
Templates pose a security vulnerability

    • Eoin
    • Hero Rocketeer
    • Posts: 424
    • Thanks: 18

    Templates pose a security vulnerability

    Posted 11 years 5 months ago
    • Hi there,

      I ran into some issues with Admin Tools and "unsupported.php", for which you need to make an exception in the Admin Tools Web Application Firewall (just make "unsupported", without quotes, an exception). I then realised I'd also have to make "comingsoon" an exception for the new coming soon pages. I haven't found any others yet, but if anyone knows any I'd appreciate a note here for others and a PM to myself :)

      I got into a discussion with Nicholas over at Akeeba Backup about these issues, and there were some problems raised by him with using this methodology. His quote is below:
      For what it's worth, using a tmpl other than "component" is an abuse of this core Joomla! feature as of Joomla! 2.5 and later. It's not standard to have custom tmpl keywords. This is the kind of information you are supposed to push into the user session, not the URL, for many security and data integrity reasons. Just to give you an idea, if I suspect a site is using a RocketTheme template I will just append &tmpl=unsupported to see if I'm getting the IE6 warning. It does? Cool, it's a RocketTheme template. I can now take a wild guess that the site is using an outdated version of Gantry (RocketTheme's framework) and try some attacks against known vulnerabilities of old versions. Even better, I can cloak myself by making a fake site with links to these URLs that should get the site hacked and have Google scan my site by submitting a sitemap. Google will duly visit those URLs and your site is pwned.

      I do update my sites regularly, but I don't really want to get hacked at any point if I can help it. And I am extremely mindful to listen to Nicholas as he is a very knowledgeable guy, and well recognised throughout the Joomlaverse. I also can see no reason for him to lie. Is there a way that this can be updated in the future? I know that this will potentially cause issues for old templates etc, but I do think it would be a good thing going forwards.

      It might also be worth giving him a consultancy fee to ensure that other good practices are followed; hackable templates are surely going to give you a bad reputation.
    • Owner of Square Balloon
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: Templates pose a security vulnerability

    Posted 11 years 5 months ago
    • There are many other simpler ways to tell who created a template, and what it's running. Just because we make use of Joomla's tmpl mechanism for something other than what the default Joomla templates come with doesn't mean we're doing it the wrong way; actually this is the way you're SUPPOSED to implement custom unique layouts in a Joomla template.

      The bigger question becomes, what is the security risk/issue with the unsupported.php template? This is just a template file like any other. It could be argued that it's more secure than the default index.php or component.php because it's actually simpler and more locked down. It uses the same Joomla API calls that those others do.

      Just because your Admin Tools restricts access to files that it doesn't know about doesn't necessarily mean those other files are insecure. Nicholas knows a lot about Joomla and I respect him for that, but frankly we know a lot more about Templates :)
    • Eoin
    • Hero Rocketeer
    • Posts: 424
    • Thanks: 18

    Re: Templates pose a security vulnerability

    Posted 11 years 5 months ago
    • I'm not entirely sure this is a template vs extensions/Joomla issue, it's more a security one. It's not a large hole, and I know you can find many other ways to work out where a template is from, CSS classes being one that someone as unknowledgeable as I can think of. I'm not sure that being able to find other ways to tell is the point though; just because they exist doesn't mean you should provide additional methods.

      I'm sure Nicholas does not mean anything personal towards you guys, he's normally a fairly impartial fellow, and I am certainly very wary of starting any bad blood either way as I respect you both immensely. I left my other template provider to join you guys and have been very happy with the templates and the support that I have received.

      It is still information disclosure however, and it could be avoided by having the unsupported script on the index.php page instead of an unsupported page, couldn't it? I think the comingsoon page is a good use of the tmpl option. I agree that unsupported.php is not an insecure file, that is my fault for phrasing things badly.

      The comingsoon template is a good example of when an exception in Admin Tools is really useful; the feature has been designed for this reason. It's very clear that you can't just blindly switch it on and expect it to protect you. There are loads of settings throughout because of these things.

      I'm going to assume that this is a no go area from you guys, and draw a line under the conversation. I hope I haven't pressed anyone's buttons, it wasn't my intention, and I don't suppose there's any point in a long drawn out conversation about this if you are not going to make the amendments. I would love to see you discuss it with Nicholas though, I'm sure it could only benefit RocketTheme and make it even better.
    • Owner of Square Balloon
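
An added example, not code from this thread, RocketTheme or Admin Tools: a review of web access logs that applies the allowlist-plus-exceptions idea discussed above to the `tmpl` parameter, separating requests that use the core value from those that pass only because "unsupported" and "comingsoon" were made exceptions. The log lines are constructed, and the function and variable names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

CORE_TMPL = {"component"}                        # core Joomla value named in the thread
SITE_EXCEPTIONS = {"unsupported", "comingsoon"}  # exceptions added in the first post

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.4 - - [01/Jan/2014:10:00:01 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 8123
198.51.100.4 - - [01/Jan/2014:10:00:05 +0000] "GET /index.php?option=com_content&tmpl=component HTTP/1.1" 200 4010
203.0.113.9 - - [01/Jan/2014:10:02:11 +0000] "GET /?tmpl=unsupported HTTP/1.1" 200 2950
203.0.113.9 - - [01/Jan/2014:10:02:12 +0000] "GET /?tmpl=notalayout HTTP/1.1" 403 512
192.0.2.77 - - [01/Jan/2014:10:03:40 +0000] "GET /index.php?tmpl=%63omingsoon HTTP/1.1" 200 3001
"""


def review_tmpl_requests(log_text, core=CORE_TMPL, exceptions=SITE_EXCEPTIONS):
    """Return (client, tmpl value, verdict) for every request carrying tmpl=."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes values and keeps repeated parameters,
        # so an encoded or duplicated tmpl= is still checked.
        values = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in values.get("tmpl", []):
            if value in core:
                verdict = "core"
            elif value in exceptions:
                verdict = "exception"  # passes only because of the added exception
            else:
                verdict = "blocked"
            findings.append((client, value, verdict))
    return findings


def clients_to_review(findings):
    """Clients that sent any tmpl value other than a core one."""
    return sorted({client for client, _, verdict in findings if verdict != "core"})


if __name__ == "__main__":
    for finding in review_tmpl_requests(SAMPLE_LOG):
        print(finding)
```
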
