User tests: Successful: 2 alikon, sandewt Unsuccessful: 0
Joomla 3.9.26 had last-minute security fixes added to it by the JSST.
One of these security issues was not fixed in all places.
This commit 6c7b17c#diff-36647192855b2ef14c990918bb56b4da7ac2d012fece3b98f3090d95fcd3abe2R44 also needs to be made to the offline.php file.
Thanks to @C-Lodder for reporting.
Status | New | ⇒ | Pending |
Category | ⇒ | Front End Templates (site) |
Will this be fixed in the next version or will there be a new update package?
Not my decision. Just another sloppy JSST security fix :-(
Out of curiosity why is this a security problem or even a problem at all?
Template editing is allowed only for Super Users. Also, this field accepts only a URL path, so I find it extremely weird that a superuser decides to alter the logo and inject faulty code. Or it's just me...
Ask the @joomla/security JSST team. I'm not part of that team. I'm not privileged to see the original reports.
I know as much as everyone else - and that is, it's "Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages" as per https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html
@dgrammatiko I was about to ask the same question myself. Don't we trust super users anymore?
@PhilETaylor I'm not trying to blame you here, just to understand why this is treated as insecure
Edit: also, why is there no validator/sanitiser for the media field? https://github.com/joomla/joomla-cms/tree/staging/libraries/src/Form/Rule
I have tested this item
Why has htmlspecialchars($this->params->get('sitetitle')) (also line 82) no ENT_QUOTES or ENT_COMPAT? In other places this is done in the Joomla code!
@sandewt your comment is unrelated to this PR.
ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars
@sandewt your comment is unrelated to this PR.
Right.
ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars
Of course supplemented with UTF8
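The ENT_COMPAT / ENT_QUOTES question above is really about which attribute quoting the escaped value ends up inside. The following is an added illustration, not code from this PR or from Joomla; the sample parameter value is constructed and the function names are my own.

```php
<?php
// Added example: what htmlspecialchars() leaves unescaped under each flag
// set when a template parameter is printed into an HTML attribute.

// Constructed sample value: a "path" that contains a single quote.
$logoParam = "images/logo.png' title='injected";

// ENT_COMPAT: converts double quotes only; single quotes pass through.
// (ENT_COMPAT was the default before PHP 8.1; since 8.1 the default is
// ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so always pass flags explicitly.)
function escapeCompat(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

// ENT_QUOTES converts both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function escapeQuotes(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inside a single-quoted attribute, ENT_COMPAT lets the value close the
// attribute and start a new one; ENT_QUOTES keeps it a plain string.
echo "<img src='" . escapeCompat($logoParam) . "'>\n";
// <img src='images/logo.png' title='injected'>
echo "<img src='" . escapeQuotes($logoParam) . "'>\n";
// <img src='images/logo.png&#039; title=&#039;injected'>

// Inside a double-quoted attribute both flag sets keep the boundary intact,
// which is why the choice only matters together with the surrounding markup.
echo '<img src="' . escapeCompat($logoParam) . '">' . "\n";
// <img src="images/logo.png' title='injected">
```

The practical rule this shows: escape with ENT_QUOTES and an explicit charset whenever the template does not control the quoting style around the value.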
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-04-16 07:52:42 |
Closed_By | ⇒ | rdeutz | |
Will this be fixed in the next version or will there be a new update package? Of course, you can (for the time being) temporarily exchange relevant code.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33128.