SECURITY AUDIT - Darmowe ebooki · of Joomla! core remains totally secure from site hacking or...

SECURITY AUDIT

[ 26th FEBRUARY 2006 ]

A2 BROKEN ACCESS CONTROL

REY GIGATARAS

Joomla! SECURITY AUDIT

26 February 2006

Joomla! Security Audit - A2 Broken Access Control [26 Feb 06].doc 1

TABLE OF CONTENTS Introduction 2

Executive Summary 2 Scope Of Audit 2 Bug Fixing 2 Testing Details 3 Reason Mambo Codebase Was Also Tested 3 History 3

Stage 1 - Data State Setting Check 4

Item Check – Item State Setting 5 Item Check – Category State Setting 5 Item Check – Section State Setting 5 Category Check – Category State Setting 6 Category Check – Section State Setting 6 Section Check – Section State Setting 6 Syndication Access Setting 7

Stage 2 - Data Access Level Setting Check 8

Item Check – Item Access Setting 9 Item Check – Category Access Setting 9 Item Check – Section Access Setting 9 Category Check – Category Access Setting 10 Category Check – Section Access Setting 10 Section Check – Section Access Setting 10 Section Item Check – Category Access Setting 11

Stage 3 - Content Items Module State & Access Level Setting Check 12

Item Check – Item State Setting 13 Item Check – Category State Setting 13 Item Check – Section State Setting 13 Item Check – Item Access Setting 14 Item Check – Category Access Setting 14 Item Check – Section Access Setting 14


26 February 2006


INTRODUCTION Executive Summary This Security Audit has discovered 30 Security vulnerabilities within Joomla! core components that allow unwanted viewing to the data of these components – under the Open Web Application Security Project (OWASP) – this is categorized as an A2 Broken Access Control Security Vulnerability. What this vulnerability means is that the data not meant to be viewed is still viewable when they should not be - either because their state has been set to `unpublished` or that their access level is set higher than `public`. Thus all of these vulnerabilities are characterized as being Data Viewing Security Vulnerabilities. It is possible that these vulnerabilities also affect the Mambo 4.5.1 and Mambo 4.5.0 – although no specific tests were conducted on these codebases. These security vulnerabilities do NOT mean unauthorized Control or Access of a site can occur. The latest version of Joomla! core remains totally secure from site hacking or attempts at unauthorized control.

Scope of Audit This Security Audit ONLY checks the integrity of data stored in Joomla! Core Components from unwanted viewing. This unwanted viewing comes in two forms:

- the state of a data item (or its category/section) is set to `unpublished` but is still accessible - the access level of an item (or its category/section) is set to `registered` or `special` but is still accessible for

public visitors The Core Components are:

- Content Items & Static Content - Contacts - Newsfeeds - Polls - Web Links

The audit was conducted in three (3) phases to ensure all aspects of this issue are properly covered:

Stage 1 The first stage of the audit tests whether unpublished data can be viewed.

Stage 2 The second stage of the audit tests whether registered/special data can be viewed.

Stage 3 The third stage of the audit tests whether the content item modules (mod_newsflash, mod_latestnews, mod_mostread) properly follow state and access settings.

This audit, does not cover 3rd Party addons. The vulnerabilities found within the Core, do not affect 3rd Party addons. However, we encourage all 3rd Party developers to audit their own developments in a similar fashion to discover if similar data viewing vulnerabilities exist within their own applications.

Bug Fixing In conjunction with the testing, fixes were being devised and committed to the 1.0.x and 1.1.x code base. So once the audit was completed 1.0.8 Beta would be ready for release to testers. This is indicated in the matrices by the words `Fixed` and highlighted in blue.


26 February 2006


Testing Details

Testing was conducted across five (5) codebases: o Joomla! 1.0.7 o Joomla! 1.0.8 SVN o Joomla! 1.1.0 SVN o Mambo 4.5.2.3 o Mambo 4.5.3h

As much as possible the tests where conducted on the same sample data across all the code bases – obviously this

was not necessarily possible on the Mambo 4.5.3 which comes with different sample data

The Joomla! testing was conducted on the following WAMP [wampserver] environment: o Apache 2.0.55 o PHP 4.4.1 o MySQL 5.0.17

The Mambo testing was conducted on the following WAMP [easyphp] environment: o Apache 1.3.33 o PHP 4.3.10 o MySQL 4.1.9

This was necessary as Mambo had some errors running on the other test environment

SEF was disabled during tests, however, this should not affect results.

