joomla Bible Study

...components for the glory of God

TOPIC: Security Patch
#1722
Security Patch 1 Month, 1 Week ago  
Is the security patch installed in the latest 6.1.3 version?
Bill Wright
billcw
Junior Boarder
Posts: 20
 
#1723
Re:Security Patch 1 Month, 1 Week ago  
You bet. In fact, 6.1.2 and 6.1.3 have additional security measures too. No need to apply the patch.
Tom
tmfuller
Administrator
Posts: 699
"You shall know the truth and the truth shall set you free." JC
 
#1724
Re:Security Patch 1 Month, 1 Week ago  
Great! Thanks Tom.
Bill Wright
billcw
Junior Boarder
Posts: 20
 
#1891
Re:Security Patch 3 Weeks, 1 Day ago  
Hi Tom. Can you give me some details on what the security fix targets. We're investigating why one of our sites that was using 6.011a with the security fix got hacked into.
Bill Wright
billcw
Junior Boarder
Posts: 20
 
#1894
Re:Security Patch 3 Weeks, 1 Day ago  
Sure -

The problem was in how the task was collected from the user. The main controller was constructed based on the models provided to developers on the Joomla Developer sites.

This is the old code (ie: 6.0.11a):

Code:

// Require specific controller if requested
if ($controller = JRequest::getVar('controller')) {
    // $controller is unfiltered here and goes straight into the include path
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

// Create the controller (the same unfiltered value also becomes part of the class name)
$classname = 'biblestudyController'.$controller;
$controller = new $classname( );

// Perform the Request task
$controller->execute( JRequest::getVar('task'));

// Redirect if set by the controller
$controller->redirect();

The getVar opened things up to hackers, who could use it to access information other than simply the controller's task.

The new code changes things in two ways:

Code:

// Require specific controller if requested
if ($controller = JRequest::getWord('controller')) {
    $approvedControllers = array(
        'studieslist',
        'studydetails',
        'serieslist',
        'seriesdetail',
        'teacherlist',
        'teacheredit',
        'teacherdisplay',
        'commentsedit',
        'commentslist',
        'landingpage',
        'mediafilesedit',
        'podcastedit',
        'studiesedit',
        'landingpage'
    );

    // Anything not on the list falls back to the default controller
    if ( ! in_array($controller, $approvedControllers)) {
        $controller = 'studieslist';
    }
}

You can see that we first changed getVar to getWord, which in itself closed the security hole. Secondly we provide a list of known controllers for the component. If the input is anything other than one of these words then it will default to 'studieslist'.

Secondly, we also changed how the task is obtained:

Code:


$controller->execute( JRequest::getWord('task'));



This also removes the getVar and changes it to getWord.

Hope this helps. It's likely there are a lot of components out there with this in them as it was how we were taught close to initial release of Joomla 1.5.

By the way, the patch (available in the downloads section) should work for any version of com_biblestudy.

Tom
Tom
tmfuller
Administrator
Posts: 699
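The dispatch pattern Tom describes, as an added example that is not part of the original post or of com_biblestudy's code. It is a stand-alone PHP script with no Joomla dependency: getVarRaw() stands in for the unfiltered JRequest::getVar() call of the old code, getWord() mimics JRequest::getWord() (which keeps only letters and underscores), the controllers directory path and the shortened allowlist are assumed, and the request parameters are constructed, not captured. Nothing is actually included; the script only shows which path each version of the code would hand to require_once.

```php
<?php
// Added example, not com_biblestudy or Joomla code: contrasts the old and new
// controller dispatch from the post above. JRequest stand-ins are assumed.
declare(strict_types=1);

// Assumed location of the component's controllers directory.
const CONTROLLERS_DIR = '/var/www/html/components/com_biblestudy/controllers';
const DEFAULT_CONTROLLER = 'studieslist';

/** Unfiltered lookup: the behaviour the old JRequest::getVar() call relied on. */
function getVarRaw(array $request, string $name): ?string
{
    return isset($request[$name]) ? (string) $request[$name] : null;
}

/** Mimics JRequest::getWord(): strip everything except A-Z, a-z and '_'. */
function getWord(array $request, string $name): string
{
    return preg_replace('/[^A-Za-z_]/', '', getVarRaw($request, $name) ?? '');
}

/** Old dispatch: the include path is built straight from the raw parameter. */
function oldIncludePath(array $request): ?string
{
    $controller = getVarRaw($request, 'controller');
    if ($controller === null || $controller === '') {
        return null; // old code skipped the require and used the default class
    }
    // '../' sequences walk out of the directory; on PHP before 5.3.4 a NUL byte
    // also truncated the path inside require_once, discarding the '.php' suffix.
    return CONTROLLERS_DIR . '/' . $controller . '.php';
}

/** New dispatch: filter to a word, then require it to be on the allowlist. */
function newControllerName(array $request, array $approved): string
{
    $controller = getWord($request, 'controller');
    if ($controller === '' || !in_array($controller, $approved, true)) {
        return DEFAULT_CONTROLLER;
    }
    return $controller;
}

function newIncludePath(array $request, array $approved): string
{
    return CONTROLLERS_DIR . '/' . newControllerName($request, $approved) . '.php';
}

/** The task goes through the same word filter, so only a plain method name survives. */
function newTask(array $request): string
{
    return getWord($request, 'task');
}

// Shortened allowlist, assumed for the example.
$approvedControllers = array('studieslist', 'studydetails', 'serieslist', 'seriesdetail');

// Constructed request parameters, not captured traffic.
$requests = array(
    'legitimate'   => array('controller' => 'studydetails', 'task' => 'display'),
    'traversal'    => array('controller' => '../../../../../../etc/passwd', 'task' => 'display'),
    'null byte'    => array('controller' => "../../../../tmp/upload\0", 'task' => 'display'),
    'unknown name' => array('controller' => 'adminpanel', 'task' => 'display;rm'),
);

foreach ($requests as $label => $req) {
    $old = oldIncludePath($req);
    printf("%-13s old include: %s\n", $label,
        $old === null ? 'NULL' : str_replace("\0", '\\0', $old));
    printf("%-13s new include: %s  task: %s\n", $label,
        newIncludePath($req, $approvedControllers), newTask($req));
}
```

Run it with `php` on the command line and compare the two columns. getWord() strips `.`, `/` and NUL, so the traversal and null-byte inputs collapse to plain words and neither can leave the controllers directory; the allowlist then closes the remaining gap, which is that a filtered-but-unknown name such as `adminpanel` would otherwise still load any `.php` file that happens to exist in that directory. Checking the final value against a fixed list, rather than trusting the filter alone, is the check to keep when reusing this pattern in other components.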
 
#1898
Re:Security Patch 3 Weeks, 1 Day ago  
That helps. Thank you Tom.
Bill Wright
billcw
Junior Boarder
Posts: 20
 