Report on found vulnerabilities
Reporting period: 30.06.2016 - 01.07.2016. Scanned files: 5128. Files by language:
PHP: 2474; JavaScript: 583; Transact-SQL: 170.
2 The report on detected vulnerabilities FILES
File name Files Lines Vulnerabilities by severity
Joomla_3.5.1-Stable-Full_Package.zip (MD5: 5a441bf534d2c4a631e590ef1b2a1491)
Files: 5128; Lines: 656814; Vulnerabilities by severity: High = 0, Medium = 54, Low = 42
2 The report on detected vulnerabilities CHARTS
4 The report on detected vulnerabilities FILES
JavaScript: Using Insufficiently Random Generators in Cryptography. Severity: low. Language: JavaScript. Short description: Standard (non-cryptographic) pseudorandom number generators are easily predictable, which lowers the cryptographic strength of the application. Full description: https://localhost:443/scanner/article?articleName=/en/JavaScript/CryptoInsecureRandomness.html
Found Vulnerabilities: File name: media/media/js/mediaelement-and-player.js. Code:
5693 5694 var rendered = items[i].render(t);5695 5696 // render can return null if the item doesn't need to be used at the moment5697 if (rendered != null) {5698 html += '<div class="mejs-contextmenu-item" data-itemindex="' + i + '" id="element-' + (Math.random()*1000000) + '">' + rendered + '</div>';5699 }5700 }5701 }5702 5703 // position and show the context menu
File name: media/system/js/mootools-core-uncompressed.jsCode:
307}.hide();308309// Number.random310311Number.extend('random', function(min, max){312 return Math.floor(Math.random() * (max - min + 1) + min);313});314315// forEach, each316317var hasOwnProperty = Object.prototype.hasOwnProperty;
File name: media/system/js/mootools-core.jsCode:
3a.prototype.overloadGetter=function(b){var a=this;return function(c){var h,k;"string"!=typeof c?h=c:1<arguments.length?h=arguments:b&&(h=[c]);if(h){k={};for(var e=0;e<h.length;e++)k[h[e]]=a.call(this,h[e])}else k=a.call(this,c);return k}};a.prototype.extend=function(b,a){this[b]=a}.overloadSetter();a.prototype.implement=function(b,a){this.prototype[b]=a}.overloadSetter();var e=Array.prototype.slice;a.from=function(a){return"function"==b(a)?a:function(){return a}};Array.from=function(a){return null==4a?[]:f.isEnumerable(a)&&"string"!=typeof a?"array"==b(a)?a:e.call(a):[a]};Number.from=function(b){b=parseFloat(b);return isFinite(b)?b:null};String.from=function(b){return b+""};a.implement({hide:function(){this.$hidden=!0;return this},protect:function(){this.$protected=!0;return this}});var f=this.Type=function(a,c){if(a){var h=a.toLowerCase();f["is"+a]=function(a){return b(a)==h};null!=c&&(c.prototype.$family=function(){return h}.hide())}if(null==c)return null;c.extend(this);c.$constructor=f;return c.prototype.$constructor=5c},g=Object.prototype.toString;f.isEnumerable=function(b){return null!
5 The report on detected vulnerabilities FILES
=b&&"number"==typeof b.length&&"[object Function]"!=g.call(b)};var i={},j=function(a){a=b(a.prototype);return i[a]||(i[a]=[])},m=function(a,c){if(!c||!c.$hidden){for(var k=j(this),d=0;d<k.length;d++){var o=k[d];"type"==b(o)?m.call(o,a,c):o.call(this,a,c)}k=this.prototype[a];if(null==k||!k.$protected)this.prototype[a]=c;null==this[a]&&"function"==b(c)&&h.call(this,a,function(b){return c.apply(b,e.call(arguments,1))})}},h=function(b,6a){if(!a||!a.$hidden){var c=this[b];if(null==c||!c.$protected)this[b]=a}};f.implement({implement:m.overloadSetter(),extend:h.overloadSetter(),alias:function(b,a){m.call(this,b,this.prototype[a])}.overloadSetter(),mirror:function(b){j(this).push(b);return this}});new f("Type",f);var k=function(b,a,c){var h=a!=Object,e=a.prototype;h&&(a=new f(b,a));for(var b=0,d=c.length;b<d;b++){var o=c[b],q=a[o],g=e[o];q&&q.protect();h&&g&&a.implement(o,g.protect())}if(h){var j=e.propertyIsEnumerable(c[0]);a.forEachMethod=7function(b){if(!j)for(var a=0,h=c.length;a<h;a++)b.call(e,e[c[a]],c[a]);for(var k in e)b.call(e,e[k],k)}}return k};k("String",String,"charAt,charCodeAt,concat,indexOf,lastIndexOf,match,quote,replace,search,slice,split,substr,substring,trim,toLowerCase,toUpperCase".split(","))("Array",Array,"pop,push,reverse,shift,sort,splice,unshift,concat,join,slice,indexOf,lastIndexOf,filter,forEach,every,map,some,reduce,reduceRight".split(","))("Number",Number,["toExponential","toFixed","toLocaleString","toPrecision"])("Function",8a,["apply","call","bind"])("RegExp",RegExp,["exec","test"])("Object",Object,"create,defineProperty,defineProperties,keys,getPrototypeOf,getOwnPropertyDescriptor,getOwnPropertyNames,preventExtensions,isExtensible,seal,isSealed,freeze,isFrozen".split(","))("Date",Date,["now"]);Object.extend=h.overloadSetter();Date.extend("now",function(){return+new Date});new f("Boolean",Boolean);Number.prototype.$family=function(){return isFinite(this)?"number":"null"}.hide();Number.extend("random",function(b,a){return 
Math.floor(Math.random()*9(a-b+1)+b)});var o=Object.prototype.hasOwnProperty;Object.extend("forEach",function(b,a,c){for(var h in b)o.call(b,h)&&a.call(c,b[h],h,b)});Object.each=Object.forEach;Array.implement({forEach:function(b,a){for(var c=0,h=this.length;c<h;c++)c in this&&b.call(a,this[c],c,this)},each:function(b,a){Array.forEach(this,b,a);return this}});var q=function(a){switch(b(a)){case "array":return a.clone();case "object":return Object.clone(a);default:return a}};Array.implement("clone",function(){for(var b=this.length,10a=Array(b);b--;)a[b]=q(this[b]);return a});var u=function(a,c,h){switch(b(h)){case "object":"object"==b(a[c])?Object.merge(a[c],h):a[c]=Object.clone(h);break;case "array":a[c]=h.clone();break;default:a[c]=h}return a};Object.extend({merge:function(a,c,h){if("string"==b(c))return u(a,c,h);for(var k=1,e=arguments.length;k<e;k++){var d=arguments[k],o;for(o in d)u(a,o,d[o])}return a},clone:function(b){var a={},c;for(c in b)a[c]=q(b[c]);return a},append:function(b){for(var a=1,c=arguments.length;a<c;a++){var h=11arguments[a]||{},k;for(k in h)b[k]=h[k]}return b}});["Object","WhiteSpace","TextNode","Collection","Arguments"].each(function(b){new f(b)});var r=Date.now();String.extend("uniqueID",function(){return(r++).toString(36)})})();12Array.implement({every:function(b,a){for(var c=0,d=this.length>>>0;c<d;c++)if(c in this&&!b.call(a,this[c],c,this))return!1;return!0},filter:function(b,a){for(var c=[],d,e=0,f=this.length>>>0;e<f;e++)e in this&&(d=this[e],b.call(a,d,e,this)&&c.push(d));return c},indexOf:function(b,a){for(var c=this.length>>>0,d=0>a?Math.max(0,c+a):a||0;d<c;d++)if(this[d]===b)return d;return-1},map:function(b,a){for(var c=this.length>>>0,d=Array(c),e=0;e<c;e++)e in this&&(d[e]=b.call(a,this[e],e,this));return d},some:function(b,13a){for(var c=0,d=this.length>>>0;c<d;c++)if(c in this&&b.call(a,this[c],c,this))return!0;return!1},clean:function(){return this.filter(function(b){return null!=b})},invoke:function(b){var 
a=Array.slice(arguments,1);return this.map(function(c){return c[b].apply(c,a)})},associate:function(b){for(var a={},c=Math.min(this.length,b.length),d=0;d<c;d++)a[b[d]]=this[d];return a},link:function(b){for(var a={},c=0,d=this.length;c<d;c++)for(var e in b)if(b[e](this[c])){a[e]=this[c];delete b[e];break}return a},
File name: media/system/js/mootools-more-uncompressed.jsCode:
434 return [].combine(this);435 },436437 shuffle: function(){438 for (var i = this.length; i && --i;){439 var temp = this[i], r = Math.floor(Math.random() * ( i + 1 ));440 this[i] = this[r];
