Welcome,
Guest
.
Please
login
or
register
.
Did you miss your
activation email
?
News:
Elxis 5.5 Calypso supports 2 factor authentication login with e-mail or SMS.
Home
Help
Login
Register
Elxis CMS Forum
»
Support
»
Security
»
Security Issue in Elxis too?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Security Issue in Elxis too? (Read 6999 times)
silas
Newbie
Posts: 27
Security Issue in Elxis too?
«
on:
January 15, 2008, 10:12:37 »
There is a security hole in all actual Versions of joomla/mambo
See here:
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=joomla;url=/newsticker/meldung/101671/;words=Joomla
(pardon, german only)
Is this Bug also in Elxis 2006.4 or in Elxis 2008dev. present?
Short description in english:
Using a "Cross-Site-Request-Forgery" it is possible to add an illegal SuperAdmin while viewing a special-prepared Website during Admin is logged in in Backend.
Logged
Ivan Trebješanin
Elxis Team
Hero Member
Posts: 1663
Re: Security Issue in Elxis too?
«
Reply #1 on:
January 15, 2008, 12:07:51 »
I don't think so. You may try with FF and use plugin Cookie Editor. But, you should be aware always. One of the first rules of webmastering: "...only insane security is decent security"
I addition, here's more reading (in english):
http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-0
Logged
I've got a snap in my finger...
Got rhythm in my walk...
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Security Issue in Elxis too?
«
Reply #2 on:
January 15, 2008, 12:22:48 »
CSRF is a threat only under this scenario (valid for any web application, not just Elxis):
You have logged in somewhere and you simultaneous browse another page with malicious javascript code build to trap you.
Never browse other sites or click on suspicious links while logged in in Elxis backend, or in your web banking account etc....
Always click the logout button!
These are some very basic rules for the secure usage of internet.
However I will see if we can hardening more Elxis against this specific CSRF attack. It is maybe a good idea to add a SoftDisk switch that will prevent admins creation or even users above the registered group. Or we can even add captcha images in back end too or we can ask for the your admin password if you want to add an other admin.
You can however prevent this specific attacK even on Elxis 2006 by being a little clever (ie add an extra users field that is hidden and required to be filled in - this wont work in front-end!).
«
Last Edit: January 15, 2008, 19:31:03 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Security Issue in Elxis too?
«
Reply #3 on:
January 15, 2008, 21:14:00 »
UPDATE: Several forms were patched against this security threat.
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
Print
Pages: [
1
]
« previous
next »
Elxis CMS Forum
»
Support
»
Security
»
Security Issue in Elxis too?