Elxis CMS Forum

General => News and announcements => Topic started by: datahell on September 01, 2010, 19:06:20

Title: Bug reports and fixes
Post by: datahell on September 01, 2010, 19:06:20
Bug report: August 29, 2010 by psiloscc on this post (https://forum.elxis.org/index.php?topic=5124.msg34797#msg34797).

Affects: For sure Elxis 2009.2, and maybe 2009.1 and prior versions.

Description of the bug: The "save" button does not get pressed in order to set the access level of a content item.

Why this happens: The drop down select box has 2 ID attributes, the first one is wrong and should be deleted.

Solution: Open file includes/Core/elxis.php
Go to line 1364 (Elxis 2009.2)
Change this:
        if (!preg_match('/id\=/i', $x)) {
To this:
        if (!preg_match('/id\=/i', $tag_attribs)) {
Save the file, done!

Note: this fix has been applied on Elxis 2009.3
Title: Re: Bug reports and fixes
Post by: datahell on September 01, 2010, 19:24:32
Bug report: August 29, 2010 by psiloscc on this post (https://forum.elxis.org/index.php?topic=5124.msg34703#msg34703).

Affects: For sure Elxis 2009.2, 2009.1, 2009.0 and maybe 2008.x versions too.

Description of the bug: The navigation does not work properly on the view banner clients page in Elxis administration.

Why this happens: The value for the form's "task" parameter is empty.

Solution: Open file administrator/components/com_banners/admin.banners.html.php
Go to line 357 (Elxis 2009.2)
Change this:
<input type="hidden" name="task" value="" />
To this:
<input type="hidden" name="task" value="listclients" />
Save the file, done!

Note: this fix has been applied on Elxis 2009.3
Title: HTB22613 - SQL injection vulnerability in Elxis 2009.2
Post by: datahell on September 20, 2010, 18:53:46
Vulnerability report: September 20, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_elxis_cms.html).

Affects: Elxis 2009.2 electra rev2631 and probably prior versions

Description of the vulnerability: SQL injection vulnerability in Elxis CMS

Why this happens: sanitize user-supplied input in "id" variable

Solution:
Note: In order for the SQL injection to be successful the attacker must first gain access to the administration console. So an SQL injection like that from a non-logged-in user could never be successful. Besides this, here is how to fix this issue. This fix has already been applied to the upcoming version 2009.3.

file: administrator/components/com_content/admin.content.php
Change lines 25 and 26 from this:
$sectionid =mosGetParam( $_REQUEST, 'sectionid', 0 );
$id = mosGetParam($_REQUEST, 'id', '');
To this:
$sectionid = (int)mosGetParam( $_REQUEST, 'sectionid', 0 );
$id = (int)mosGetParam($_REQUEST, 'id', 0);
Title: HTB22614 - XSS vulnerability in Elxis 2009.2
Post by: datahell on September 20, 2010, 19:47:04
Vulnerability report: September 20, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms.html).

Affects: Elxis 2009.2 electra rev2631 and probably prior versions

Description of the vulnerability: XSS vulnerability in Elxis 2009.2

Why this happens: sanitize user-supplied input in "search" variable

Solution:
Note: In order for the XSS attack to be successful the site administrator must visit an external phishing web page while he is logged in to Elxis administration.
Advisory: never visit external pages, especially those that might contain harmful code (javascript), while you are logged in to sensitive pages.

file: administrator/components/com_users/admin.users.php
Change lines 111 to 118 from this:
$filter_type   = $mainframe->getUserStateFromRequest("filter_type{$option}", 'filter_type', 0 );
$filter_logged   = $mainframe->getUserStateFromRequest("filter_logged{$option}", 'filter_logged', 0 );
$filter_enabled   = intval($mainframe->getUserStateFromRequest("filter_enabled{$option}", 'filter_enabled', -1));
$filter_expired   = intval($mainframe->getUserStateFromRequest("filter_expired{$option}", 'filter_expired', -1));
$limit       = $mainframe->getUserStateFromRequest("viewlistlimit", 'limit', $mainframe->getCfg('list_limit'));
$limitstart    = $mainframe->getUserStateFromRequest("view{$option}limitstart", 'limitstart', 0 );
$search       = $mainframe->getUserStateFromRequest("search{$option}", 'search', '' );
$search       = $database->getEscaped( eUTF::utf8_trim( eUTF::utf8_strtolower( $search ) ) );
To this:
$filter_type   =  $mainframe->makesafe(strip_tags($mainframe->getUserStateFromRequest("filter_type{$option}", 'filter_type', 0)));
$filter_logged   = intval($mainframe->getUserStateFromRequest("filter_logged{$option}", 'filter_logged', 0));
$filter_enabled   = intval($mainframe->getUserStateFromRequest("filter_enabled{$option}", 'filter_enabled', -1));
$filter_expired   = intval($mainframe->getUserStateFromRequest("filter_expired{$option}", 'filter_expired', -1));
$limit          = intval($mainframe->getUserStateFromRequest("viewlistlimit", 'limit', $mainframe->getCfg('list_limit')));
$limitstart    = intval($mainframe->getUserStateFromRequest("view{$option}limitstart", 'limitstart', 0));
$search       = $mainframe->makesafe(strip_tags($mainframe->getUserStateFromRequest("search{$option}", 'search', '')));
$search       = $database->getEscaped(eUTF::utf8_trim(eUTF::utf8_strtolower($search)));

Note: This fix has been applied on Elxis 2009.3
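The HTB22614 fix above casts the numeric filters to int and strips tags from the free-text "search" filter before it is echoed back into the administrator's filter form. The following is an added example, not Elxis code and not datahell's patch: it shows the same pattern with PHP built-ins, adding the step a strip_tags() call alone does not cover, namely HTML-escaping the value at the point where it is written into the page (quotes and ampersands survive strip_tags() and can still break out of an attribute). The function names, the form layout and the sample request are constructed for this example; getUserStateFromRequest() and makesafe() from the post are replaced by plain array access and htmlspecialchars(). The same class of fix is what the attached patches in the two following posts (contacts, modules) apply to the "misc" and "title" parameters.

```php
<?php
// Added example, not Elxis code. Requires the mbstring extension for
// mb_strtolower(); swap in strtolower() if it is unavailable.

// Stand-in for getUserStateFromRequest(): read a request value with a default.
function requestValue(array $request, string $name, $default)
{
    return array_key_exists($name, $request) ? $request[$name] : $default;
}

// Numeric filters can only ever be integers, so intval() is the whole defence.
function numericFilter(array $request, string $name, int $default): int
{
    return intval(requestValue($request, $name, $default));
}

// Free-text filter: drop markup, then trim and lowercase as the original does.
function textFilter(array $request, string $name): string
{
    $raw = (string) requestValue($request, $name, '');
    return trim(mb_strtolower(strip_tags($raw)));
}

// Escape at output time: every value placed into HTML goes through
// htmlspecialchars() with ENT_QUOTES so it cannot close the attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the filter form the way an admin list view would.
function renderFilterForm(array $request): string
{
    $search       = textFilter($request, 'search');
    $filterLogged = numericFilter($request, 'filter_logged', 0);
    $limit        = numericFilter($request, 'limit', 20);

    return '<form method="get">'
        . '<input type="text" name="search" value="' . h($search) . '" />'
        . '<input type="hidden" name="filter_logged" value="' . $filterLogged . '" />'
        . '<input type="hidden" name="limit" value="' . $limit . '" />'
        . '</form>';
}

// Constructed request: markup and quotes in the text filter, junk in the
// numeric ones. The rendered form contains no tags and no raw quotes;
// the numeric fields collapse to 1 and 0.
$request = [
    'search'        => '<b>Alpha</b> & "Beta"',
    'filter_logged' => '1abc',
    'limit'         => 'twenty',
];
echo renderFilterForm($request), PHP_EOL;
```

The split between textFilter() and h() is deliberate: the first decides what the application stores and searches for, the second is the encoding step that must run every time the value is written into HTML, whatever filtering happened earlier.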
Title: HTB22615 - XSS vulnerability in Elxis CMS (contacts)
Post by: datahell on September 20, 2010, 20:39:33
Vulnerability report: September 20, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_contacts.html).

Affects: Elxis 2009.2 electra rev2631 and probably prior versions

Description of the vulnerability: XSS vulnerability in Elxis 2009.2 (component contacts)

Why this happens: sanitize user-supplied input in "misc" variable

Solution:
Note: In order for the XSS attack to be successful the site administrator must visit an external phishing web page while he is logged in to Elxis administration.
Advisory: never visit external pages, especially those that might contain harmful code (javascript), while you are logged in to sensitive pages.

Apply the patch attached to this post.

Note: This fix has been applied on Elxis 2009.3

[attachment deleted by admin]
Title: HTB22616 - XSS vulnerability in Elxis CMS (component modules)
Post by: datahell on September 20, 2010, 22:12:38
Vulnerability report: September 20, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_polls_module.html).

Affects: Elxis 2009.2 electra rev2631 and probably prior versions

Description of the vulnerability: XSS vulnerability in Elxis 2009.2 (component modules)

Why this happens: sanitize user-supplied input in "title" variable

Solution:
Note: In order for the XSS attack to be successful the site administrator must visit an external phishing web page while he is logged in to Elxis administration.
Advisory: never visit external pages, especially those that might contain harmful code (javascript), while you are logged in to sensitive pages.

Apply the patch attached to this post.

Note: This fix has been applied on Elxis 2009.3

[attachment deleted by admin]
Title: Saving user submitted content
Post by: datahell on September 21, 2010, 23:47:12
Bug report: September 21, 2010 by psiloscc on this post (https://forum.elxis.org/index.php?topic=5185.0).

Affects: Elxis 2009.2 and maybe prior versions too.

Description of the bug: You can not save the user submitted content items.

Why this happens: The table name is wrongly written as elx_section instead of the correct elx_sections.

Solution: Open file administrator/components/com_content/admin.content.php
Go to line 995 (Elxis 2009.2)
Change this:
$database->setQuery( "SELECT title FROM #__section WHERE ......
To this:
$database->setQuery( "SELECT title FROM #__sections WHERE ......
Save the file, done!

Note: this fix has been applied on Elxis 2009.3
Title: HTB22699 - SQL Injection in Elxis CMS (component polls)
Post by: datahell on November 16, 2010, 19:38:26
Vulnerability report: November 16, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/sql_injection_in_elxis_cms.html).

Affects: Elxis 2009.2, 2009.1 and probably prior versions

Description of the vulnerability: SQL injection vulnerability in Elxis 2009.2 (component polls)

Why this happens: sanitize HTTP_X_FORWARDED_FOR (can be spoofed)

Solution:
Update to Elxis 2009.3 or do the following:
Open file components/com_poll/poll.php
Find line 98:
   } else {
      $ipaddress = '';
   }

Add below:

if ($ipaddress != '') {
   if (preg_match("/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/", $ipaddress)) {
      $parts = preg_split('/\./',$ipaddress);
      foreach($parts as $ip_part) {
         if (intval($ip_part) > 255 || intval($ip_part) < 0) { $ipaddress = ''; break; }
      }
   } else {
      $ipaddress = '';
   }
}
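The HTB22699 fix above validates the address taken from HTTP_X_FORWARDED_FOR before the poll component stores it, since that header is entirely client-supplied. The following is an added example, not Elxis code and not datahell's patch: it packages the same check into a function and covers two things the snippet does not show, that the header may carry a comma-separated chain ("client, proxy1, proxy2") of which only the first entry is the claimed client, and that PHP's filter_var() with FILTER_VALIDATE_IP validates both IPv4 and IPv6 literals in one call. Function names and the sample header values are constructed; the $server array stands in for $_SERVER.

```php
<?php
// Added example, not Elxis code.

// Return a syntactically valid client address, or '' when nothing
// trustworthy is present. Because the forwarded header is attacker
// controlled, anything that is not a well-formed address is discarded
// rather than stored.
function clientAddressFromHeaders(array $server): string
{
    $candidate = '';
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // First entry of "client, proxy1, proxy2" is the claimed client.
        $parts     = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
    } elseif (!empty($server['REMOTE_ADDR'])) {
        $candidate = trim($server['REMOTE_ADDR']);
    }

    if ($candidate === '') {
        return '';
    }
    // Single validator replacing the regex plus per-octet loop in the post:
    // accepts dotted-quad IPv4 (each octet 0-255) and IPv6 literals only.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    return $candidate;
}

// Constructed header values and the expected decision for each.
$samples = [
    ['HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.2'],   // valid chain, first entry kept
    ['HTTP_X_FORWARDED_FOR' => '999.1.1.1'],               // octet out of range, dropped
    ['HTTP_X_FORWARDED_FOR' => 'not-an-address'],          // free text, dropped
    ['HTTP_X_FORWARDED_FOR' => '2001:db8::1'],             // IPv6 literal accepted
    ['REMOTE_ADDR' => '192.0.2.44'],                       // header absent, fall back
];
foreach ($samples as $server) {
    var_dump(clientAddressFromHeaders($server));
}
```

Even a well-formed value remains a claim rather than a fact: the header should only be consulted when the request arrived through a proxy you operate, and REMOTE_ADDR used otherwise.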
Title: HTB22700 - SQL injection in Elxis CMS (core)
Post by: datahell on November 16, 2010, 20:01:27
Vulnerability report: November 16, 2010 by High-Tech Bridge on this page (http://www.htbridge.ch/advisory/sql_injection_in_elxis_cms_1.html).

Affects: Elxis 2009.2, 2009.1 and probably prior versions

Description of the vulnerability: SQL injection vulnerability in Elxis 2009.2 (core)

Why this happens: sanitize password cookie

Solution:
Update to Elxis 2009.3 or do the following:
Open file includes/Core/elxis.php
Find line 619:
$username = $this->_db->getEscaped($username);
Add below:
$passwd = $this->_db->getEscaped($passwd);
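The two SQL injection fixes in this thread that show code (HTB22613, which casts the "id" and "sectionid" request values to int, and HTB22700 above, which escapes the password read from the cookie) are the two basic ways of keeping request data out of query syntax. The following is an added example, not Elxis code and not datahell's patches, that shows both with PDO on an in-memory SQLite database: the numeric parameters are cast and the password string is bound as a parameter, which gives the same data/query separation as the getEscaped() call in the post. The getParam() helper, the table layout, the cookie array and the sample credential are all constructed for this example; pdo_sqlite must be available.

```php
<?php
// Added example, not Elxis code.

// Hypothetical stand-in for mosGetParam(): read a key from a request
// array with a default, without any type enforcement.
function getParam(array $source, string $name, $default)
{
    return array_key_exists($name, $source) ? $source[$name] : $default;
}

// Build a small schema with constructed rows so the script runs offline.
function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, sectionid INTEGER, title TEXT)');
    $db->exec('CREATE TABLE users (username TEXT, password TEXT)');
    $db->exec("INSERT INTO content VALUES (1, 10, 'Welcome'), (2, 10, 'About'), (3, 20, 'Contact')");
    // Constructed sample credential; a real system stores a password hash.
    $db->exec("INSERT INTO users VALUES ('editor', 'correct horse')");
    return $db;
}

// HTB22613 style: id and sectionid are integers by definition, so the
// (int) cast is the whole defence. A non-numeric value collapses to 0 and
// the query text can only ever contain digits.
function loadContentItem(PDO $db, array $request): ?array
{
    $id        = (int) getParam($request, 'id', 0);
    $sectionid = (int) getParam($request, 'sectionid', 0);
    $sql = sprintf('SELECT id, title FROM content WHERE id = %d AND sectionid = %d', $id, $sectionid);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTB22700 style: the password is a free string from a cookie, so it is
// passed as a bound parameter instead of being pasted into the SQL.
function checkCookieLogin(PDO $db, array $cookie): bool
{
    $username = (string) getParam($cookie, 'username', '');
    $passwd   = (string) getParam($cookie, 'password', '');
    if ($username === '' || $passwd === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $passwd]);
    return (int) $stmt->fetchColumn() === 1;
}

$db = buildDatabase();

// Well-formed request: item 2 in section 10 is found.
var_dump(loadContentItem($db, ['id' => '2', 'sectionid' => '10']));
// Junk request values: "2 extra text" casts to 2 and "abc" to 0, so no
// request text reaches the query and nothing matches section 0.
var_dump(loadContentItem($db, ['id' => '2 extra text', 'sectionid' => 'abc']));

// Correct cookie credential succeeds; a value containing a quote is
// matched literally by the bound parameter and simply fails.
var_dump(checkCookieLogin($db, ['username' => 'editor', 'password' => 'correct horse']));
var_dump(checkCookieLogin($db, ['username' => 'editor', 'password' => "o'hara"]));
```

The cast is preferable wherever the parameter is numeric by design, because it leaves nothing to escape; binding (or escaping, as in the post) is for values that legitimately contain arbitrary characters.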
Title: eForum v1.1 - Arbitrary File Upload vulnerability
Post by: datahell on April 07, 2011, 21:17:06
I received a vulnerability alert from QSecure and Demetris Papapetrou about eForum v1.1, but it proved false. Besides this, I modified eForum to strengthen its security even more. Since April 7, 2011 the eForum listing on EDC (http://www.elxis-downloads.com/downloads/forums/255.html) has been updated with this fix.

Vulnerability report: April 7, 2011 by QSecure (http://www.qsecure.com.cy).

Affects: Eforum v1.1 downloaded before April 6 2011

Description of the vulnerability: eForum fails to properly filter dangerous file extensions during file upload (attachments to posts). An attacker can upload a file such as phtml and execute it later on.

Why this happens: eForum rejects some file extensions (php, dll, exe, etc) but not all. QSecure said that someone could upload a phtml file and execute it later. I replied to them that this is wrong, as eForum sets permissions 666 on uploaded files and so the uploaded files do not have permission to be executed. So, this alert is totally wrong and eForum is secure without any patch.

Solution:
You don't need to do anything. If it makes you feel more secure re-download eForum and patch your existing installation by replacing the existing eforum.php file with the new downloaded one (file: components/com_eforum/eforum.php). In the newer version I reversed the file extension check. eForum now accepts only certain file types (jpg, jpeg, png, gif, wmv, avi, mov, flv, doc, docx, csv, xml, css, js, xls, rtf, ppt, odt, ods, txt, pdf, zip, tar, gz)
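The change described in the solution above, replacing a blocklist of dangerous extensions with an allowlist of accepted file types, is shown below as an added example; it is not eForum's code and not the updated eforum.php. It uses the extension list the post gives, and adds the checks a blocklist silently misses: the name is reduced to its basename, the comparison is case-insensitive, and a file with no extension or a leading-dot name is rejected. Function names and the sample filenames are constructed for this example.

```php
<?php
// Added example, not eForum code.

// The accepted types exactly as listed in the post.
const EFORUM_ALLOWED_EXTENSIONS = [
    'jpg', 'jpeg', 'png', 'gif', 'wmv', 'avi', 'mov', 'flv', 'doc', 'docx',
    'csv', 'xml', 'css', 'js', 'xls', 'rtf', 'ppt', 'odt', 'ods', 'txt',
    'pdf', 'zip', 'tar', 'gz',
];

// Lowercase extension after the last dot of the basename, or '' when the
// name has no usable extension (no dot, leading dot, or trailing dot).
function fileExtension(string $filename): string
{
    $base = basename(str_replace('\\', '/', $filename));
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($base) - 1) {
        return '';
    }
    return strtolower(substr($base, $dot + 1));
}

// Allowlist decision: only a known extension passes; everything else,
// including types nobody thought to block, is rejected by default.
function isAllowedUpload(string $filename): bool
{
    $ext = fileExtension($filename);
    return $ext !== '' && in_array($ext, EFORUM_ALLOWED_EXTENSIONS, true);
}

// Constructed sample names. "script.phtml" is rejected without any
// blocklist entry simply because phtml is not in the allowed set.
$samples = [
    'photo.JPG',
    'notes.pdf',
    'script.phtml',
    'archive.tar.gz',
    'README',
    '.htaccess',
    'dir/../evil.php',
];
foreach ($samples as $name) {
    printf("%-18s %s\n", $name, isAllowedUpload($name) ? 'accepted' : 'rejected');
}
```

Checking the extension decides only what the server will store under that name; storing uploads outside the web root, or in a directory where the web server is configured not to execute scripts, is the complementary control that does not depend on the name at all.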
Title: XSS vulnerability report
Post by: datahell on November 23, 2011, 22:00:47
Vulnerability report: November 23, 2011 by DcLabs (http://www.dclabs.com.br/en/).

Affects: Elxis 2009.3 rev2681, 2009.2 and probably prior versions

Description of the vulnerability: Cross-Site Scripting (XSS)

Why this happens: Insufficient sanitization of REQUEST

Solution: Download and apply the attached patch package (suitable for both 2009.2/2009.3).
Note that Elxis 2009.3 Aphrodite was patched against this type of attack and you can download the updated package here (http://www.elxis-downloads.com/downloads/elxis-cms/325.html).
The new Elxis 2009.3 Aphrodite revision is 2684.
If you downloaded Elxis 2009.3 after November 23, 2011 you don't need to apply this patch.

[attachment deleted by admin]
Title: SQL injection vulnerability report
Post by: datahell on July 14, 2012, 11:08:09
Vulnerability report: July 14, 2012 by Jon Hounsell.

Severity: High

Affects: Elxis 2009.2, Elxis 2009.3 released before July 14 2012 (revision smaller than 2691), and most probably older Elxis versions 2009.1 and 2009.0

Description of the vulnerability: SQL injection vulnerability in Search Engine Friendly URL analysis (file: includes/sef.php)

Why this happens: Insufficient sanitization of REQUEST_URI

Solution: Replace existing file includes/sef.php with the attached one.
Elxis release at elxis-downloads.com (http://www.elxis-downloads.com) was updated with this patch. Elxis 2009.3 Aphrodite rev2691 is safe against this threat.
Note: if you have custom rewrite rules in your own sef.php file you must also add them to the attached file. Otherwise, SEF URL restoration won't work for your custom components.

EDIT 16.07.2012: Due to a PHP bug on CLI, the previous fix did not work correctly on some servers. I updated the attached patch and the Elxis release with a fix which bypasses this problem.
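The report above concerns SQL injection through the SEF URL analysis, caused by insufficient sanitization of REQUEST_URI; the attached sef.php is not reproduced here. The following is an added example, not Elxis code and not the attached patch, showing the general defence a SEF router needs before any path segment is used in a database lookup: take only the path part of the URI, decode it once, split it into segments, and accept each segment only if it matches a strict allowlist pattern, rejecting the whole request otherwise. The function name, the segment pattern and the sample URIs are constructed for this example.

```php
<?php
// Added example, not Elxis code.

// Characters a SEF segment may contain. Anything outside this set
// (quotes, spaces, dots, semicolons, percent-encoded bytes) rejects the
// whole URI rather than letting a partly valid path reach a query.
const SEF_SEGMENT_PATTERN = '/^[A-Za-z0-9_-]{1,64}$/';

// Return the validated path segments, [] for the site root, or null when
// the URI is unusable and the request should be answered with an error.
function parseSefPath(string $requestUri): ?array
{
    // Only the path is routed; the query string and fragment are dropped.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Decode exactly once and validate the decoded form, so an encoded
    // quote cannot pass as harmless and reappear later as a real quote.
    $path     = rawurldecode($path);
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    foreach ($segments as $segment) {
        if (!preg_match(SEF_SEGMENT_PATTERN, $segment)) {
            return null;
        }
    }
    return $segments;
}

// Constructed sample request URIs and the decision for each.
$uris = [
    '/news/elxis-2009-3-released',         // accepted: ["news","elxis-2009-3-released"]
    '/news/elxis-2009-3-released?page=2',  // accepted: query string ignored
    '/news/bad%27segment',                 // rejected: decodes to a quote
    '/news/spaces are bad',                // rejected: space not in the set
    '/',                                   // accepted: [] (site root)
];
foreach ($uris as $uri) {
    $segments = parseSefPath($uri);
    printf("%-40s %s\n", $uri, $segments === null ? 'rejected' : json_encode($segments));
}
```

Segment validation is defence in depth: the lookup that follows (alias to content id, for instance) should still pass the segment as a bound parameter, so the router stays safe even if the pattern is later relaxed to allow more characters.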