6 The report on detected vulnerabilities FILES
441 this[r] = temp;442 }443 return this;444 },
File name: media/system/js/mootools-more.jsCode:
28};};Class.Occlude=new Class({occlude:function(c,b){b=document.id(b||this.element);var a=b.retrieve(c||this.property);if(a&&!this.occluded){return(this.occluded=a);29}this.occluded=false;b.store(c||this.property,this);return this.occluded;}});(function(){var a={wait:function(b){return this.chain(function(){this.callChain.delay(b==null?500:b,this);30return this;}.bind(this));}};Chain.implement(a);if(this.Fx){Fx.implement(a);}if(this.Element&&Element.implement&&this.Fx){Element.implement({chains:function(b){Array.from(b||["tween","morph","reveal"]).each(function(c){c=this.get(c);31if(!c){return;}c.setOptions({link:"chain"});},this);return this;},pauseFx:function(c,b){this.chains(b).get(b||"tween").wait(c);return this;}});}})();(function(a){Array.implement({min:function(){return Math.min.apply(null,this);32},max:function(){return Math.max.apply(null,this);},average:function(){return this.length?this.sum()/this.length:0;},sum:function(){var b=0,c=this.length;33if(c){while(c--){b+=this[c];}}return b;},unique:function(){return[].combine(this);},shuffle:function(){for(var c=this.length;c&&--c;){var b=this[c],d=Math.floor(Math.random()*(c+1));34this[c]=this[d];this[d]=b;}return this;},reduce:function(d,e){for(var c=0,b=this.length;c<b;c++){if(c in this){e=e===a?this[c]:d.call(null,e,this[c],c,this);35}}return e;},reduceRight:function(c,d){var b=this.length;while(b--){if(b in this){d=d===a?this[b]:c.call(null,d,this[b],b,this);}}return d;}});})();(function(){var b=function(c){return c!=null;36};var a=Object.prototype.hasOwnProperty;Object.extend({getFromPath:function(e,f){if(typeof f=="string"){f=f.split(".");}for(var d=0,c=f.length;d<c;d++){if(a.call(e,f[d])){e=e[f[d]];37}else{return null;}}return e;},cleanValues:function(c,e){e=e||b;for(var d in c){if(!e(c[d])){delete c[d];}}return c;},erase:function(c,d){if(a.call(c,d)){delete c[d];38}return c;},run:function(d){var c=Array.slice(arguments,1);for(var e in d){if(d[e].apply){d[e].apply(d,c);}}return 
d;}});})();(function(){var b=null,a={},d={};
Using Insufficiently Random Generators in Cryptography
Standard (non-cryptographic) pseudorandom number generators are easily predictable, which lowers the cryptographic strength of the application.
Example
Let’s take a look at a function that randomly generates a URL to a page:
JavaScript
// Vulnerable example, as quoted in the report: Math.random() is not a cryptographically
// strong generator, so the link it produces can be predicted by an attacker (see the
// explanation that follows). A defensive version would build the token from a CSPRNG
// such as crypto.getRandomValues() instead.
function generateReceiptURL(baseUrl) {
    return (baseUrl + Math.random() + '.html');
}
This method can be used to process a user request to edit account settings. The user sends a password change request, the system sends a link to a generated page to the user’s email address, and the user accesses the password change form on it.
The link to the page is generated from a random value obtained by calling the Math.random() method [1]. This method produces predictable pseudorandom numbers, so if the malicious user learns that it is used, he can easily guess the value of the link.
7 The report on detected vulnerabilities FILES
The malicious user can then send a password reset request in the victim’s name and invalidate the current password. This lets him take over the victim’s account without first gaining access to it.
Potential consequences•
If the random numbers are used in defense mechanisms, such as session ID generation or cryptographic keys, predictable values seriously compromise security: the malicious user can predict the generated value, recover the key, and gain access to the protected resource.
•If the application uses a random value to generate a resource ID and the value is easily predictable, the malicious user can access the resource, or replace it with a backdoored copy of his own.
•If the authorization and authentication mechanisms are based on using random numbers (such as secret key generation), the malicious user can guess the key value and access protected system modules.
Removal recommendations•
Pseudorandom generators fall into two kinds: static (non-cryptographic) and cryptographic. We recommend using cryptographic generators, since they produce a pseudorandom sequence that is difficult to predict.
•JavaScript now provides a cryptographically strong random number generator through the RandomSource [2] interface (crypto.getRandomValues()).
•We recommend looking into using random number generators that use physical models for the generation process, such as atmospheric noise.
JavaScript: Using Obsolete jQuery Methods. Severity: low. Language: JavaScript. Short description: Using obsolete methods negatively affects code quality and security. Full description: https://localhost:443/scanner/article?articleName=/en/JavaScript/DeprecatedJQueryMethods.html
Found Vulnerabilities: File name: media/jui/js/ajax-chosen.js. Code:
75 $.each(items, function(i, element) {76 var group, text, value;77 nbItems++;78 if (element.group) {79 group = select.find("optgroup[label='" + element.text + "']");80 if (!group.size()) {81 group = $("<optgroup />");82 }83 group.attr('label', element.text).appendTo(select);84 return $.each(element.items, function(i, element) {85 var text, value;
8 The report on detected vulnerabilities FILES
File name: media/jui/js/ajax-chosen.min.jsCode:
6$(this).data('prevVal',val);if(this.timer){clearTimeout(this.timer);}7if(val.length<options.minTermLength){return false;}8field=$(this);if(!(options.data!=null)){options.data={};}9options.data[options.jsonTermKey]=val;if(options.dataCallback!=null){options.data=options.dataCallback(options.data);}10success=options.success;options.success=function(data){var items,selected_values;if(!(data!=null)){return;}11selected_values=[];select.find('option').each(function(){if(!$(this).is(":selected")){return $(this).remove();}else{return selected_values.push($(this).val()+"-"+$(this).text());}});select.find('optgroup:empty').each(function(){return $(this).remove();});items=callback(data);$.each(items,function(i,element){var group,text,value;if(element.group){group=select.find("optgroup[label='"+element.text+"']");if(!group.size()){group=$("<optgroup />");}12group.attr('label',element.text).appendTo(select);return $.each(element.items,function(i,element){var text,value;if(typeof element==="string"){value=i;text=element;}else{value=element.value;text=element.text;}13if($.inArray(value+"-"+text,selected_values)===-1){return $("<option />").attr('value',value).html(text).appendTo(group);}});}else{if(typeof element==="string"){value=i;text=element;}else{value=element.value;text=element.text;}14if($.inArray(value+"-"+text,selected_values)===-1){return $("<option />").attr('value',value).html(text).appendTo(select);}}});if(Object.keys(items).length){select.trigger("liszt:updated");}else{select.data().chosen.no_results_clear();select.data().chosen.no_results(field.attr('value'));}15if(success!=null){success(data);}16return field.attr('value',untrimmed_val);};return this.timer=setTimeout(function(){if(chosenXhr){chosenXhr.abort();}
Using Obsolete jQuery Methods
Using obsolete methods negatively affects code quality and security.
