
nikosdion - 7 Aug 2014

Executive summary

See Joomla! forum post on SSL issues with Joomla! 3.1. The same issue was verified by my client Ryan H., who has also confirmed the fix. Due to the way mod_login works when you have an HTTPS site and enabled mod_login's "Encrypt login form", most browsers will refuse to proceed (posting to an unencrypted page from an encrypted page), and those which do allow you to proceed land you in potentially hot water, as it's now possible for an intruder to perform a man-in-the-middle attack, completely negating the benefits of using HTTPS on your site. Furthermore, it's a low security issue in its own right, as an HTTP site with optional HTTPS and mod_login's "Encrypt login form" set to Yes will result in the form being posted to an unencrypted (HTTP) URL, leaving the login form open to man-in-the-middle attacks.

Technical Explanation

JRoute::_() has a third parameter $ssl which determines how JRoute should handle the resulting URL's protocol. 1 forces HTTPS, 2 forces HTTP and 0 leaves the protocol as it is. However, it doesn't recognise "1" passed as a string parameter. Coincidentally, mod_login passes this parameter as string when you set "Encrypt login form" to Yes. Due to this discrepancy in the code, if you have an HTTPS site and set mod_login's "Encrypt login form" to Yes then JRoute tries to submit the login form to the unencrypted (HTTP) site as $ssl === 1 returns false, making JRoute treat the parameter as if it were 2 (force unencrypted). Big whoops!
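As an added illustration (not JRoute's or mod_login's actual code), a simplified PHP model of the $ssl handling described above: the strict comparison that misreads a string "1" as "anything but force-HTTPS", next to a version that normalises the value before comparing. The host example.test and the parameter name usesecure are assumptions.

```php
<?php
// Simplified model of the reported defect, not the real JRoute::_() body.
// $ssl: 1 = force HTTPS, 2 = force HTTP, 0 = leave the scheme as it is.
function routeUrlStrictCompare(string $url, $ssl): string
{
    if ($ssl) {
        // Strict comparison: the string "1" is not identical to the int 1,
        // so it falls into the http branch, exactly as if it were 2.
        $scheme = ($ssl === 1) ? 'https' : 'http';
        return $scheme . '://example.test/' . $url; // example.test: placeholder host
    }
    return $url; // 0: leave the current scheme untouched
}

// Hardened variant: normalise to int and reject anything outside the
// documented set, so a "1" coming from a string-typed params store behaves
// exactly like the integer 1.
function routeUrlNormalised(string $url, $ssl): string
{
    $ssl = (int) $ssl;
    if (!in_array($ssl, [0, 1, 2], true)) {
        throw new InvalidArgumentException("Unsupported \$ssl value: $ssl");
    }
    if ($ssl === 0) {
        return $url;
    }
    return ($ssl === 1 ? 'https' : 'http') . '://example.test/' . $url;
}

// Module parameters are stored as strings; "usesecure" is assumed to be the
// name behind mod_login's "Encrypt login form" option.
$usesecure = '1';

// Defective routing: the login form action points at the HTTP scheme.
echo routeUrlStrictCompare('index.php', $usesecure), PHP_EOL;
// Normalised routing: the same stored value yields the HTTPS scheme.
echo routeUrlNormalised('index.php', $usesecure), PHP_EOL;
// Explicit 2 still forces HTTP, so the documented contract is unchanged.
echo routeUrlNormalised('index.php', 2), PHP_EOL;
```

The same normalisation can be applied at the call site instead, by casting the module parameter to int before handing it to the router.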

nikosdion - open - 7 Aug 2014
jissues-bot - change - 7 Aug 2014 (labels added)
phproberto - change - 7 Aug 2014
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2014-08-07 22:37:14
phproberto - close - 7 Aug 2014
phproberto - comment - 7 Aug 2014

Merged as it's a simple change that would take months to get tested.

Thanks Nicholas!

YeeP79 - comment - 16 Aug 2014

This is Ryan. Nicholas asked me to confirm the fix. One of my sites did have the problem, which was causing warning messages to come to screen (created by the browser itself) saying that the login was not secure. I replaced the line of code Nicholas recommended and the problem is fixed. I will check back to see if you guys post which release this will be in. Until then I will count on updating the code manually after a Joomla! update install.

Thank you Nicholas, I really appreciate your help.

Bakual - comment - 16 Aug 2014

It was already merged a week ago and will be in the next release, likely Joomla 3.3.4.
