PhilETaylor - 27 Mar 2017

Steps to reproduce the issue

Install joomla-cms/staging@1c52ed3

Create media field, only completing the required fields such as:

[screenshot: media field configuration, 2017-03-27 14:26:39]

Go to front end and edit article - click select on the media field

Expected result

Nice modal with a good look and feel, and I should only be able to link to MEDIA (like an IMAGE!)

Actual result

I can scroll down and type anything I like into the Image URL text box; specifically, I could add

../../../csrf.php

which would then render

<img src="/../../../csrf.php">

when the article is viewed.

Furthermore, I can enter an off server PHP file path like:

http://www.example.com/attack.php

which renders as

<img src="http://www.example.com/attack.php">

This could be used by anyone with frontend access to introduce security issues.

System information (as much as possible)

https://gist.github.com/PhilETaylor/b1ff259a06518f903339950ca81e35d7
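A defensive check of the kind this report argues for, added here as an illustration and not code from Joomla or from the reporter: it accepts only a relative image path under a configured media directory (assumed to be `images/`, a constructed setting) and rejects both values quoted above, plus protocol-relative and percent-encoded variants. Written in Python rather than PHP so the logic stands on its own.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Constructed settings: the directory a media field may point into (relative
# to the site root) and the file types it may reference. Not Joomla's config.
MEDIA_ROOT = "images"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def validate_media_value(value: str) -> tuple:
    """Return (ok, reason) for a value typed into the media field's URL box.

    Only a relative path under MEDIA_ROOT naming an image file is accepted.
    Absolute URLs, protocol-relative URLs, traversal segments, query strings
    and non-image extensions are all refused, so the field can only link to
    media the site already hosts.
    """
    # Decode percent-encoding first so "%2e%2e" is judged as ".." below.
    value = unquote(value.strip())
    if not value:
        return False, "empty"
    # Anything with a scheme or host (http://, //host/, data:, ...) is external.
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False, "external URL not allowed"
    # A media path carries no query string or fragment.
    if parts.query or parts.fragment or "?" in value or "#" in value:
        return False, "query/fragment not allowed"
    # Refuse absolute filesystem paths and Windows-style separators.
    if value.startswith("/") or "\\" in value:
        return False, "absolute path not allowed"
    path = PurePosixPath(value)
    # Any ".." segment is traversal; "." segments are refused as well.
    if any(seg in ("..", ".") for seg in path.parts):
        return False, "path traversal not allowed"
    # The path must start inside the configured media root.
    if not path.parts or path.parts[0] != MEDIA_ROOT:
        return False, "must be under %s/" % MEDIA_ROOT
    # Judge the file type by the final extension only (so "x.jpg.php" fails).
    ext = path.suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, "not an image file"
    return True, "ok"
```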

PhilETaylor - open - 27 Mar 2017
joomla-cms-bot - change - 27 Mar 2017
joomla-cms-bot - labeled - 27 Mar 2017
brianteeman - comment - 27 Mar 2017

Closed here - see JSST - you should know better

brianteeman - change - 27 Mar 2017
Status: New -> Closed
Closed_Date: 2017-03-27 13:50:55
Closed_By: brianteeman
brianteeman - close - 27 Mar 2017
PhilETaylor - comment - 27 Mar 2017

The code has not been released. We have discussed SEVERAL security issues with unreleased code in GitHub, especially in relation to com_fields.

There is no reason this cannot be discussed here.

PhilETaylor - edited - 27 Mar 2017
brianteeman - comment - 27 Mar 2017

As stated before, it is not new code.

On 27 March 2017 at 14:53, Phil Taylor notifications@github.com wrote:

The code has not been released. We have discussed SEVERAL security issues
with un released code in Github, especially in relation to com_fields.

There is no reason this cannot be discussed here.


--
Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
https://brian.teeman.net/

PhilETaylor - change - 27 Mar 2017
The description was changed
PhilETaylor - edited - 27 Mar 2017