Example
Over time, certain classes and functions in actively maintained libraries become obsolete. To preserve backwards compatibility, developers do not remove these methods right away; instead they first mark them as deprecated. The library generally offers new functions that replace them — more efficient, stable or secure, and easier to use. The expectation is that developers will gradually migrate to the newer methods.
For example, starting with jQuery library 1.7, instead of three functions for controlling event processing (the live(), bind() and delegate() functions), a single function on() was introduced. In order to allow for backwards compatibility, the functions remained in the library, but their code now looks like so [1]:
JavaScriptbind: function( types, data, fn ) { return this.on( types, null, data, fn );}, live: function( types, data, fn ) { jQuery( this.context ).on( types, this.selector, data, fn ); return this;}, delegate: function( selector, types, data, fn ) { return this.on( types, selector, data, fn );},
9 The report on detected vulnerabilities FILES
This means that starting with 1.7.1, the live(), bind() and delegate() functions became wrappers around the on() function, making them obsolete.
Potential consequences
If the older functions were phased out because of problems with their implementation, efficiency or compatibility, any code that still uses them inherits all of those problems.
If the functions were phased out as part of the library's evolution, the code that uses them becomes outdated, which lowers its quality.
In some cases, after a certain period, the developers remove the older functions from the library entirely. This breaks any code that still uses them.
Removal recommendations
We recommend following the development of the libraries you use and updating your code accordingly.
PHP: Incorrect User Input Filtration when Using the unserialize Function. Severity: medium. Language: PHP. Short description: The ‘serialize’ function is used to represent PHP variables as strings. The ‘unserialize’ function performs the reverse transformation. If user data is passed to the ‘unserialize’ function, the malicious user can create and initialize objects in the application's context, which can lead to a breach of application logic, or even remote code execution. Full description: https://localhost:443/scanner/article?articleName=/en/Php/InjectionUnserialize.html
Found Vulnerabilities: File name: libraries/simplepie/idn/idna_convert.class.php. Code:
93 // The constructor94 function idna_convert($options = false)95 {96 $this->slast = $this->_sbase + $this->_lcount * $this->_vcount * $this->_tcount;97 if (function_exists('file_get_contents')) {98 $this->NP = unserialize(file_get_contents(dirname(__FILE__).'/npdata.ser'));99 } else {100 $this->NP = unserialize(join('', file(dirname(__FILE__).'/npdata.ser')));101 }102 // If parameters are given, pass these to the respective method103 if (is_array($options)) {
File name: libraries/simplepie/simplepie.phpCode:
86858686 function load()8687 {8688 if (file_exists($this->name) && is_readable($this->name))8689 {8690 return unserialize(file_get_contents($this->name));8691 }8692 return false;8693 }
10 The report on detected vulnerabilities FILES
86948695 function mtime()
Incorrect User Input Filtration when Using the unserialize Function
The ‘serialize’ function [1] is used to represent PHP variables as strings. The ‘unserialize’ function [2] performs the reverse transformation. If user data is passed to the ‘unserialize’ function, the malicious user can create and initialize objects in the application's context, which can lead to a breach of application logic, or even remote code execution.
Example
In this example, we take a look at an application that:
•defines the CacheManager class, responsible for caching resources in temporary files;
•stores user data as serialized objects in HTTP cookies.
CacheManager is defined as:
Php
class CacheManager {
    public $cache_file;

    public function CacheManager($file_path){
        $this->cache_file = $file_path;
    }
    //some code

    // Destructor: runs when the object is destroyed — including an object that was created
    // by unserialize(), in which case $cache_file holds whatever the caller supplied (see the
    // example below). The unlink() therefore acts on an attacker-chosen path.
    function __destruct(){
        if (file_exists($this->cache_file)) {
            unlink($this->cache_file);
        }
    }
    //some code
}
Receiving user settings from HTTP cookies is done like so:if (isset($_COOKIE['settings'])){ $settings = unserialize($_COOKIE['settings']); //processing settings}
If the malicious user passes the following as the value of his ‘settings’ parameter:
JsonO:12:"CacheManager":1:{s:10:"cache_file";s:18:"/var/www/index.php";}
Then:
•The application will create a CacheManager class object, the cache_file field of which will be initialized as /var/www/index.php;
•After running the script, the object will have the __destruct [3] method called, which will run the ‘unlink’ function [4] for the /var/www/index.php file.
Potential consequences
The consequences of this vulnerability depend on the functionality of the objects the malicious user can create and on how they are used. The most common outcomes are deletion of arbitrary application resources and remote code execution.
11 The report on detected vulnerabilities FILES
Removal recommendations•
When performing any input filtration on the client side, make sure that similar filtration is done on the server side as well. This is done because the user can modify the data after the client-side filtering is done.
•Assume that all data coming from the client is a potential threat, including hidden form fields and cookies. We recommend the “accept known good” approach to input filtration, such as a whitelist that describes the acceptable input format. All input that does not match the format described in the whitelist should be rejected. You can, for example, limit file extensions, the characters allowed in an input string, or the length of a file name in characters.
•We recommend against accepting serialized data from the user. In order to create complex data structures on the client side, we recommend using other formats, such as JSON [5].
PHP: Incorrect Permissions for External Entities During XML Document Processing. Severity: medium. Language: PHP. Short description: If the application allows the use of external entities in user-supplied XML documents, a malicious user can gain access to otherwise unavailable resources through these entities. Depending on the application architecture, the malicious user can use external entities for network interaction or for reading files. Full description: https://localhost:443/scanner/article?articleName=/en/Php/XmlXxe.html
Found Vulnerabilities: File name: administrator/components/com_contenthistory/helpers/contenthistory.php. Code:
94 $expandedObjectArray = static::createObjectArray($object);95 static::loadLanguageFiles($typesTable->type_alias);9697 if ($formFile = static::getFormFile($typesTable))98 {99 if ($xml = simplexml_load_file($formFile))100 {101 // Now we need to get all of the labels from the form102 $fieldArray = $xml->xpath('//field');103 $fieldArray = array_merge($fieldArray, $xml->xpath('//fields'));104
File name: administrator/components/com_menus/models/item.phpCode:
1014 {1015 // We don't have a component. Load the form XML to get the help path1016 $xmlFile = JPath::find(JPATH_ROOT . '/administrator/components/com_menus/models/forms', 'item_' . $type . '.xml');10171018 // Attempt to load the xml file.1019 if ($xmlFile && !$xml = simplexml_load_file($xmlFile))1020 {1021 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));1022 }10231024 // Get the help data from the XML file if present.
