Joomla! Security Audit A2 Broken Access Control [26 Feb 06]

SECURITY AUDIT [26th FEBRUARY 2006]

A2 BROKEN ACCESS CONTROL

REY GIGATARAS

Joomla! Security Audit, 26 February 2006
Joomla! Security Audit - A2 Broken Access Control [26 Feb 06].doc
TABLE OF CONTENTS

Introduction                                                          2
    Executive Summary                                                 2
    Scope Of Audit                                                    2
    Bug Fixing                                                        2
    Testing Details                                                   3
    Reason Mambo Codebase Was Also Tested                             3
    History                                                           3

Stage 1 - Data State Setting Check                                    4
    Item Check – Item State Setting                                   5
    Item Check – Category State Setting                               5
    Item Check – Section State Setting                                5
    Category Check – Category State Setting                           6
    Category Check – Section State Setting                            6
    Section Check – Section State Setting                             6
    Syndication Access Setting                                        7

Stage 2 - Data Access Level Setting Check                             8
    Item Check – Item Access Setting                                  9
    Item Check – Category Access Setting                              9
    Item Check – Section Access Setting                               9
    Category Check – Category Access Setting                         10
    Category Check – Section Access Setting                          10
    Section Check – Section Access Setting                           10
    Section Item Check – Category Access Setting                     11

Stage 3 - Content Items Module State & Access Level Setting Check    12
    Item Check – Item State Setting                                  13
    Item Check – Category State Setting                              13
    Item Check – Section State Setting                               13
    Item Check – Item Access Setting                                 14
    Item Check – Category Access Setting                             14
    Item Check – Section Access Setting                              14


INTRODUCTION

Executive Summary

This Security Audit has discovered 30 security vulnerabilities within Joomla! core components that allow unwanted viewing of the data of these components. Under the Open Web Application Security Project (OWASP) classification this is categorized as an A2 Broken Access Control security vulnerability.

What this vulnerability means is that data not meant to be viewed is still viewable when it should not be, either because its state has been set to `unpublished` or because its access level is set higher than `public`. All of these vulnerabilities are therefore characterized as Data Viewing security vulnerabilities.

It is possible that these vulnerabilities also affect Mambo 4.5.1 and Mambo 4.5.0, although no specific tests were conducted on these codebases.

These security vulnerabilities do NOT mean unauthorized control or access of a site can occur. The latest version of Joomla! core remains totally secure from site hacking or attempts at unauthorized control.

Scope of Audit

This Security Audit ONLY checks the integrity of data stored in Joomla! Core Components against unwanted viewing.

This unwanted viewing comes in two forms:

- the state of a data item (or its category/section) is set to `unpublished` but the item is still accessible
- the access level of an item (or its category/section) is set to `registered` or `special` but the item is still accessible to public visitors

The Core Components are:

- Content Items & Static Content
- Contacts
- Newsfeeds
- Polls
- Web Links

The audit was conducted in three (3) stages to ensure all aspects of this issue are properly covered:

Stage 1  The first stage of the audit tests whether unpublished data can be viewed.
Stage 2  The second stage of the audit tests whether registered/special data can be viewed.
Stage 3  The third stage of the audit tests whether the content item modules (mod_newsflash, mod_latestnews, mod_mostread) properly follow state and access settings.

This audit does not cover 3rd party addons. The vulnerabilities found within the Core do not affect 3rd party addons. However, we encourage all 3rd party developers to audit their own developments in a similar fashion to discover whether similar data viewing vulnerabilities exist within their own applications.
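To make the two forms of unwanted viewing concrete, the following Python model (added for this page; it is not code from the audit or from Joomla!) applies the `published` state and the `public`/`registered`/`special` access level at the item, its category and its section, and contrasts that with a check that consults only the item's own row, which is the behaviour consistent with the matrices where the item setting is `Safe` but the category or section setting is `Vulnerable`. The `Node` type, the function names and the sample rows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Access levels as named in the audit, lowest to highest (constructed mapping).
ACCESS_RANK = {"public": 0, "registered": 1, "special": 2}


@dataclass(frozen=True)
class Node:
    """A content item, category or section, reduced to the two audited settings."""
    name: str
    published: bool
    access: str  # "public", "registered" or "special"


def node_allows(node: Optional[Node], visitor_access: str) -> bool:
    """A single row is viewable only if published and within the visitor's level."""
    if node is None:  # e.g. static content, which has no category or section
        return True
    return node.published and ACCESS_RANK[node.access] <= ACCESS_RANK[visitor_access]


def item_only_check(item: Node, category: Optional[Node], section: Optional[Node],
                    visitor_access: str = "public") -> bool:
    """Consults the item's own state and access only; category and section are ignored."""
    return node_allows(item, visitor_access)


def hierarchical_check(item: Node, category: Optional[Node], section: Optional[Node],
                       visitor_access: str = "public") -> bool:
    """Item, category and section must all permit viewing (the Stage 1 and Stage 2 rule)."""
    return all(node_allows(n, visitor_access) for n in (item, category, section))


def leaks(item: Node, category: Optional[Node], section: Optional[Node],
          visitor_access: str = "public") -> bool:
    """True when the item-only check would show data that the hierarchical rule hides."""
    return (item_only_check(item, category, section, visitor_access)
            and not hierarchical_check(item, category, section, visitor_access))


# Constructed sample rows mirroring the cases in the audit's matrices.
ITEM = Node("Welcome item", True, "public")
CAT_PUBLIC = Node("Latest", True, "public")
CAT_UNPUBLISHED = Node("Latest", False, "public")
CAT_REGISTERED = Node("Members only", True, "registered")
SEC_PUBLIC = Node("News", True, "public")
SEC_UNPUBLISHED = Node("News", False, "public")

if __name__ == "__main__":
    # Item Check – Category State setting: a public visitor and an unpublished category
    print("category unpublished leaks:", leaks(ITEM, CAT_UNPUBLISHED, SEC_PUBLIC))
    # Item Check – Category Access setting: a public visitor and a registered category
    print("category registered leaks:", leaks(ITEM, CAT_REGISTERED, SEC_PUBLIC))
    # Same registered category viewed by a registered visitor: nothing to hide
    print("registered visitor leaks:", leaks(ITEM, CAT_REGISTERED, SEC_PUBLIC, "registered"))
```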

Bug Fixing

In conjunction with the testing, fixes were devised and committed to the 1.0.x and 1.1.x code bases, so that once the audit was completed 1.0.8 Beta would be ready for release to testers. Fixes are indicated in the matrices by the word `Fixed`, highlighted in blue.


Testing Details

- Testing was conducted across five (5) codebases:
  o Joomla! 1.0.7
  o Joomla! 1.0.8 SVN
  o Joomla! 1.1.0 SVN
  o Mambo 4.5.2.3
  o Mambo 4.5.3h
- As much as possible the tests were conducted on the same sample data across all the codebases; this was not necessarily possible on Mambo 4.5.3, which ships with different sample data.
- The Joomla! testing was conducted on the following WAMP [wampserver] environment:
  o Apache 2.0.55
  o PHP 4.4.1
  o MySQL 5.0.17
- The Mambo testing was conducted on the following WAMP [easyphp] environment:
  o Apache 1.3.33
  o PHP 4.3.10
  o MySQL 4.1.9
  This was necessary as Mambo had some errors running on the other test environment.
- SEF was disabled during tests; this should not affect results.



Reason Mambo codebase was also tested

Some persons may question why we have included test results from the Mambo codebase in this audit. We assure all that there is no malicious intent.

Joomla! is a direct descendant of Mambo 4.5.2.3, thus it was prudent for us to test how far back these vulnerabilities stem, especially as many Joomla! users may still administer/manage Mambo sites.

As Mambo 4.5.3h is a close variant of Mambo 4.5.2.3 (with only 70 or so listed minor changes), it seemed prudent to test this codebase as well.

History

Shortly after the public release of Joomla! 1.0.7, a public discussion on the Joomla! forums reported that Poll data was visible or accessible despite being unpublished; it was also mentioned that other unpublished core data might also be visible.

A quick check of Joomla! 1.0.7 by the Stability Team verified the vulnerability within the core Poll Component and also within other Core Components.

To properly investigate the matter and to ensure there were no other similar vulnerabilities within the Joomla! core code base, this Security Audit was instituted.


SECURITY AUDIT

STAGE 1 - DATA STATE SETTING CHECK

Item Check – Item State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Safe                    Safe            Safe            Safe
Static Content         Safe                    Safe            Safe            Safe
Contacts               Safe                    Safe            Safe            Safe
Newsfeeds              Safe                    Safe *          Safe *          Safe *
Polls                  Fixed                   Vulnerable      Vulnerable      Vulnerable
Weblinks               Fixed                   Vulnerable      Vulnerable      Vulnerable

Testing methodology :
- View a direct link to the data when `published`
- Then attempt to repeat with the item `unpublished`

Legend :
* Displays blank page – rather than an unauthorized access page
Fixed: indicates a change/fix made


Item Check – Category State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Safe                    Safe            Vulnerable      Vulnerable
Contacts               Safe                    Safe*           Error**         Error**
Newsfeeds              Fixed                   Vulnerable      Vulnerable      Vulnerable
Weblinks               Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the data when `published`
- Then attempt to repeat with the item's category `unpublished`

Legend :
* Displays ‘no contact listed’ – rather than an unauthorized access page
** The error message in effect disables access to this page, closing the security hole
Fixed: indicates a change/fix made


Item Check – Section State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Safe                    Safe            Vulnerable      Vulnerable

Check conducted :
- View a direct link to the data when `published`
- Then attempt to repeat with the item's section `unpublished`


Category Check – Category State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Table View)   Fixed                   Vulnerable      Vulnerable      Vulnerable
Content (Blog View)    Safe                    Safe*           Vulnerable      Vulnerable
Contacts               Fixed                   Vulnerable      Vulnerable      Vulnerable
Newsfeeds              Fixed                   Vulnerable      Vulnerable      Vulnerable
Weblinks               Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the category when the category is `published`
- Then attempt to repeat with the category `unpublished`

Legend :
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made


Category Check – Section State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Table View)   Fixed                   Vulnerable      Vulnerable      Vulnerable
Content (Blog View)    Safe                    Safe*           Vulnerable      Vulnerable

Check conducted :
- View a direct link to the category when the section is `published`
- Then attempt to repeat with the section `unpublished`

Legend :
Fixed: indicates a change/fix made


Section Check – Section State setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (List View)    Fixed                   Vulnerable      Vulnerable      Vulnerable
Content (Blog View)    Safe                    Safe*           Vulnerable      Vulnerable

Check conducted :
- View a direct link to the category when the section is `published`
- Then attempt to repeat with the section `unpublished`

Legend :
Fixed: indicates a change/fix made



Syndication Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Syndication            Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- Attempt to view a syndicated link when mod_rssfeed is not published

Legend :
Fixed: indicates a change/fix made


SECURITY AUDIT

STAGE 2 - DATA ACCESS LEVEL SETTING CHECK

Item Check – Item Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Safe                    Safe            Safe            Safe
Static Content         Safe                    Safe            Safe            Safe
Contacts               Safe                    Safe            Safe            Safe
Polls                  No interface to control access, even though table field exists*

Check conducted :
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the item access set to `registered` and then `special`

Legend :
* 1.1.0 now supports the ability to set access control
Fixed: indicates a change/fix made


Item Check – Category Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Fixed                   Vulnerable      Vulnerable      Vulnerable
Contacts               Safe                    Safe*           Error**         Error**
Newsfeeds              Fixed                   Vulnerable      Vulnerable      Vulnerable
Weblinks               Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend :
* Displays ‘There are no Contact Details listed’ – rather than an unauthorized access page
** The error message in effect disables access to this page, closing the security hole
Fixed: indicates a change/fix made


Item Check – Section Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content                Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the section access set to `registered` and then `special`


Category Check – Category Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Table View)   Fixed                   Vulnerable*     Vulnerable*     Vulnerable*
Content (Blog View)    Fixed                   Vulnerable      Vulnerable      Vulnerable
Contacts               Fixed                   Vulnerable      Vulnerable      Vulnerable
Newsfeeds              Fixed                   Vulnerable      Vulnerable      Vulnerable
Weblinks               Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend :
* Category information shown, however category table not visible – in this regard this is not a true vulnerability
Fixed: indicates a change/fix made


Category Check – Section Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Table View)   Fixed                   Vulnerable      Vulnerable      Vulnerable
Content (Blog View)    Safe                    Safe*           Safe*           Safe*

Check conducted :
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the section access set to `registered` and then `special`

Legend :
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made


Section Check – Section Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Table View)   Fixed                   Vulnerable      Vulnerable      Vulnerable
Content (Blog View)    Fixed                   Safe*           Safe*           Safe*

Check conducted :
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend :
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made


Section Item Check – Category Access setting

Component              Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
Content (Blog View)    Fixed                   Vulnerable      Vulnerable      Vulnerable

Check conducted :
- View a direct link to the Blog - Content Section when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend :
Fixed: indicates a change/fix made





SECURITY AUDIT

STAGE 3 - CONTENT ITEMS MODULE STATE & ACCESS LEVEL SETTING CHECK
Item Check – Item State setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Safe                    Safe            Safe            Safe
mod_mostread           Safe                    Safe            Safe            Safe
mod_newsflash          Safe                    Safe            Safe            Safe

Testing methodology :
- View modules when `Content Items` are `published`
- Then view again with the items `unpublished`

Item Check – Category State setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Safe                    Safe            Vulnerable      Vulnerable
mod_mostread           Safe                    Safe            Vulnerable      Vulnerable
mod_newsflash          Fixed                   Vulnerable      Vulnerable      Vulnerable

Testing methodology :
- View modules when the `Content Items` Category is `published`
- Then view again with the items' Category `unpublished`

Legend :
Fixed: indicates a change/fix made

Item Check – Section State setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Safe                    Safe            Vulnerable      Vulnerable
mod_mostread           Safe                    Safe            Vulnerable      Vulnerable
mod_newsflash          Fixed                   Vulnerable      Vulnerable      Vulnerable

Testing methodology :
- View modules when the `Content Items` Section is `published`
- Then view again with the items' Section `unpublished`

Legend :
Fixed: indicates a change/fix made


Item Check – Item Access setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Safe                    Safe            Safe            Safe
mod_mostread           Safe                    Safe            Safe            Safe
mod_newsflash          Safe                    Safe            Safe            Safe

Testing methodology :
- View modules when `Content Items` access is set to `public`
- Then view again with the items' access set to `registered` and then `special`

Item Check – Category Access setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Fixed                   Vulnerable      Vulnerable      Vulnerable
mod_mostread           Fixed                   Vulnerable      Vulnerable      Vulnerable
mod_newsflash          Safe                    Safe            Safe            Safe

Testing methodology :
- View modules when the `Content Items` Category access is set to `public`
- Then view again with the items' Category access set to `registered` and then `special`

Legend :
Fixed: indicates a change/fix made

Item Check – Section Access setting

Module                 Joomla! 1.0.8 & 1.1.x   Joomla! 1.0.7   Mambo 4.5.2.3   Mambo 4.5.3h
mod_latestnews         Fixed                   Vulnerable      Vulnerable      Vulnerable
mod_mostread           Fixed                   Vulnerable      Vulnerable      Vulnerable
mod_newsflash          Fixed                   Vulnerable      Vulnerable      Vulnerable

Testing methodology :
- View modules when the `Content Items` Section access is set to `public`
- Then view again with the items' Section access set to `registered` and then `special`

Legend :
Fixed: indicates a change/fix made


