Not a release blocker - but should be fixed sometime...
To replicate, go to a form that has required fields. Use an emoji like, um,
The form validation in JS passes.
The form validation in PHP passes.
The item is saved with no value in the database, therefore effectively bypassing all validation of "required" fields.
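The gap described above (a "required" check that passes in JS and PHP while the row is stored empty) can be reproduced without a browser. The following is an added example, not Joomla code and not the fix referenced later in the thread. It assumes, since the thread does not say so, that the column is a MySQL `utf8` column, which holds only 3-byte (BMP) characters, and that the server runs in non-strict SQL mode, where an INSERT silently truncates the value at the first 4-byte character (most emoji). Function names are illustrative.

```php
<?php
// Added example (not Joomla's code): why a naive "required" check passes for an
// emoji-only value while the stored value ends up empty, and a check that
// validates what will actually be stored.
//
// Assumption (not stated in the thread): the target column is MySQL `utf8`
// (3-byte) and sql_mode is non-strict, so a value is silently cut off at the
// first supplementary-plane character (U+10000 and above). On utf8mb4 the
// full value is stored and the naive check is sufficient.

// Naive required-field check, the kind both the JS and PHP validators apply.
function isRequiredFieldFilledNaive(string $value): bool
{
    return trim($value) !== '';
}

// Simulates what a MySQL `utf8` column keeps in non-strict mode: everything
// before the first 4-byte UTF-8 sequence. PREG_OFFSET_CAPTURE yields a byte
// offset, which is what substr() needs.
function simulateUtf8ColumnTruncation(string $value): string
{
    if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $value, $m, PREG_OFFSET_CAPTURE)) {
        return substr($value, 0, $m[0][1]);
    }
    return $value;
}

// Storage-aware check: run the "required" test on the value as it will be
// stored, not on the raw input. $columnIsUtf8mb4 would come from the schema.
function isRequiredFieldFilledForStorage(string $value, bool $columnIsUtf8mb4): bool
{
    $stored = $columnIsUtf8mb4 ? $value : simulateUtf8ColumnTruncation($value);
    return trim($stored) !== '';
}

// Constructed inputs for the demonstration.
$emojiOnly = "\u{1F600}";        // a single 4-byte character
$mixed     = "Hello \u{1F600}";  // survives truncation as "Hello "
$plain     = "Hello";

var_dump(isRequiredFieldFilledNaive($emojiOnly));
var_dump(simulateUtf8ColumnTruncation($emojiOnly) === '');
var_dump(isRequiredFieldFilledForStorage($emojiOnly, false));
var_dump(isRequiredFieldFilledForStorage($emojiOnly, true));
var_dump(isRequiredFieldFilledForStorage($mixed, false));
var_dump(isRequiredFieldFilledForStorage($plain, false));
```

Running it shows the naive check accepting the emoji-only value while the storage-aware check rejects it for a `utf8` column and accepts it for a `utf8mb4` one. Under strict sql_mode the INSERT would fail instead of truncating, which is noisier but does not leave a blank row behind; the durable fix is to store in utf8mb4 so validation and storage agree on the value.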
Isn't this what I fixed with the Emoji support PR?
I searched for Emoj (note missing i!) on GitHub and it returned no results - before I posted this. If you are referring to #7173 then that has a 3.5.0 milestone attached :-( and so has not been merged to 3.4.x.
Some have said that this issue is a security concern, and maybe this should be wiped from GitHub and escalated as a serious security issue? Who knows...
Indeed I was referring to that and yes it's tagged for 3.5.0. It does solve the problem you are experiencing and it's actually the only way to do it.
I do maintain that Emoji support is actually a (low priority) security issue. I have not found a practical way to exploit it running arbitrary code as far as Joomla!'s default templates are concerned. In theory, a template with not-so-well-thought-out output and user defined fields too close together could be abused for an XSS attack.
(moderators feel free to delete this)
Thank you for the explanation. If required, then please discuss this topic at Glip in the Security Group.
We have a fix for 3.5 by @nikosdion. Issue closed!
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2015-09-02 13:45:24
Closed_By: ⇒ Kubik-Rubik
Indeed, in testing the 3.5-dev branch - the
The reason I listed this on GitHub is my sleepy brain could not think of a way to abuse that as a security issue - but it's certainly an issue to fix (which #7173 has done in 3.5.x), so do we just ignore the fact a logged-in editor can create unlimited blank articles? (or other places where validation is simply bypassed?)
I don't have all the answers - sorry.
Glip in the Security Group.
lol - if only everyone had Glip, and access to a security group :)
@PhilETaylor You can also write in one of the open groups. Thanks!
A Google search for "how to join joomla glip" brings nothing helpful... a link perhaps?
Labels: Added ?
Send me an email to thomas.hunziker@community.joomla.org and I invite you on the email you want ;)
I have glip but have never been invited to any groups
Bear
On 9/2/2015 08:46, Phil Taylor wrote:
Glip in the Security Group.
lol - if only everyone had Glip, and access to a security group :)
(Replied by email to GitHub issue #7803.)
I have glip but have never been invited to any groups
That is the case for most community members. There are public groups which you can join.
Some working groups (like the JSST) are closed groups.
If you're in a working group and not in the respective Glip group, please contact your group leader.
JBS doesn't have a Glip group (yet) and still operates on Skype.
JBS doesn't have a Glip group (yet) and still operates on Skype.
While that latter part is true, there is most definitely a JBS room on Glip. Or there's 50 people hanging out in a room with said title running a covert operation there. Hard to tell, I guess.
Confirmed! For instance it is possible to save an article without a title.