12 The report on detected vulnerabilities FILES
File name: administrator/components/com_menus/models/item.phpCode:
1000 {1001 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));1002 }10031004 // Attempt to load the xml file.1005 if (!$xml = simplexml_load_file($formFile))1006 {1007 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));1008 }10091010 // Get the help data from the XML file if present.
File name: administrator/components/com_menus/models/menutypes.phpCode:
274 $file = $path . '/' . $view . '/metadata.xml';275276 if (is_file($file))277 {278 // Attempt to load the xml file.279 if ($xml = simplexml_load_file($file))280 {281 // Look for the first view node off of the root node.282 if ($menu = $xml->xpath('view[1]'))283 {284 $menu = $menu[0];
File name: administrator/components/com_menus/models/menutypes.phpCode:
453454 // Load layout metadata if it exists.455 if (is_file($file))456 {457 // Attempt to load the xml file.458 if ($xml = simplexml_load_file($file))459 {460 // Look for the first view node off of the root node.461 if ($menu = $xml->xpath('layout[1]'))462 {463 $menu = $menu[0];
File name: administrator/components/com_menus/models/menutypes.phpCode:
153 protected function getTypeOptionsFromXml($file, $component)154 {155 $options = array();156157 // Attempt to load the xml file.158 if (!$xml = simplexml_load_file($file))159 {160 return false;161 }162163 // Look for the first menu node off of the root node.
13 The report on detected vulnerabilities FILES
File name: administrator/components/com_menus/views/items/view.html.phpCode:
156 {157 $file = JPATH_SITE . '/components/' . $item->componentname . '/view/' . $vars['view'] . '/tmpl/' . $vars['layout'] . '.xml';158 }159 }160161 if (is_file($file) && $xml = simplexml_load_file($file))162 {163 // Look for the first view node off of the root node.164 if ($layout = $xml->xpath('layout[1]'))165 {166 if (!empty($layout[0]['title']))
File name: administrator/components/com_menus/views/items/view.html.phpCode:
112 if (!is_file($file))113 {114 $file = JPATH_SITE . '/components/' . $item->componentname . '/view/' . $vars['view'] . '/metadata.xml';115 }116117 if (is_file($file) && $xml = simplexml_load_file($file))118 {119 // Look for the first view node off of the root node.120 if ($view = $xml->xpath('view[1]'))121 {122 // Add view title if present.
File name: administrator/components/com_modules/models/module.phpCode:
834 {835 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));836 }837838 // Attempt to load the xml file.839 if (!$xml = simplexml_load_file($formFile))840 {841 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));842 }843844 // Get the help data from the XML file if present.
File name: administrator/components/com_modules/models/module.phpCode:
744 $client = JApplicationHelper::getClientInfo($table->client_id);745 $path = JPath::clean($client->path . '/modules/' . $table->module . '/' . $table->module . '.xml');746747 if (file_exists($path))748 {749 $this->_cache[$pk]->xml = simplexml_load_file($path);750 }751 else752 {753 $this->_cache[$pk]->xml = null;754 }
14 The report on detected vulnerabilities FILES
File name: administrator/components/com_modules/models/positions.phpCode:
142 {143 $path = JPath::clean($client->path . '/templates/' . $template->element . '/templateDetails.xml');144145 if (file_exists($path))146 {147 $xml = simplexml_load_file($path);148149 if (isset($xml->positions[0]))150 {151 $lang->load('tpl_' . $template->element . '.sys', $client->path, null, false, true)152 || $lang->load('tpl_' . $template->element . '.sys', $client->path . '/templates/' . $template->element, null, false, true);
File name: administrator/components/com_modules/models/select.phpCode:
121 {122 $path = JPath::clean($client->path . '/modules/' . $item->module . '/' . $item->module . '.xml');123124 if (file_exists($path))125 {126 $item->xml = simplexml_load_file($path);127 }128 else129 {130 $item->xml = null;131 }
File name: administrator/components/com_plugins/models/plugin.phpCode:
170 // Get the plugin XML.171 $path = JPath::clean(JPATH_PLUGINS . '/' . $table->folder . '/' . $table->element . '/' . $table->element . '.xml');172173 if (file_exists($path))174 {175 $this->_cache[$pk]->xml = simplexml_load_file($path);176 }177 else178 {179 $this->_cache[$pk]->xml = null;180 }
File name: administrator/components/com_plugins/models/plugin.phpCode:
279 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));280 }281 }282283 // Attempt to load the xml file.284 if (!$xml = simplexml_load_file($formFile))285 {286 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));287 }288289 // Get the help data from the XML file if present.
15 The report on detected vulnerabilities FILES
File name: administrator/components/com_templates/helpers/templates.phpCode:
151 $filePath = JPath::clean($templateBaseDir . '/templates/' . $templateDir . '/templateDetails.xml');152153 if (is_file($filePath))154 {155 // Read the file to see if it's a valid component XML file156 $xml = simplexml_load_file($filePath);157158 if (!$xml)159 {160 return false;161 }
File name: administrator/components/com_templates/models/style.phpCode:
356 $client = JApplicationHelper::getClientInfo($table->client_id);357 $path = JPath::clean($client->path . '/templates/' . $table->template . '/templateDetails.xml');358359 if (file_exists($path))360 {361 $this->_cache[$pk]->xml = simplexml_load_file($path);362 }363 else364 {365 $this->_cache[$pk]->xml = null;366 }
File name: administrator/components/com_templates/models/style.phpCode:
431 {432 $form->setFieldAttribute('home', 'readonly', 'true');433 }434435 // Attempt to load the xml file.436 if (!$xml = simplexml_load_file($formFile))437 {438 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));439 }440441 // Get the help data from the XML file if present.
File name: administrator/components/com_users/helpers/debug.phpCode:
90 {91 $filename = JPATH_ADMINISTRATOR . '/components/com_config/model/form/application.xml';9293 if (is_file($filename))94 {95 $xml = simplexml_load_file($filename);9697 foreach ($xml->children()->fieldset as $fieldset)98 {99 if ('permissions' == (string) $fieldset['name'])
16 The report on detected vulnerabilities FILES
100 {
File name: components/com_config/model/modules.phpCode:
101 {102 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));103 }104105 // Attempt to load the xml file.106 if (!$xml = simplexml_load_file($formFile))107 {108 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));109 }110 }111
File name: components/com_config/model/modules.phpCode:
133 $path = JPath::clean(JPATH_BASE . '/templates/' . $templateName . '/templateDetails.xml');134 $currentPositions = array();135136 if (file_exists($path))137 {138 $xml = simplexml_load_file($path);139140 if (isset($xml->positions[0]))141 {142 foreach ($xml->positions[0] as $position)143 {
File name: components/com_config/model/templates.phpCode:
116 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));117 }118 }119120 // Attempt to load the xml file.121 if (!$xml = simplexml_load_file($formFile))122 {123 throw new Exception(JText::_('JERROR_LOADFILE_FAILED'));124 }125126 // Trigger the default form events.
