olleharstedt
27 Feb 2019

Steps to reproduce the issue

Enable the PHP tainted string extension: http://php.net/manual/en/book.taint.php
Create a component, go to default action.

Expected result

No tainted string.

Actual result

Fatal error: main() [echo]: Attempt to echo a string that might be tainted in /var/www/joomla/administrator/components/com_config/view/component/tmpl/default.php on line 116

System information (as much as possible)

Latest Joomla.
PHP 7.2.

Additional comments

The view class is

/var/www/joomla/administrator/components/com_config/view/component/html.php

on line 79 we have

$this->return = JFactory::getApplication()->input->get('return', '', 'base64');

This is output in the view:

<input type="hidden" name="return" value="<?php echo $this->return; ?>" />

So this is not filtered in any way and could possibly be an entry point for an XSS attack.

olleharstedt - open - 27 Feb 2019
joomla-cms-bot - labeled - 27 Feb 2019
olleharstedt - edited - 27 Feb 2019: the description was changed
olleharstedt - edited - 27 Feb 2019: the description was changed
HLeithner - comment - 28 Feb 2019

It's filtered for base64
get('return', '', 'base64');

olleharstedt - comment - 28 Feb 2019

OK, I'll have to dig into the actual source code to check.

akashbisht81 - comment - 28 Feb 2019

This is HARD !

ReLater - comment - 28 Feb 2019

This is HARD !

Then:

"Security issues should NOT be reported on this repository.

If you believe you have found a security issue, please contact the Joomla Security Strike Team via email at security@joomla.org or through the contact form at https://developer.joomla.org/security/contact-the-team.html.

Please see https://developer.joomla.org/security.html for more information on how the Joomla project responds to security issues."

mbabker - change - 28 Feb 2019
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2019-02-28 18:31:44
Closed_By: mbabker
mbabker - comment - 28 Feb 2019

Umm, that URL most definitely is not a 404.

Anyway, this is a false positive. A return URL is given as a value that is validated to match a base64 regex, and any use of base64 when fetching data from the input/filter APIs must be manually decoded by the caller. If the taint extension is reporting use of base64 in general as an issue, that is a concern for that extension's maintainer. Also, the odds of that extension being able to analyze Joomla's code to see that any call to JInput::get() unless you explicitly pass the raw filter is already being filtered/validated in some form are not going to be good.

Closing, not an issue.

mbabker - close - 28 Feb 2019
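An added example, not Joomla's own code, contrasting what an allowlist base64 filter and a pass-through raw filter leave in the unescaped value="" attribute from the report above. The filter regex, the function names and the hostile input are assumptions constructed for this demonstration; Joomla's actual InputFilter implementation is not reproduced.

```php
<?php
// Assumed allowlist filter in the spirit of the 'base64' filter mbabker describes:
// only characters that can occur in a base64 string survive, so nothing that can
// terminate the value="" attribute or open a tag is left in the output.
function filterBase64(string $source): string
{
    return (string) preg_replace('/[^A-Z0-9\/+=]/i', '', $source);
}

// Assumed stand-in for a 'raw' filter: the value is passed through untouched.
function filterRaw(string $source): string
{
    return $source;
}

// The hidden field written the same way as the reported template (no escaping of $value).
function renderReturnField(string $value): string
{
    return '<input type="hidden" name="return" value="' . $value . '" />';
}

// True when the value contains no character that could close the attribute or start markup.
function isAttributeSafe(string $value): bool
{
    return preg_match('/["\'<>&]/', $value) === 0;
}

// Constructed hostile input: a legitimate encoded return URL with an attribute-breaking tail.
$hostile = base64_encode('index.php?option=com_config') . '"><script>alert(1)</script>';

$viaBase64 = filterBase64($hostile); // base64 characters only; the quote and angle brackets are stripped
$viaRaw    = filterRaw($hostile);    // still carries "><script>

printf("base64 filter attribute-safe: %s\n", isAttributeSafe($viaBase64) ? 'yes' : 'no');
printf("raw filter attribute-safe:    %s\n", isAttributeSafe($viaRaw) ? 'yes' : 'no');
echo renderReturnField($viaBase64), "\n";
echo renderReturnField($viaRaw), "\n";

// As mbabker notes, decoding is the caller's job; the decoded bytes are still user-controlled,
// so they need their own validation before being used for anything such as a redirect target.
$decoded = base64_decode($viaBase64, true);
var_dump($decoded);
```

Running it shows the base64-filtered value is attribute-safe while the raw one is not, which is why echoing the filtered value into the hidden field is not itself an injection point.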
