nobicycle
18 Apr 2017

Steps to reproduce the issue

I encountered a 403 error code on nginx web server if I include the security clause below:

# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
    return 403;
    error_page 403 /403_error.html;
}

By a process of elimination I discovered the access that captcha requires of the http server is php files in the images directory.

Expected result

No Error

Actual result

Captcha appears to require the ability to write php files to the images directory. The webserver throws a 403 when this is prevented.

System information (as much as possible)

Note: If I allow write php access to images, but remove all permissions on the images directory, change the owner and even rename it to something else, then captcha carries on working normally regardless!!!
Joomla 3.6.5
PHP 7.1.4
PHP 7.1.4 (fpm-fcgi)

Additional comments

I was told "the built-in captcha uses the joomla framework that is called in a separate file, other than joomla's index.php. That alone is not yet a security issue, as it still runs a "headless" joomla."
However I do not believe this behaviour is harmless. Someone may upload php into images. It is then feasible that a badly written plugin or malicious plugin could exploit this.

Captcha does not appear to need this access. Why is that?

nobicycle - open - 18 Apr 2017
joomla-cms-bot - labeled - 18 Apr 2017
brianteeman - comment - 18 Apr 2017

Are you using the core Joomla captcha plugin?

I tested by completely disabling all access to the images folder for everything and, as expected, the captcha plugin worked as intended.

Fedik - comment - 18 Apr 2017

Captcha appears to require the ability to write php files to the images directory

Based on what did you make this assumption? What request URL?

I guess it is about some Captcha extension. The core Captcha plugin does not do it.

zero-24 - edited - 18 Apr 2017
nobicycle - comment - 20 Apr 2017

@brianteeman @Fedik
Hi,
It is this captcha built into the second most popular extension in the JED:
http://www.phpcaptcha.org
I have made no assumption.
I am asking a general question: If php is allowed to be uploaded under the guise of an image (phpcaptcha.org requires this) is this a security issue for Joomla? Could a badly written or malicious plugin exploit this situation?
Regards

brianteeman - comment - 20 Apr 2017

There is nothing in the core of Joomla that will let you allow a php file under the guise of an image into the images folder. There is protection in place to prevent that from happening. However, we cannot stop a badly written or malicious plugin from doing anything at all and we can also not stop a user changing something to disable the protections etc.

As the issue you are reporting is with an extension and not with the core captcha solution (not sure why you would even need an extension for something that is already present) I am closing this as not a core issue. Additionally if you feel there is a security issue with that extension you can report it to https://vel.joomla.org/

brianteeman - change - 20 Apr 2017
Title: CAPTCHA 403 error - SECURITY ISSUE? → Captcha is returning 403 error after deny running scripts inside writable directories
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-04-20 07:35:25
Closed_By: brianteeman
brianteeman - close - 20 Apr 2017
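Added example, not part of the original thread or of Joomla: instead of finding the affected file by elimination, the site tree can be walked and every file listed whose URI the location rule from the opening post would answer with 403. The function names and the sample tree (including `captcha_ext` and `com_example`) are made up for illustration; the pattern is the one from the post with the dot before the extension escaped.

```python
import os
import re
import tempfile

# Pattern of the location block in the opening post, written with the dot
# before the extension escaped (\.). nginx "~*" is a case-insensitive,
# unanchored regex match on the request URI path, hence re.search + IGNORECASE.
RULE = re.compile(
    r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$",
    re.IGNORECASE,
)

def blocked_uris(docroot):
    """Return sorted URI paths of files under docroot that the rule would 403."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            uri = "/" + rel.replace(os.sep, "/")
            if RULE.search(uri):
                hits.append(uri)
    return sorted(hits)

def build_sample_docroot(root):
    """Create a constructed sample tree; all file names are hypothetical."""
    sample = [
        "index.php",
        "images/banner.jpg",
        "images/captcha_ext/show.php",               # script shipped under images/
        "media/system/js/core.js",
        "tmp/upload.PHP",                            # upper-case extension
        "components/com_example/images/helper.php",  # nested images/ directory
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for uri in blocked_uris(build_sample_docroot(root)):
            print("403 under rule:", uri)
```

Because the regex is unanchored, it also matches an `images` directory nested deeper in the tree, not only the top-level one.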