File name: components/com_users/helpers/html/users.phpCode:
76 {77 $pathToXml = JPATH_ADMINISTRATOR . '/help/helpsites.xml';7879 $text = $value;8081 if (!empty($pathToXml) && $xml = simplexml_load_file($pathToXml))82 {83 foreach ($xml->sites->site as $site)84 {85 if ((string) $site->attributes()->url == $value)86 {
17 The report on detected vulnerabilities FILES
File name: installation/application/web.phpCode:
257 *258 * @since 3.1259 */260 public function getLocalise()261 {262 $xml = simplexml_load_file(JPATH_INSTALLATION . '/localise.xml');263264 if (!$xml)265 {266 return false;267 }
File name: libraries/cms/application/helper.phpCode:
229 public static function parseXMLLangMetaFile($path)230 {231 JLog::add('JApplicationHelper::parseXMLLangMetaFile is deprecated. Use JInstaller::parseXMLInstallFile instead.', JLog::WARNING, 'deprecated');232233 // Read the file to see if it's a valid component XML file234 $xml = simplexml_load_file($path);235236 if (!$xml)237 {238 return false;239 }
File name: libraries/cms/help/help.phpCode:
176 $list = array();177 $xml = false;178179 if (!empty($pathToXml))180 {181 $xml = simplexml_load_file($pathToXml);182 }183184 if (!$xml)185 {186 $option['text'] = 'English (GB) help.joomla.org';
File name: libraries/cms/installer/adapter/file.phpCode:
313 if (file_exists($manifestFile))314 {315 // Set the files root path316 $this->parent->setPath('extension_root', JPATH_MANIFESTS . '/files/' . $row->element);317318 $xml = simplexml_load_file($manifestFile);319320 // If we cannot load the XML file return null321 if (!$xml)322 {323
18 The report on detected vulnerabilities FILES
JLog::add(JText::_('JLIB_INSTALLER_ERROR_FILE_UNINSTALL_LOAD_MANIFEST'), JLog::WARNING, 'jerror');
File name: libraries/cms/installer/adapter/library.phpCode:
386 $manifest = new JInstallerManifestLibrary($manifestFile);387388 // Set the library root path389 $this->parent->setPath('extension_root', JPATH_PLATFORM . '/' . $manifest->libraryname);390391 $xml = simplexml_load_file($manifestFile);392393 // If we cannot load the XML file return null394 if (!$xml)395 {396 JLog::add(JText::_('JLIB_INSTALLER_ERROR_LIB_UNINSTALL_LOAD_MANIFEST'), JLog::WARNING, 'jerror');
File name: libraries/cms/installer/adapter/package.phpCode:
496 JLog::add(JText::_('JLIB_INSTALLER_ERROR_PACK_UNINSTALL_MISSINGMANIFEST'), JLog::WARNING, 'jerror');497498 return false;499 }500501 $xml = simplexml_load_file($manifestFile);502503 // If we cannot load the XML file return false504 if (!$xml)505 {506 JLog::add(JText::_('JLIB_INSTALLER_ERROR_PACK_UNINSTALL_LOAD_MANIFEST'), JLog::WARNING, 'jerror');
File name: libraries/cms/installer/helper.phpCode:
225 return false;226 }227228 foreach ($files as $file)229 {230 $xml = simplexml_load_file($file);231232 if (!$xml)233 {234 continue;235 }
File name: libraries/cms/installer/installer.phpCode:
2190 * @since 12.12191 */2192 public static function parseXMLInstallFile($path)2193 {2194 // Read the file to see if it's a valid component XML file2195 $xml = simplexml_load_file($path);21962197 if (!$xml)
2198 {2199 return false;2200 }
File name: libraries/cms/installer/installer.phpCode:
1978 *1979 * @since 3.11980 */1981 public function isManifest($file)1982 {1983 $xml = simplexml_load_file($file);19841985 // If we cannot load the XML file return null1986 if (!$xml)1987 {1988 return null;
File name: libraries/cms/installer/manifest.phpCode:
108 */109 public function loadManifestFromXml($xmlfile)110 {111 $this->manifest_file = basename($xmlfile, '.xml');112113 $xml = simplexml_load_file($xmlfile);114115 if (!$xml)116 {117 $this->_errors[] = JText::sprintf('JLIB_INSTALLER_ERROR_LOAD_XML', $xmlfile);118
File name: libraries/fof/config/provider.phpCode:
136 }137138 $data = file_get_contents($filename);139140 // Load the XML data in a SimpleXMLElement object141 $xml = simplexml_load_string($data);142143 if (!($xml instanceof SimpleXMLElement))144 {145 return $ret;146 }
File name: libraries/fof/toolbar/toolbar.phpCode:
706 }707708 if (!empty($meta))709 {710 $using_meta = true;711 $xml = simplexml_load_file($searchPath . '/' . $view . '/' . $meta[0]);712 $order = (int) $xml->foflib->ordering;713 }714 else
715 {716 // Next place. It's ok since the index are 0-based and count is 1-based
File name: libraries/joomla/access/access.phpCode:
517 return false;518 }519 else520 {521 // Else return the actions from the xml.522 $xml = simplexml_load_file($file);523524 return self::getActionsFromData($xml, $xpath);525 }526 }527
File name: libraries/joomla/factory.phpCode:
406 libxml_use_internal_errors(true);407408 if ($isFile)409 {410 // Try to load the XML file411 $xml = simplexml_load_file($data, $class);412 }413 else414 {415 // Try to load the XML string416 $xml = simplexml_load_string($data, $class);
File name: libraries/joomla/factory.phpCode:
411 $xml = simplexml_load_file($data, $class);412 }413 else414 {415 // Try to load the XML string416 $xml = simplexml_load_string($data, $class);417 }418419 if ($xml === false)420 {421 JLog::add(JText::_('JLIB_UTIL_ERROR_XML_LOAD'), JLog::WARNING, 'jerror');
File name: libraries/joomla/form/form.phpCode:
845 return false;846 }847 }848849 // Attempt to load the XML file.850 $xml = simplexml_load_file($file);851852 return $this->load($xml, $reset, $xpath);853 }854
855 /**
File name: libraries/joomla/language/language.phpCode:
1368 {1369 throw new RuntimeException('File not found or not readable');1370 }13711372 // Try to load the file1373 $xml = simplexml_load_file($path);13741375 if (!$xml)1376 {1377 return null;1378 }
File name: libraries/joomla/mediawiki/object.phpCode:
110 *111 * @throws DomainException112 */113 public function validateResponse($response)114 {115 $xml = simplexml_load_string($response->body);116117 if (isset($xml->warnings))118 {119 throw new DomainException($xml->warnings->info);120 }
File name: libraries/joomla/openstreetmap/changesets.phpCode:
249 $header['Content-Type'] = 'text/xml';250251 // Send the request.252 $response = $this->oauth->oauthRequest($path, 'POST', $parameters, $xml, $header);253254 $xml_string = simplexml_load_string($response->body);255256 return $xml_string->changeset;257 }258259 /**
File name: libraries/joomla/openstreetmap/changesets.phpCode:
143 $header['Content-Type'] = 'text/xml';144145 // Send the request.146 $response = $this->oauth->oauthRequest($path, 'PUT', $parameters, $xml, $header);147148 $xml_string = simplexml_load_string($response->body);149150 return $xml_string->changeset;151 }152153 /**