Reason Mambo codebase was also tested Some persons may question why we have included test results from the Mambo codebase in this audit. We assure all, that there is no malicious intent. Joomla! is a direct descendent of Mambo 4.5.2.3, thus it was prudent for us to test how far back these vulnerabilities stem, especially as many Joomla! users may still administer/manage Mambo sites. In regards to Mambo 4.5.3h, as this codebase is a close variant of Mambo 4.5.2.3 (with only 70 or so listed minor changes), it seemed prudent to also test this codebase.

History Shortly after the public release of Joomla! 1.0.7, a public discussion on the Joomla! forums reported that Poll data was visible or accessible despite being Unpublished - it was also mentioned that other unpublished core data may also be visible. A quick check of Joomla! 1.0.7 by the Stability Team verified the vulnerability within the core Poll Component and also within other Core Components. To properly investigate the matter and to ensure there weren’t other similar vulnerabilities within the Joomla! core code base this Security Audit was instituted.


26 February 2006


SECURITY AUDIT

STAGE 1

DATA STATE SETTING CHECK


26 February 2006


Item Check – Item State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Safe Safe Safe Safe

Static Content Safe Safe Safe Safe

Contacts Safe Safe Safe Safe

Newsfeeds Safe Safe * Safe * Safe *

Polls Fixed Vulnerable Vulnerable Vulnerable

Weblinks Fixed Vulnerable Vulnerable Vulnerable Testing methodology : View a direct link to the data when `published` Then attempt to repeat with the item ùnpublished`

* Displays blank page – rather than an unauthorized access page Indicates a change/fix made

Item Check – Category State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Safe Safe Vulnerable Vulnerable

Contacts Safe Safe* Error** Error**

Newsfeeds Fixed Vulnerable Vulnerable Vulnerable

Weblinks Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the data when `published` Then attempt to repeat with the items category ùnpublished`

* Displays ‘no contact listed’ – rather than an unauthorized access page ** Error message in affect disables access to this page closing the security hole Indicates a change/fix made

Item Check – Section State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Safe Safe Vulnerable Vulnerable Check conducted : View a direct link to the data when `published` Then attempt to repeat with the items section ùnpublished`


26 February 2006


Category Check – Category State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Table View Fixed Vulnerable Vulnerable Vulnerable Content

Blog View Safe Safe* Vulnerable Vulnerable

Contacts Fixed Vulnerable Vulnerable Vulnerable


Weblinks Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the category when the category is `published` Then attempt to repeat with the category ùnpublished`

Legend :

* Displays ‘There are no items to display’ – rather than an unauthorized access page Indicates a change/fix made

Category Check – Section State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h


Blog View Safe Safe* Vulnerable Vulnerable Check conducted : View a direct link to the category when the section is `published` Then attempt to repeat with the section ùnpublished`

Legend :

Indicates a change/fix made

Section Check – Section State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

List View Fixed Vulnerable Vulnerable Vulnerable Content

Blog View Safe Safe* Vulnerable Vulnerable Check conducted : View a direct link to the category when the section is `published` Then attempt to repeat with the section ùnpublished`

Legend :



26 February 2006


Syndication Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Syndication Fixed Vulnerable Vulnerable Vulnerable Check conducted : Attempt to view a syndicated link when mod_rssfeed is not published

Legend :



26 February 2006


SECURITY AUDIT

STAGE 2

DATA ACCESS LEVEL SETTING CHECK


26 February 2006


Item Check – Item Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Safe Safe Safe Safe

Static Content Safe Safe Safe Safe

Contacts Safe Safe Safe Safe

Polls No interface to control access, even though table field exists* Check conducted : View a direct link to the data when access set to `public` Then attempt to repeat with the item access set to `registered` and then ‘special’

Legend :

