Elxis CMS Forum
Support => Security => Topic started by: silas on January 15, 2008, 10:12:37
-
There is a security hole in all current versions of Joomla/Mambo.
See here: http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=joomla;url=/newsticker/meldung/101671/;words=Joomla (pardon, German only)
Is this bug also present in Elxis 2006.4 or in Elxis 2008dev?
Short description in English:
Using a "cross-site request forgery" it is possible to add an illegal SuperAdmin while the admin views a specially prepared website while logged in to the backend.
-
I don't think so. You may try it with Firefox and the Cookie Editor plugin. But you should always be aware. One of the first rules of webmastering: "...only insane security is decent security" ;)
In addition, here's more reading (in English): http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-0
-
CSRF is a threat only under this scenario (valid for any web application, not just Elxis):
You have logged in somewhere and you simultaneously browse another page with malicious JavaScript code built to trap you.
Never browse other sites or click on suspicious links while logged in to the Elxis backend, or to your web banking account, etc.
Always click the logout button!
These are some very basic rules for the secure usage of the internet.
However, I will see if we can harden Elxis more against this specific CSRF attack. It may be a good idea to add a SoftDisk switch that will prevent admin creation, or even creation of users above the Registered group. Or we could even add captcha images in the back end too, or we could ask for your admin password if you want to add another admin.
You can however prevent this specific attack even on Elxis 2006 by being a little clever (i.e. add an extra users field that is hidden and required to be filled in; this won't work in the front-end!).
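The two mitigations proposed in the post above (a hidden required field and a password prompt before adding another admin) are worked through below as an added example; it is not Elxis code and not the patch referred to later in this thread. It is written in Python rather than the CMS's PHP so it runs offline as plain functions, but the logic maps directly onto PHP sessions. One caveat the post leaves implicit: a hidden field only stops the forged request if its value is unguessable and bound to the admin's session (an attacker who knows the form can replicate a fixed hidden field), so the example mints a random per-session token and compares it in constant time. All names, the in-memory tables and the sample credentials are assumptions constructed for the demonstration.

```python
"""Synchronizer-token CSRF defence for a backend 'add user' form.

Added example for this thread, not Elxis code. The backend is modelled as
plain functions: a session table keyed by the session cookie, an unguessable
token minted per session and embedded in the form as a hidden field, and a
handler that refuses the POST unless the submitted token matches. Creating
an admin-level account additionally requires the acting admin's password.
All names and data below are assumptions made for the demonstration.
"""
import hashlib
import hmac
import secrets

ADMIN_GROUPS = {"Administrator", "Super Administrator"}

# In-memory stand-ins for the CMS tables (constructed sample data).
# The unsalted sha256 stands in for whatever hash the real CMS stores.
credentials = {"admin": hashlib.sha256(b"correct horse").hexdigest()}
sessions = {}   # session id -> {"user": ..., "csrf_token": ...}
users = []      # rows created through the form


def login(username):
    """Start a backend session; the browser attaches this id as a cookie to
    every request to the site, including ones a third-party page triggers."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": username, "csrf_token": None}
    return sid


def render_add_user_form(sid):
    """Mint the per-session token and return it for the hidden field.

    The token exists only in the server-side session and in the HTML the
    admin fetched; it is never a cookie, so a forged cross-site POST cannot
    carry it, and a fixed field name alone is not enough to reproduce it."""
    sess = sessions[sid]
    if sess["csrf_token"] is None:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return sess["csrf_token"]


def handle_add_user(cookie_sid, form):
    """Backend handler for the POST. `form` is the request body as a dict.

    Returns "unauthenticated", "forbidden", "reauth_required" or "created"."""
    sess = sessions.get(cookie_sid)
    if sess is None:
        return "unauthenticated"
    expected = sess["csrf_token"]
    submitted = form.get("csrf_token", "")
    # Constant-time compare; a missing or guessed token fails here.
    if expected is None or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return "forbidden"
    if form.get("group") in ADMIN_GROUPS:
        # Adding another admin also requires the acting admin's password.
        given = hashlib.sha256(
            form.get("admin_password", "").encode()).hexdigest()
        if not hmac.compare_digest(credentials[sess["user"]], given):
            return "reauth_required"
    users.append({"name": form["name"], "group": form["group"]})
    return "created"


def demo():
    """Replay the thread's scenario: forged POSTs versus legitimate POSTs."""
    admin_sid = login("admin")
    # Attacker's prepared page: the browser adds the admin's cookie, but the
    # attacker only knows the field names, not this session's token.
    forged = {"name": "evil", "group": "Super Administrator"}
    forged_result = handle_add_user(admin_sid, forged)
    # The admin loads the real form (token minted) and submits it normally.
    token = render_add_user_form(admin_sid)
    ok_user = handle_add_user(
        admin_sid, {"name": "bob", "group": "Registered", "csrf_token": token})
    # Even with a valid token, a new Super Administrator needs the password.
    no_pw = handle_add_user(
        admin_sid, {"name": "carol", "group": "Super Administrator",
                    "csrf_token": token})
    ok_admin = handle_add_user(
        admin_sid, {"name": "carol", "group": "Super Administrator",
                    "csrf_token": token, "admin_password": "correct horse"})
    # A guessed token after the real one exists is still rejected.
    guessed = handle_add_user(admin_sid, {**forged, "csrf_token": "guess"})
    return forged_result, ok_user, no_pw, ok_admin, guessed


if __name__ == "__main__":
    print(demo())
```

In PHP the same shape is `$_SESSION['csrf_token']` set with `bin2hex(random_bytes(32))` when the form is rendered, echoed into a hidden input, and checked with `hash_equals()` before any write; the token must be regenerated on login so a pre-login value cannot be fixed by an attacker.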
-
UPDATE: Several forms were patched against this security threat.