File name: libraries/joomla/openstreetmap/changesets.phpCode:
307 $header['Content-Type'] = 'text/xml';308309 // Send the request.310 $response = $this->oauth->oauthRequest($path, 'POST', $parameters, $xml, $header);311312 $xml_string = simplexml_load_string($response->body);313314 return $xml_string->diffResult;315 }316}
File name: libraries/joomla/openstreetmap/elements.phpCode:
540 $path = $this->getOption('api.url') . $base;541542 // Send the request.543 $response = $this->oauth->oauthRequest($path, 'PUT', $parameters);544545 $xml_string = simplexml_load_string($response->body);546547 return $xml_string;548 }549}
File name: libraries/joomla/openstreetmap/gps.phpCode:
38 $path = $this->getOption('api.url') . $base;3940 // Send the request.41 $response = $this->oauth->oauthRequest($path, 'GET', array());4243 $xml_string = simplexml_load_string($response->body);4445 return $xml_string;46 }4748 /**
File name: libraries/joomla/openstreetmap/info.phpCode:
83 $path = $this->getOption('api.url') . $base;8485 // Send the request.86 $response = $this->oauth->oauthRequest($path, 'GET', array());8788 $xml_string = simplexml_load_string($response->body);8990 return $xml_string;91 }92}
File name: libraries/joomla/openstreetmap/info.phpCode:
60 $path = $this->getOption('api.url') . $base;
6162 // Send the request.63 $response = $this->oauth->oauthRequest($path, 'GET', array());6465 $xml_string = simplexml_load_string($response->body);6667 return $xml_string;68 }6970 /**
File name: libraries/joomla/openstreetmap/info.phpCode:
32 $path = $this->getOption('api.url') . $base;3334 // Send the request.35 $response = $this->oauth->oauthRequest($path, 'GET', array());3637 $xml_string = simplexml_load_string($response->body);3839 return $xml_string;40 }4142 /**
File name: libraries/joomla/openstreetmap/object.phpCode:
122 $error = htmlspecialchars($response->body);123124 throw new DomainException($error, $response->code);125 }126127 $xml_string = simplexml_load_string($response->body);128129 return $xml_string;130 }131}
File name: libraries/legacy/form/field/componentlayout.phpCode:
130 $groups['_']['items'] = array();131132 foreach ($component_layouts as $i => $file)133 {134 // Attempt to load the XML file.135 if (!$xml = simplexml_load_file($file))136 {137 unset($component_layouts[$i]);138139 continue;140 }
File name: libraries/vendor/joomla/registry/src/Format/Xml.phpCode:
58 public function stringToObject($data, array $options = array())59 {60 $obj = new stdClass;61
62 // Parse the XML string.63 $xml = simplexml_load_string($data);6465 foreach ($xml->children() as $node)66 {67 $obj->{$node['name']} = $this->getValueFromNode($node);68 }
File name: libraries/vendor/joomla/registry/src/Format/Xml.phpCode:
35 {36 $rootName = (isset($options['name'])) ? $options['name'] : 'registry';37 $nodeName = (isset($options['nodeName'])) ? $options['nodeName'] : 'node';3839 // Create the root node.40 $root = simplexml_load_string('<' . $rootName . ' />');4142 // Iterate over the object members.43 $this->getXmlChildren($root, $object, $nodeName);4445 return $root->asXML();
Improper Restriction of External Entities During XML Document Processing (XXE)
If the application resolves external entities [1] in user-supplied XML documents, an attacker can reach resources that were previously inaccessible through those entities. Depending on the application architecture, external entities can be used to read local files or to make the application server issue network requests.
Example
In this example, we look at a code fragment that implements the XML-RPC protocol:
PHP:
$request = simplexml_load_string($HTTP_RAW_POST_DATA);
$available_methods = array('getBalance', 'getInfo', 'changeInfo');
if (in_array($request->methodName, $available_methods)) {
    // process operations
} else {
    $err_msg = "Method is not supported: $request->methodName";
    report_error($err_msg);
}
If the attacker sends the following XML document in the request:
Xml<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/passwd'> ]> <methodCall> <methodName>&e;</methodName> </methodCall>
Then, once the external entity in the methodName field has been resolved, the error message will contain the contents of the application server's /etc/passwd file.
Potential consequences
This vulnerability can lead to the following:
•Reading files local to the application server.
•Performing network requests from the application server to other hosts, including hosts on the internal network (see SSRF [2]).
•Denial of service (DoS) against the application server.
Removal recommendations
We recommend disabling the resolution of external XML entities whenever user-supplied XML documents are processed. To disable external entities, call the libxml_disable_entity_loader function [3,4] before parsing. The example can then be rewritten as:
PHP:
libxml_disable_entity_loader(true);
$request = simplexml_load_string($HTTP_RAW_POST_DATA);
$available_methods = array('getBalance', 'getInfo', 'changeInfo');
if (in_array($request->methodName, $available_methods)) {
    // process operations
} else {
    $err_msg = "Method is not supported: $request->methodName";
    report_error($err_msg);
}
PHP: Using Global Variables
Severity: low
Language: PHP
Short description: Using the global variable array $GLOBALS is considered bad practice and can lead to poor application quality.
Full description: https://localhost:443/scanner/article?articleName=/en/Php/RestrictionGlobals.html
Found vulnerabilities:
File name: components/com_finder/views/search/view.html.php
Code:
39 $params = $app->getParams();4041 // Get view data.42 $state = $this->get('State');43 $query = $this->get('Query');44 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderQuery') : null;45 $results = $this->get('Results');46 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderResults') : null;47 $total = $this->get('Total');48 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderTotal') : null;49 $pagination = $this->get('Pagination');
File name: components/com_finder/views/search/view.html.phpCode:
45 $results = $this->get('Results');46 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderResults') : null;47 $total = $this->get('Total');48 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderTotal') : null;49 $pagination = $this->get('Pagination');50 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderPagination') : null;5152 // Check for errors.
