Thanks for this great site - just discovered it - after receiving reports that my component com_biblestudy had been listed as vulnerable to a Local File Inclusion exploit on:

http://docs.joomla.org/Vulnerable_Extensions_List#January_2010_Repo...

The exploit is apparently by using option=com_biblestudy&view=studieslist&controller= and then following that with a bunch of directory parents and then to the passwd file in the etc folder.

I assume the way the exploit is working is that there is a require_once command to a file.

The exploit does something on some servers, but not sure exactly what - the exploit is reported with examples.

Is there a way to stop this?

The code in the controller that may be the problem is:

$abspath = JPATH_SITE;
require_once($abspath.DS.'components/com_biblestudy/class.biblestudydownload.php');

Does anyone have any advice?


Replies to This Discussion

I sent out an urgent newsletter to our nearly 800 subscribers with the update. Tweeting is a good idea, though. I should start one for our component.

Thanks!
I see one has already gone out. There usually is after the vulnerable list updates; it may not be clear enough, but a Twitter for your site might be an idea, if you have regular news.
Such a great idea that I already created a feed and put a link on our website www.JoomlaBibleStudy.org. I sure hope this fix does the trick.
Thanks, Nicholas. Say - how do you get/use Eclipse PDT?

I think I am also going to follow the recommendation of an earlier post to take it one step further and have a list of "approved" controllers and make the getWord or getCmd entry match one of those names.

Oddly, the only views in my component that were at risk were those with a controller containing a require_once file reference, even though the ..\ attack didn't include that file reference.
Tom - the last post in the Joomla Project thread has helpful links for setting up Eclipse.
Thanks, Amy!

I tried some various things to "harden" the main entry point a little further. I KNOW this isn't the best way, but it does work. Let me know the REAL way I should do this:

// Require the base controller
require_once (JPATH_COMPONENT.DS.'controller.php');

// Require specific controller if requested
if ($controller = JRequest::getWord('controller'))
{
    // Only names on this explicit list are loaded; anything else
    // falls back to the default controller.
    if ($controller == 'studielist' || $controller == 'studydetails' || $controller == 'serieslist' || $controller == 'seriesdetail'
        || $controller == 'teacherlist' || $controller == 'teacheredit' || $controller == 'teacherdisplay' || $controller == 'commentsedit'
        || $controller == 'commentslist' || $controller == 'landingpage' || $controller == 'mediafilesedit' || $controller == 'podcastedit'
        || $controller == 'studiesedit')
    {
        // Requested name is approved; keep it as-is.
    }
    else
    {
        $controller = 'studieslist';
    }
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

// Create the controller
$classname = 'biblestudyController'.$controller;
$controller = new $classname();

// Perform the Request task
$controller->execute(JRequest::getWord('task'));

// Redirect if set by the controller
$controller->redirect();
As was previously mentioned here, the correct usage of the request filters will save you from being hacked:

if ($controller = JRequest::getWord('controller')) {
    // getWord() already strips everything but letters and underscores,
    // so $controller cannot carry "../" or a file extension.
    $path = JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';
    if ( ! file_exists($path)) {
        $controller = 'studieslist';
    }

    require_once JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';
}

Your solution with "approved" controllers is good too. One obvious drawback is that you need to change this list every time you add or change controllers. Here is my optimized version of it:

if ($controller = JRequest::getWord('controller')) {
    $approvedControllers = array(
        'studielist',
        'studydetails',
        'serieslist',

        // to be continued...
    );

    if ( ! in_array($controller, $approvedControllers)) {
        $controller = 'studieslist';
    }

    require_once JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';
}

You can also move the approved list of controllers to some configuration file and include it here before checks.

Hope this helps.
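Added example, not code from the thread or from the com_biblestudy project: a stand-alone PHP dispatcher that combines the two fixes discussed in this thread (an explicit approved list plus a check that the requested file exists) and goes one step further by confirming with realpath() that the resolved file lies inside the controllers directory. It builds a throwaway component directory under the system temp folder so it runs from the CLI without Joomla; the `exampleController*` class names, the directory layout and the request strings are all constructed for the demonstration.

```php
<?php
// Added example; not from the thread or the component it discusses.
define('DS', DIRECTORY_SEPARATOR);

// Constructed sandbox: a temp "component" whose controllers/ directory
// holds exactly two real controller files.
$componentDir = sys_get_temp_dir() . DS . 'com_example_' . getmypid();
mkdir($componentDir . DS . 'controllers', 0700, true);
foreach (array('studieslist', 'studydetails') as $name) {
    file_put_contents(
        $componentDir . DS . 'controllers' . DS . $name . '.php',
        "<?php\nclass exampleController" . $name . " {}\n"
    );
}

// Approved controller names; this array can live in a config file
// that is included before the check, as suggested above.
$approvedControllers = array('studieslist', 'studydetails');

/**
 * Return the controller name to load, or $default when the request is not
 * acceptable. Three independent checks are applied:
 *   1. the raw value must be a plain word (what JRequest::getWord enforces),
 *   2. it must be on the approved list,
 *   3. the file it maps to must resolve inside the controllers directory.
 */
function resolveController($requested, array $approved, $componentDir, $default = 'studieslist')
{
    // 1. Word filter: letters and underscores only, so no dots or slashes.
    if (!is_string($requested) || !preg_match('/^[A-Za-z_]+$/', $requested)) {
        return $default;
    }

    // 2. Whitelist, with strict comparison.
    if (!in_array($requested, $approved, true)) {
        return $default;
    }

    // 3. Path containment: realpath() collapses any "../" and returns false
    //    for a missing file, so the prefix test fails in both cases.
    $controllersDir = realpath($componentDir . DS . 'controllers');
    $path = realpath($controllersDir . DS . $requested . '.php');
    if ($path === false || strpos($path, $controllersDir . DS) !== 0) {
        return $default;
    }

    return $requested;
}

// Constructed requests: a traversal string of the kind described in the
// original post, a name with an embedded "../", an unlisted name, and two
// legitimate names.
$requests = array(
    '../../../../etc/passwd',
    'studieslist/../../configuration',
    'teacheredit',
    'studydetails',
    'studieslist',
);

foreach ($requests as $r) {
    $chosen = resolveController($r, $approvedControllers, $componentDir);
    printf("%-40s -> %s\n", var_export($r, true), $chosen);
    // With the name validated, the require_once is safe.
    require_once $componentDir . DS . 'controllers' . DS . $chosen . '.php';
}

// Clean up the constructed sandbox.
foreach (glob($componentDir . DS . 'controllers' . DS . '*.php') as $f) {
    unlink($f);
}
rmdir($componentDir . DS . 'controllers');
rmdir($componentDir);
```

Run it with `php dispatcher.php`; the first three requests print the default `studieslist`, the last two print the requested name. Check 1 alone already defeats the traversal, check 2 keeps a stray file dropped into the controllers directory from becoming loadable, and check 3 is the safety net if either of the first two is ever loosened.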
That's a great addition to the code. I adopted those changes - and I like the idea of a separate file for the controller array.

Tom


© 2012   Created by Amy Stephen.