* 1.1.0 now supports the ability to set access control Indicates a change/fix made

Item Check – Category Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Fixed Vulnerable Vulnerable Vulnerable

Contacts Safe Safe* Error** Error**


Weblinks Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the data when access set to `public` Then attempt to repeat with the category access set to `registered` and then ‘special’

Legend :

* Displays ‘There are no Contact Details listed’ – rather than an unauthorized access page ** Error message in affect disables access to this page closing the security hole Indicates a change/fix made

Item Check – Section Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the data when access set to `public` Then attempt to repeat with the section access set to `registered` and then ‘special’


26 February 2006


Category Check – Category Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Table View Fixed Vulnerable* Vulnerable* Vulnerable* Content

Blog View Fixed Vulnerable Vulnerable Vulnerable

Contacts Fixed Vulnerable Vulnerable Vulnerable


Weblinks Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the category when the category is set to `public` Then attempt to repeat with the category access set to `registered` and then ‘special’

Legend :

* Category information shown, however category table not visible – in this regard this is not a true vulnerability Indicates a change/fix made

Category Check – Section Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h


Blog View Safe Safe* Safe* Safe* Check conducted : View a direct link to the category when the category is set to `public` Then attempt to repeat with the section access set to `registered` and then ‘special’

Legend :


Section Check – Section Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h


Blog View Fixed Safe* Safe* Safe* Check conducted : View a direct link to the category when the category is set to `public` Then attempt to repeat with the category access set to `registered` and then ‘special’

Legend :



26 February 2006


Section Item Check – Category Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

Content Blog View Fixed Vulnerable Vulnerable Vulnerable Check conducted : View a direct link to the Blog - Content Section when the category is set to `public` Then attempt to repeat with the category access set to `registered` and then ‘special’

Legend :



26 February 2006


SECURITY AUDIT

STAGE 3

CONTENT ITEMS MODULE STATE & ACCESS LEVEL SETTING

CHECK


26 February 2006


Item Check – Item State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Safe Safe Safe Safe

mod_mostread Safe Safe Safe Safe

mod_newsflash Safe Safe Safe Safe Testing methodology : View modules when` Content Items` `published` Then view again with the items ùnpublished`

Item Check – Category State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Safe Safe Vulnerable Vulnerable

mod_mostread Safe Safe Vulnerable Vulnerable

mod_newsflash Fixed Vulnerable Vulnerable Vulnerable Testing methodology : View modules when `Content Items` Category `published` Then view again with the items Category ùnpublished`

Legend :


Item Check – Section State setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Safe Safe Vulnerable Vulnerable

mod_mostread Safe Safe Vulnerable Vulnerable

mod_newsflash Fixed Vulnerable Vulnerable Vulnerable Testing methodology : View modules when `Content Items` Section `published` Then view again with the items Section ùnpublished`

Legend :



26 February 2006


Item Check – Item Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Safe Safe Safe Safe

mod_mostread Safe Safe Safe Safe

mod_newsflash Safe Safe Safe Safe Testing methodology : View modules when `Content Items` access set to `public` Then view again with the items access set to `registered` and then ‘special’

Item Check – Category Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Fixed Vulnerable Vulnerable Vulnerable

mod_mostread Fixed Vulnerable Vulnerable Vulnerable

mod_newsflash Safe Safe Safe Safe Testing methodology : View modules when `Content Items` Category access set to `public` Then view again with the items Category access set to `registered` and then ‘special’

Legend :


Item Check – Section Access setting

1.0.8 & 1.1.x 1.0.7 4.5.2.3 4.5.3h

mod_latestnews Fixed Vulnerable Vulnerable Vulnerable

mod_mostread Fixed Vulnerable Vulnerable Vulnerable

mod_newsflash Fixed Vulnerable Vulnerable Vulnerable Testing methodology : View modules when `Content Items` Section access set to `public` Then view again with the items Section access set to `registered` and then ‘special’

Legend :


SECURITY AUDIT - Darmowe ebooki · of Joomla! core remains totally secure from site hacking or...

Documents

Transcript of SECURITY AUDIT - Darmowe ebooki · of Joomla! core remains totally secure from site hacking or...