53 if (count($errors = $this->get('Errors')))54 {55 JError::raiseError(500, implode("\n", $errors));
File name: components/com_finder/views/search/view.html.phpCode:
107108 JDEBUG ? $GLOBALS['_PROFILER']->mark('beforeFinderLayout') : null;109110 parent::display($tpl);111112 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderLayout') : null;113 }114115 /**116 * Method to get hidden input fields for a get form so that control variables117 * are not lost upon form submission
File name: components/com_finder/views/search/view.html.phpCode:
41 // Get view data.42 $state = $this->get('State');43 $query = $this->get('Query');44 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderQuery') : null;45 $results = $this->get('Results');46 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderResults') : null;47 $total = $this->get('Total');48 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderTotal') : null;49 $pagination = $this->get('Pagination');50 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderPagination') : null;51
File name: components/com_finder/views/search/view.html.phpCode:
43 $query = $this->get('Query');44 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderQuery') : null;45 $results = $this->get('Results');46 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderResults') : null;47 $total = $this->get('Total');48 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderTotal') : null;49 $pagination = $this->get('Pagination');50 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderPagination') : null;5152 // Check for errors.53 if (count($errors = $this->get('Errors')))
File name: components/com_finder/views/search/view.html.phpCode:
103 $this->setLayout($active->query['layout']);104 }105106 $this->prepareDocument($query);107108 JDEBUG ? $GLOBALS['_PROFILER']->mark('beforeFinderLayout') : null;109110 parent::display($tpl);111112 JDEBUG ? $GLOBALS['_PROFILER']->mark('afterFinderLayout') : null;
113 }
File name: libraries/joomla/application/daemon.phpCode:
758 @ unlink($this->config->get('application_pid_file'));759760 // If we are supposed to restart the daemon we need to execute the same command.761 if ($restart)762 {763 $this->close(exec(implode(' ', $GLOBALS['argv']) . ' > /dev/null &'));764 }765 // If we are not supposed to restart the daemon let's just kill -9.766 else767 {768 passthru('kill -9 ' . $pid);
File name: libraries/joomla/filesystem/folder.phpCode:
674 {675 $dirs = array();676677 if ($level == 0)678 {679 $GLOBALS['_JFolder_folder_tree_index'] = 0;680 }681682 if ($level < $maxLevel)683 {684 $folders = self::folders($path, $filter);
File name: libraries/joomla/filesystem/folder.phpCode:
685 $pathObject = new JFilesystemWrapperPath;686687 // First path, index foldernames688 foreach ($folders as $name)689 {690 $id = ++$GLOBALS['_JFolder_folder_tree_index'];691 $fullName = $pathObject->clean($path . '/' . $name);692 $dirs[] = array('id' => $id, 'parent' => $parent, 'name' => $name, 'fullname' => $fullName,693 'relname' => str_replace(JPATH_ROOT, '', $fullName));694 $dirs2 = self::listFolderTree($fullName, $filter, $maxLevel, $level + 1, $id);695 $dirs = array_merge($dirs, $dirs2);
File name: libraries/joomla/input/input.phpCode:
129130 $superGlobal = '_' . strtoupper($name);131132 if (isset($GLOBALS[$superGlobal]))133 {134 $this->inputs[$name] = new JInput($GLOBALS[$superGlobal], $this->options);135136 return $this->inputs[$name];137 }
138139 // TODO throw an exception
File name: libraries/joomla/input/input.phpCode:
127 return $this->inputs[$name];128 }129130 $superGlobal = '_' . strtoupper($name);131132 if (isset($GLOBALS[$superGlobal]))133 {134 $this->inputs[$name] = new JInput($GLOBALS[$superGlobal], $this->options);135136 return $this->inputs[$name];137 }
File name: libraries/legacy/request/request.phpCode:
163 $var = $default;164 }165 }166 else167 {168 $var = $GLOBALS['_JREQUEST'][$name][$sig];169 }170171 return $var;172 }173
File name: libraries/legacy/request/request.phpCode:
136 $input = &$_REQUEST;137 $hash = 'REQUEST';138 break;139 }140141 if (isset($GLOBALS['_JREQUEST'][$name]['SET.' . $hash]) && ($GLOBALS['_JREQUEST'][$name]['SET.' . $hash] === true))142 {143 // Get the variable from the input hash144 $var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default;145 $var = self::_cleanVar($var, $mask, $type);146 }
File name: libraries/legacy/request/request.phpCode:
386 break;387 }388389 // Mark this variable as 'SET'390 $GLOBALS['_JREQUEST'][$name]['SET.' . $hash] = true;391 $GLOBALS['_JREQUEST'][$name]['SET.REQUEST'] = true;392393 return $previous;394 }
395396 /**
File name: libraries/legacy/request/request.phpCode:
347 {348 return $_REQUEST[$name];349 }350351 // Clean global request var352 $GLOBALS['_JREQUEST'][$name] = array();353354 // Get the request hash value355 $hash = strtoupper($hash);356357 if ($hash === 'METHOD')
File name: libraries/legacy/request/request.phpCode:
142 {143 // Get the variable from the input hash144 $var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default;145 $var = self::_cleanVar($var, $mask, $type);146 }147 elseif (!isset($GLOBALS['_JREQUEST'][$name][$sig]))148 {149 if (isset($input[$name]) && $input[$name] !== null)150 {151 // Get the variable from the input hash and clean it152 $var = self::_cleanVar($input[$name], $mask, $type);
File name: libraries/legacy/request/request.phpCode:
10defined('JPATH_PLATFORM') or die;1112/**13 * Create the request global object14 */15$GLOBALS['_JREQUEST'] = array();1617/**18 * Set the available masks for cleaning variables19 */20const JREQUEST_NOTRIM = 1;
File name: libraries/legacy/request/request.phpCode:
385 $_SERVER[$name] = $value;386 break;387 }388389 // Mark this variable as 'SET'390 $GLOBALS['_JREQUEST'][$name]['SET.' . $hash] = true;391 $GLOBALS['_JREQUEST'][$name]['SET.REQUEST'] = true;392393 return $previous;394 }
395
File name: libraries/legacy/request/request.phpCode:
149 if (isset($input[$name]) && $input[$name] !== null)150 {151 // Get the variable from the input hash and clean it152 $var = self::_cleanVar($input[$name], $mask, $type);153154 $GLOBALS['_JREQUEST'][$name][$sig] = $var;155 }156 elseif ($default !== null)157 {158 // Clean the default value159 $var = self::_cleanVar($default, $mask, $type);
File name: libraries/legacy/request/request.phpCode:
136 $input = &$_REQUEST;137 $hash = 'REQUEST';138 break;139 }140141 if (isset($GLOBALS['_JREQUEST'][$name]['SET.' . $hash]) && ($GLOBALS['_JREQUEST'][$name]['SET.' . $hash] === true))142 {143 // Get the variable from the input hash144 $var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default;145 $var = self::_cleanVar($var, $mask, $type);146 }
File name: libraries/vendor/composer/autoload_real.phpCode:
49 }50}5152function composerRequire205c915b9c7d3e718e7c95793ee67ffe($fileIdentifier, $file)53{54 if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {55 require $file;5657 $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;58 }59}
File name: libraries/vendor/composer/autoload_real.phpCode:
52function composerRequire205c915b9c7d3e718e7c95793ee67ffe($fileIdentifier, $file)53{54 if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {55 require $file;5657 $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;58 }59}
File name: libraries/vendor/joomla/application/src/AbstractDaemonApplication.phpCode:
765 @ unlink($this->get('application_pid_file'));766767 // If we are supposed to restart the daemon we need to execute the same command.768 if ($restart)769 {770 $this->close(exec(implode(' ', $GLOBALS['argv']) . ' > /dev/null &'));771 }772 else773 // If we are not supposed to restart the daemon let's just kill -9.774 {775 passthru('kill -9 ' . $pid);
File name: libraries/vendor/joomla/input/src/Input.phpCode:
137 return $this->inputs[$name];138 }139140 $superGlobal = '_' . strtoupper($name);141142 if (isset($GLOBALS[$superGlobal]))143 {144 $this->inputs[$name] = new Input($GLOBALS[$superGlobal], $this->options);145146 return $this->inputs[$name];147 }
File name: libraries/vendor/joomla/input/src/Input.phpCode:
139140 $superGlobal = '_' . strtoupper($name);141142 if (isset($GLOBALS[$superGlobal]))143 {144 $this->inputs[$name] = new Input($GLOBALS[$superGlobal], $this->options);145146 return $this->inputs[$name];147 }148149 // TODO throw an exception
File name: libraries/vendor/joomla/input/src/Json.phpCode:
5152 // This is a workaround for where php://input has already been read.53 // See note under php://input on http://php.net/manual/en/wrappers.php.php54 if (empty($this->raw) && isset($GLOBALS['HTTP_RAW_POST_DATA']))55 {56 $this->raw = $GLOBALS['HTTP_RAW_POST_DATA'];57 }5859 $this->data = json_decode($this->raw, true);6061 if (!is_array($this->data))
File name: libraries/vendor/joomla/input/src/Json.phpCode:
49 {50 $this->raw = file_get_contents('php://input');5152 // This is a workaround for where php://input has already been read.53 // See note under php://input on http://php.net/manual/en/wrappers.php.php54 if (empty($this->raw) && isset($GLOBALS['HTTP_RAW_POST_DATA']))55 {56 $this->raw = $GLOBALS['HTTP_RAW_POST_DATA'];57 }5859 $this->data = json_decode($this->raw, true);
Using Global Variables
Using the global variable array $GLOBALS is considered bad practice and can lead to poor application quality.
