SECURITY AUDIT [26th FEBRUARY 2006]
A2 BROKEN ACCESS CONTROL
REY GIGATARAS
Joomla!
SECURITY AUDIT
26 February 2006
Joomla! Security Audit - A2 Broken Access Control [26 Feb 06].doc
1
TABLE OF CONTENTS
Reason Mambo Codebase Was Also Tested
Stage 1 - Data State Setting Check
  Item Check – Item State Setting
  Item Check – Category State Setting
  Item Check – Section State Setting
  Category Check – Category State Setting
  Category Check – Section State Setting
  Section Check – Section State Setting
Stage 2 - Data Access Level Setting Check
  Item Check – Item Access Setting
  Item Check – Category Access Setting
  Item Check – Section Access Setting
  Category Check – Category Access Setting 10
  Category Check – Section Access Setting 10
  Section Check – Section Access Setting 10
  Section Item Check – Category Access Setting 11
Stage 3 - Content Items Module State & Access Level Setting Check 12
  Item Check – Item State Setting
  Item Check – Category State Setting 13
  Item Check – Section State Setting 13
  Item Check – Item Access Setting 14
  Item Check – Category Access Setting 14
  Item Check – Section Access Setting 14
INTRODUCTION
Executive Summary
This Security Audit has discovered 30 security vulnerabilities within Joomla! core components that allow unwanted viewing
of the data of these components. Under the Open Web Application Security Project (OWASP) classification this is categorized as an
A2 Broken Access Control security vulnerability.
What this vulnerability means is that data not meant to be viewed is still viewable when it should not be, either
because its state has been set to `unpublished` or because its access level is set higher than `public`. All of these
vulnerabilities are therefore characterized as Data Viewing security vulnerabilities.
It is possible that these vulnerabilities also affect Mambo 4.5.1 and Mambo 4.5.0, although no specific tests were
conducted on these codebases.
These security vulnerabilities do NOT mean unauthorized control or access of a site can occur.
The latest version of Joomla! core remains totally secure from site hacking or attempts at unauthorized control.
Scope of Audit
This Security Audit ONLY checks the integrity of data stored in Joomla! Core Components from unwanted viewing.
This unwanted viewing comes in two forms:
- the state of a data item (or its category/section) is set to `unpublished` but it is still accessible
- the access level of an item (or its category/section) is set to `registered` or `special` but it is still accessible to
public visitors
The Core Components are:
- Content Items & Static Content
- Contacts
- Newsfeeds
- Polls
- Web Links
The audit was conducted in three (3) phases to ensure all aspects of this issue are properly covered:
Stage 1: The first stage of the audit tests whether unpublished data can be viewed.
Stage 2: The second stage of the audit tests whether registered/special data can be viewed.
Stage 3: The third stage of the audit tests whether the content item modules (mod_newsflash, mod_latestnews,
mod_mostread) properly follow state and access settings.
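The following Python is an added illustration, not code from the audit or from Joomla!. It models the Stage 1 and Stage 2 checks as a visibility decision over an item and its parent category and section, and contrasts a check that only inspects the item (the shape of the defect the matrices mark `Vulnerable`) with one that also inspects the ancestors. The state and access encodings, the visitor `gid` values, and the `Node`/`run_matrix` names are simplifying assumptions.

```python
# Added example, not code from the audit or from Joomla!. Assumptions:
# state 1 = published / 0 = unpublished; access 0 = public, 1 = registered,
# 2 = special; a visitor's gid is 0 (public), 1 (registered) or 2 (special).
from dataclasses import dataclass

PUBLISHED, UNPUBLISHED = 1, 0
PUBLIC, REGISTERED, SPECIAL = 0, 1, 2


@dataclass(frozen=True)
class Node:
    state: int
    access: int


def node_allowed(node: Node, gid: int) -> bool:
    # A node may be shown only if it is published and its access level does
    # not exceed the visitor's level.
    return node.state == PUBLISHED and node.access <= gid


def visible_item_only(item: Node, cat: Node, sec: Node, gid: int) -> bool:
    # Shape of the defect: only the item's own state and access are consulted,
    # so an unpublished or restricted parent category/section does not hide it.
    return node_allowed(item, gid)


def visible_hardened(item: Node, cat: Node, sec: Node, gid: int) -> bool:
    # Corrected rule: the item and every ancestor must be published and no
    # more restricted than the visitor's level.
    return all(node_allowed(n, gid) for n in (item, cat, sec))


OK = Node(PUBLISHED, PUBLIC)
# Each check starts from a published, public baseline and changes one setting,
# mirroring the audit's "view when published, then repeat" steps. Constructed data.
CHECKS = {
    "item unpublished":     (Node(UNPUBLISHED, PUBLIC), OK, OK),
    "category unpublished": (OK, Node(UNPUBLISHED, PUBLIC), OK),
    "section unpublished":  (OK, OK, Node(UNPUBLISHED, PUBLIC)),
    "item registered":      (Node(PUBLISHED, REGISTERED), OK, OK),
    "category special":     (OK, Node(PUBLISHED, SPECIAL), OK),
    "section registered":   (OK, OK, Node(PUBLISHED, REGISTERED)),
}


def run_matrix(decide) -> dict:
    """Map each check to 'Safe' or 'Vulnerable' for a public visitor, i.e. one
    column of the audit's matrices for the given visibility rule."""
    assert decide(OK, OK, OK, PUBLIC), "baseline must be viewable"
    return {name: "Vulnerable" if decide(*nodes, PUBLIC) else "Safe"
            for name, nodes in CHECKS.items()}
```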
This audit does not cover 3rd party addons. The vulnerabilities found within the Core do not affect 3rd party addons.
However, we encourage all 3rd party developers to audit their own developments in a similar fashion to discover whether similar
data viewing vulnerabilities exist within their own applications.
Bug Fixing
In conjunction with the testing, fixes were being devised and committed to the 1.0.x and 1.1.x code base.
So once the audit was completed 1.0.8 Beta would be ready for release to testers. This is indicated in the matrices by the
words `Fixed` and highlighted in blue.
Testing Details
Testing was conducted across five (5) codebases:
o Joomla! 1.0.7
o Joomla! 1.0.8 SVN
o Joomla! 1.1.0 SVN
o Mambo 4.5.2.3
o Mambo 4.5.3h
As much as possible the tests were conducted on the same sample data across all the codebases; obviously this
was not entirely possible on Mambo 4.5.3, which comes with different sample data.
The Joomla! testing was conducted on the following WAMP [wampserver] environment:
o Apache 2.0.55
o PHP 4.4.1
o MySQL 5.0.17
The Mambo testing was conducted on the following WAMP [easyphp] environment:
o Apache 1.3.33
o PHP 4.3.10
o MySQL 4.1.9
This was necessary as Mambo had some errors running on the other test environment.
SEF was disabled during tests; however, this should not affect results.
Reason Mambo codebase was also tested
Some persons may question why we have included test results from the Mambo codebase in this audit. We assure all that
there is no malicious intent.
Joomla! is a direct descendent of Mambo 4.5.2.3, thus it was prudent for us to test how far back these vulnerabilities stem,
especially as many Joomla! users may still administer/manage Mambo sites.
In regards to Mambo 4.5.3h, as this codebase is a close variant of Mambo 4.5.2.3 (with only 70 or so listed minor changes),
it seemed prudent to also test this codebase.
History
Shortly after the public release of Joomla! 1.0.7, a public discussion on the Joomla! forums reported that Poll data was
visible or accessible despite being Unpublished - it was also mentioned that other unpublished core data may also be visible.
A quick check of Joomla! 1.0.7 by the Stability Team verified the vulnerability within the core Poll Component and also
within other Core Components.
To properly investigate the matter and to ensure there weren’t other similar vulnerabilities within the Joomla! core code base
this Security Audit was instituted.
SECURITY AUDIT STAGE 1
DATA STATE SETTING CHECK
Item Check – Item State setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Safe            Safe         Safe         Safe
Static Content   Safe            Safe         Safe         Safe
Contacts         Safe            Safe         Safe         Safe
Newsfeeds        Safe            Safe *       Safe *       Safe *
Polls            Fixed           Vulnerable   Vulnerable   Vulnerable
Weblinks         Fixed           Vulnerable   Vulnerable   Vulnerable

Testing methodology:
View a direct link to the data when `published`.
Then attempt to repeat with the item `unpublished`.
Legend:
* Displays blank page – rather than an unauthorized access page
Fixed – indicates a change/fix made
Item Check – Category State setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Safe            Safe         Vulnerable   Vulnerable
Contacts         Safe            Safe *       Error **     Error **
Newsfeeds        Fixed           Vulnerable   Vulnerable   Vulnerable
Weblinks         Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
View a direct link to the data when `published`.
Then attempt to repeat with the item's category `unpublished`.
Legend:
* Displays ‘no contact listed’ – rather than an unauthorized access page
** Error message in effect disables access to this page, closing the security hole
Fixed – indicates a change/fix made
Item Check – Section State setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Safe            Safe         Vulnerable   Vulnerable

Check conducted:
View a direct link to the data when `published`.
Then attempt to repeat with the item's section `unpublished`.
Category Check – Category State setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – Table View   Fixed           Vulnerable   Vulnerable   Vulnerable
Content – Blog View    Safe            Safe *       Vulnerable   Vulnerable
Contacts               Fixed           Vulnerable   Vulnerable   Vulnerable
Newsfeeds              Fixed           Vulnerable   Vulnerable   Vulnerable
Weblinks               Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
View a direct link to the category when the category is `published`.
Then attempt to repeat with the category `unpublished`.
Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed – indicates a change/fix made
Category Check – Section State setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – Table View   Fixed           Vulnerable   Vulnerable   Vulnerable
Content – Blog View    Safe            Safe *       Vulnerable   Vulnerable

Check conducted:
View a direct link to the category when the section is `published`.
Then attempt to repeat with the section `unpublished`.
Legend:
Fixed – indicates a change/fix made
Section Check – Section State setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – List View    Fixed           Vulnerable   Vulnerable   Vulnerable
Content – Blog View    Safe            Safe *       Vulnerable   Vulnerable

Check conducted:
View a direct link to the category when the section is `published`.
Then attempt to repeat with the section `unpublished`.
Legend:
Fixed – indicates a change/fix made
Syndication Access setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Syndication      Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
Attempt to view a syndicated link when mod_rssfeed is not published.
Legend:
Fixed – indicates a change/fix made

SECURITY AUDIT STAGE 2
DATA ACCESS LEVEL SETTING CHECK
Item Check – Item Access setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Safe            Safe         Safe         Safe
Static Content   Safe            Safe         Safe         Safe
Contacts         Safe            Safe         Safe         Safe
Polls            No interface to control access, even though table field exists *

Check conducted:
View a direct link to the data when access set to `public`.
Then attempt to repeat with the item access set to `registered` and then `special`.
Legend:
* 1.1.0 now supports the ability to set access control
Fixed – indicates a change/fix made
Item Check – Category Access setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Fixed           Vulnerable   Vulnerable   Vulnerable
Contacts         Safe            Safe *       Error **     Error **
Newsfeeds        Fixed           Vulnerable   Vulnerable   Vulnerable
Weblinks         Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
View a direct link to the data when access set to `public`.
Then attempt to repeat with the category access set to `registered` and then `special`.
Legend:
* Displays ‘There are no Contact Details listed’ – rather than an unauthorized access page
** Error message in effect disables access to this page, closing the security hole
Fixed – indicates a change/fix made
Item Check – Section Access setting

Component        1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content          Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
View a direct link to the data when access set to `public`.
Then attempt to repeat with the section access set to `registered` and then `special`.
Category Check – Category Access setting

Component              1.0.8 & 1.1.x   1.0.7          4.5.2.3        4.5.3h
Content – Table View   Fixed           Vulnerable *   Vulnerable *   Vulnerable *
Content – Blog View    Fixed           Vulnerable     Vulnerable     Vulnerable
Contacts               Fixed           Vulnerable     Vulnerable     Vulnerable
Newsfeeds              Fixed           Vulnerable     Vulnerable     Vulnerable
Weblinks               Fixed           Vulnerable     Vulnerable     Vulnerable

Check conducted:
View a direct link to the category when the category is set to `public`.
Then attempt to repeat with the category access set to `registered` and then `special`.
Legend:
* Category information shown, however category table not visible – in this regard this is not a true vulnerability
Fixed – indicates a change/fix made
Category Check – Section Access setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – Table View   Fixed           Vulnerable   Vulnerable   Vulnerable
Content – Blog View    Safe            Safe *       Safe *       Safe *

Check conducted:
View a direct link to the category when the category is set to `public`.
Then attempt to repeat with the section access set to `registered` and then `special`.
Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed – indicates a change/fix made
Section Check – Section Access setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – Table View   Fixed           Vulnerable   Vulnerable   Vulnerable
Content – Blog View    Fixed           Safe *       Safe *       Safe *

Check conducted:
View a direct link to the category when the category is set to `public`.
Then attempt to repeat with the category access set to `registered` and then `special`.
Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed – indicates a change/fix made
Section Item Check – Category Access setting

Component              1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
Content – Blog View    Fixed           Vulnerable   Vulnerable   Vulnerable

Check conducted:
View a direct link to the Blog - Content Section when the category is set to `public`.
Then attempt to repeat with the category access set to `registered` and then `special`.
Legend:
Fixed – indicates a change/fix made

SECURITY AUDIT STAGE 3
CONTENT ITEMS MODULE STATE & ACCESS LEVEL SETTING CHECK
Item Check – Item State setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Safe            Safe         Safe         Safe
mod_mostread     Safe            Safe         Safe         Safe
mod_newsflash    Safe            Safe         Safe         Safe

Testing methodology:
View modules when `Content Items` are `published`.
Then view again with the items `unpublished`.
Item Check – Category State setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Safe            Safe         Vulnerable   Vulnerable
mod_mostread     Safe            Safe         Vulnerable   Vulnerable
mod_newsflash    Fixed           Vulnerable   Vulnerable   Vulnerable

Testing methodology:
View modules when the `Content Items` Category is `published`.
Then view again with the items' Category `unpublished`.
Legend:
Fixed – indicates a change/fix made
Item Check – Section State setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Safe            Safe         Vulnerable   Vulnerable
mod_mostread     Safe            Safe         Vulnerable   Vulnerable
mod_newsflash    Fixed           Vulnerable   Vulnerable   Vulnerable

Testing methodology:
View modules when the `Content Items` Section is `published`.
Then view again with the items' Section `unpublished`.
Legend:
Fixed – indicates a change/fix made
Item Check – Item Access setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Safe            Safe         Safe         Safe
mod_mostread     Safe            Safe         Safe         Safe
mod_newsflash    Safe            Safe         Safe         Safe

Testing methodology:
View modules when `Content Items` access is set to `public`.
Then view again with the items' access set to `registered` and then `special`.
Item Check – Category Access setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Fixed           Vulnerable   Vulnerable   Vulnerable
mod_mostread     Fixed           Vulnerable   Vulnerable   Vulnerable
mod_newsflash    Safe            Safe         Safe         Safe

Testing methodology:
View modules when the `Content Items` Category access is set to `public`.
Then view again with the items' Category access set to `registered` and then `special`.
Legend:
Fixed – indicates a change/fix made
Item Check – Section Access setting

Module           1.0.8 & 1.1.x   1.0.7        4.5.2.3      4.5.3h
mod_latestnews   Fixed           Vulnerable   Vulnerable   Vulnerable
mod_mostread     Fixed           Vulnerable   Vulnerable   Vulnerable
mod_newsflash    Fixed           Vulnerable   Vulnerable   Vulnerable

Testing methodology:
View modules when the `Content Items` Section access is set to `public`.
Then view again with the items' Section access set to `registered` and then `special`.
Legend:
Fixed – indicates a change/fix made