Submitting a bug on issues.joomla.org reveals a dump of all variables available to PHP - I experienced it during submission of this bug: joomla/joomla-cms#35426
i.e.:
array(7) { [0]=> array(7) { ["file"]=> string(50) "/home/i...../src/App/Tracker/Model/IssueModel.php" ["line"]=> int(445) ["function"]=> string(8) "getState" ["class"]=> string(43) "JTracker\Model\AbstractTrackerDatabaseModel" ["object"]=> object(App\Tracker\Model\IssueModel)#313 (7) { ["context":protected]=> string(17) "com_tracker.issue" ["name":protected]=> string(5) "Issue" ["option":protected]=> string(7) "Tracker" ["table":protected]=> NULL ["project":"JTracker\Model\AbstractTrackerDatabaseModel":private]=> object(App\Projects\TrackerProject)#350 (13) { ["project_id":protected]=> int(1) ["title":protected]=> string(11) "Joomla! CMS" ["alias":protected]=> string(10) "joomla-..." ["gh_user":protected]=> string(6) "j....." ["gh_project":protected]=> string(10) "j.." ["gh_editbot_user":protected]=> string(14) "joomla..." ["gh_editbot_pass":protected]=> string(40) "b
Possible test cases:
- use an SQL escape character in the title
- use a code character (triple SQL character in the message)
Best regards, stan
It should not be security related as long as the accesses are properly configured per IP address.
SQL injection is a security issue.
Being able to generate a dump containing credentials is a security issue, regardless of whether those credentials can be reused or not.
OK, I apologize for posting it here; I always thought that the security team is for security bugs in the Joomla source code, not within the websites managed or hosted by Joomla teams.
There indeed should be more checks with Joomla websites:
if a dump is going to happen, it should be filtered by mod_security keywords so that it doesn't show sensitive information to users
mod_security is normally employed on incoming requests, not on responses where doing so is an unnecessary overhead most of the time.
all passwords used on a site should also be protected by IP access restrictions
You assume way too much.
Reporting security issues with Joomla-hosted websites should possibly be mentioned separately, as it was not clear to me at all.
You were clearly told to read https://developer.joomla.org/security.html, which contains this extract:
> The JSST operates with a limited scope and only directly responds to issues with the core Joomla! CMS and Framework, as well as processing reports regarding the *.joomla.org network of websites.
but you chose to delete that when you edited your post:
I have alerted the @joomla/security team of this issue.
OK, thank you, and my apologies for not evaluating this properly.
You should never have posted this on the tracker - just like the issue template told you, it should have been emailed directly to the Joomla! Security Strike Team at security@joomla.org.
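The thread above suggests that any debug dump reaching a user should be filtered so it cannot carry credentials such as the `gh_editbot_pass` value visible in the report. The following is an added example written for this page, not Joomla or JTracker code: a PHP helper that walks a variable tree (including protected and private object properties) and replaces values whose key looks credential-like before the tree is passed to `var_dump()`. The key pattern, the `TrackerProjectSample` class and every value in it are constructed for illustration and are not taken from the real application.

```php
<?php
// Added example, not Joomla/JTracker code: redact credential-like values from a
// variable tree before it is handed to var_dump()/print_r() in an error path.
// The key pattern and the sample structure below are constructed for illustration.

declare(strict_types=1);

// Hypothetical list of key fragments treated as sensitive (constructed).
const SENSITIVE_KEY_PATTERN = '/pass(word)?|secret|token|api[_-]?key|private[_-]?key|credential/i';

/**
 * Recursively copy arrays and objects, replacing every value whose key
 * (array key or property name) matches SENSITIVE_KEY_PATTERN with a placeholder.
 * Objects are cast to arrays so protected/private properties are covered too;
 * the original object is never modified. Depth is capped to avoid runaway
 * recursion on self-referencing structures.
 */
function redactForDump(mixed $value, int $depth = 0, int $maxDepth = 10): mixed
{
    if ($depth > $maxDepth) {
        return '[max depth reached]';
    }

    if (is_object($value)) {
        // The (array) cast exposes non-public properties with mangled keys:
        // "\0*\0name" for protected and "\0ClassName\0name" for private.
        $props  = (array) $value;
        $result = ['__class' => $value::class];
        foreach ($props as $mangled => $propValue) {
            $parts = explode("\0", (string) $mangled);
            $name  = end($parts); // drop the visibility mangling, keep the property name
            $result[$name] = preg_match(SENSITIVE_KEY_PATTERN, $name)
                ? '[REDACTED]'
                : redactForDump($propValue, $depth + 1, $maxDepth);
        }
        return $result;
    }

    if (is_array($value)) {
        $result = [];
        foreach ($value as $key => $item) {
            $result[$key] = (is_string($key) && preg_match(SENSITIVE_KEY_PATTERN, $key))
                ? '[REDACTED]'
                : redactForDump($item, $depth + 1, $maxDepth);
        }
        return $result;
    }

    return $value; // scalars and null pass through unchanged
}

/** Drop-in replacement for var_dump() in error handlers: dump only after redaction. */
function safeDump(mixed $value): void
{
    var_dump(redactForDump($value));
}

// --- constructed sample that mimics the shape of the leaked stack frame ---
final class TrackerProjectSample
{
    protected int $project_id = 1;
    protected string $title = 'Joomla! CMS';
    protected string $gh_editbot_user = 'example-bot-user';     // constructed value
    protected string $gh_editbot_pass = 'example-secret-value'; // constructed, not a real secret
}

$frame = [
    'file'     => '/path/to/IssueModel.php', // constructed path
    'function' => 'getState',
    'object'   => new TrackerProjectSample(),
    'api_key'  => 'constructed-key',
];

safeDump($frame); // gh_editbot_pass and api_key are printed as "[REDACTED]"
```

Redaction of this kind is a last line of defence; the primary fix is to keep raw dumps away from responses altogether, for example by setting `display_errors=Off` in production PHP configuration and routing exception details to a server-side log. Key-based matching also misses secrets stored under innocuous names, so the pattern list should be treated as a safety net rather than a guarantee.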