Example
Let's look at an example of using global variables. Here, a global variable holds the object used for working with the database.
PHP:
$output['header']['log_out'] = "Log Out";
function showPage() {
    global $db, $output;
    $db = (isset($db)) ? $db : new Database();
    $output['header']['title'] = $db->getConfig('siteTitle');
    require('myHTMLPage.html');
    exit();
}
This approach has several downsides:
•Encapsulation is broken. The value of a global variable can be initialized and changed in a different function or file, with no apparent connection between the two.
•Passing data across a function boundary while bypassing its signature breaks the principle of self-documenting code, making the application harder to read and maintain.
•This type of code cannot be unit-tested in isolation, since it cannot be run without first initializing all of its external dependencies.
•It breaks namespacing, since the keys of the superglobal array do not support namespaces.
Potential consequences
This programming practice can be a symptom of poor code quality and of an inexperienced developer. Using the $GLOBALS array increases the coupling between application components, lowers readability, and makes debugging, testing and maintaining the code more difficult.
Removal recommendations
•To store application-wide values and constants (such as settings), we recommend using configuration files and Singleton objects [1].
•To pass data into a function, use function parameters. This makes the code self-documenting, since the function's signature shows what data it uses.
•The third way to avoid global data is object-oriented programming: all data an object uses is stored inside the object or passed to it through its interface [2].
PHP: Using Insufficiently Random Generators in Cryptography
Severity: low
Language: PHP
Short description: Standard (non-cryptographic) pseudorandom number generators are easily predictable, which weakens the application's cryptographic defenses.
Full description: https://localhost:443/scanner/article?articleName=/en/Php/CryptoInsufficientRandomValues.html
Found vulnerabilities:
File name: installation/model/database.php
Code:
37 $randUserId = $session->get('randUserId');3839 if (empty($randUserId))40 {41 // Create the ID for the root user only once and store in session.42 $randUserId = mt_rand(1, 1000);43 $session->set('randUserId', $randUserId);44 }4546 return $randUserId;47 }
File name: libraries/cms/html/email.phpCode:
50 // Split email by @ symbol51 $mail = explode('@', $mail);52 $mail_parts = explode('.', $mail[1]);5354 // Random number55 $rand = rand(1, 100000);5657 $replacement = '<span id="cloak' . $rand . '">' . JText::_('JLIB_HTML_CLOAKING') . '</span>' . "<script type='text/javascript'>";58 $replacement .= "\n //<!--";59 $replacement .= "\n document.getElementById('cloak$rand').innerHTML = '';";60 $replacement .= "\n var prefix = 'ma' + 'il' + 'to';";
File name: libraries/fof/encrypt/totp.phpCode:
169 {170 $secret = "";171172 for ($i = 1; $i <= $this->_secretLength; $i++)173 {174 $c = rand(0, 255);175 $secret .= pack("c", $c);176 }177 $base32 = new FOFEncryptBase32;178179 return $this->_base32->encode($secret);
File name: libraries/joomla/user/helper.phpCode:
608 {609 $salt = '';610611 for ($i = 0; $i < 8; $i++)612 {613 $salt .= $APRMD5{rand(0, 63)};614 }615616 return $salt;617 }618 break;
File name: libraries/vendor/ircmaxell/password-compat/lib/password.phpCode:
129 $bl = PasswordCompat\binary\_strlen($buffer);130 for ($i = 0; $i < $raw_salt_len; $i++) {131 if ($i < $bl) {132 $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));133 } else {134 $buffer .= chr(mt_rand(0, 255));135 }136 }137 }138 $salt = $buffer;139 $salt_requires_encoding = true;
File name: libraries/vendor/ircmaxell/password-compat/lib/password.phpCode:
127 }128 if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) {129 $bl = PasswordCompat\binary\_strlen($buffer);130 for ($i = 0; $i < $raw_salt_len; $i++) {131 if ($i < $bl) {132 $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));133 } else {134 $buffer .= chr(mt_rand(0, 255));135 }136 }137 }
File name: libraries/vendor/joomla/session/Joomla/Session/Session.phpCode:
842 $token = '';843 $name = session_name();844845 for ($i = 0; $i < $length; ++$i)846 {847 $token .= $chars[(rand(0, $max))];848 }849850 return md5($token . $name);851 }852
File name: modules/mod_random_image/helper.phpCode:
30 {31 $width = $params->get('width');32 $height = $params->get('height');3334 $i = count($images);35 $random = mt_rand(0, $i - 1);36 $image = $images[$random];37 $size = getimagesize(JPATH_BASE . '/' . $image->folder . '/' . $image->name);3839 if ($width == '')40 {
Using Insufficiently Random Generators in Cryptography
Standard (non-cryptographic) pseudorandom number generators are easily predictable, which weakens the application's cryptographic defenses.
Example 1
Consider a function that generates a random page URL:
PHP:
function genReceiptURL($baseURL) {
    $randNum = rand();
    $receiptURL = $baseURL . $randNum . ".html";
    return $receiptURL;
}
Such a function might be used to handle a request to edit account settings: the user submits a password change request, the system emails the user a link to the generated page, and the user opens the password change form at that link.
The link is built from a random number obtained by calling rand(). This function produces predictable pseudorandom numbers, so an attacker who knows it is used can guess the link.
The attacker can then request a password reset in the victim's name and replace the current password, taking over the victim's account without ever having had access to it.
Example 2
Consider a function that generates a session ID from the user ID:
PHP:
function generateSessionId($userId) {
    srand($userId);
    $randNum = rand();
    return $randNum;
}
Deterministic pseudorandom generators, including the rand() used here, always produce the same output sequence for a given seed. Since the user ID does not change, the function will always generate the same session ID for that user.
Potential consequences
•If the random numbers are used in defensive mechanisms, such as session ID generation or cryptographic keys, predictable values seriously compromise security: an attacker can predict the generated value, recover the key, and gain access to the protected resource.
•If the application uses a random value to generate a resource identifier and that value is predictable, an attacker can access the resource or replace it with a tampered copy.
•If the authentication and authorization mechanisms rely on random numbers (for example, for secret key generation), an attacker can guess the key and access protected parts of the system.
Removal recommendations
•Pseudorandom generators fall into two classes: deterministic (statistical) and cryptographically secure. Use cryptographically secure generators, since their output is infeasible to predict.
•For cryptographic purposes, use random_int(), random_bytes() or openssl_random_pseudo_bytes() [2]; these follow current security standards. When using openssl_random_pseudo_bytes(), check its $crypto_strong output parameter and treat the result as unusable if it is false.
•Consider hardware random number generators that derive entropy from physical processes, such as atmospheric noise.