SECURITY AUDIT
[ 26th FEBRUARY 2006 ]

A2 BROKEN ACCESS CONTROL

REY GIGATARAS

Joomla! 

SECURITY AUDIT  

26 February 2006 

Joomla! Security Audit - A2 Broken Access Control [26 Feb 06].doc 

1

 

TABLE OF CONTENTS

Introduction .... 2
    Executive Summary .... 2
    Scope Of Audit .... 2
    Bug Fixing .... 2
    Testing Details .... 3
    Reason Mambo Codebase Was Also Tested .... 3
    History .... 3

Stage 1 - Data State Setting Check .... 4
    Item Check – Item State Setting .... 5
    Item Check – Category State Setting .... 5
    Item Check – Section State Setting .... 5
    Category Check – Category State Setting .... 6
    Category Check – Section State Setting .... 6
    Section Check – Section State Setting .... 6
    Syndication Access Setting .... 7

Stage 2 - Data Access Level Setting Check .... 8
    Item Check – Item Access Setting .... 9
    Item Check – Category Access Setting .... 9
    Item Check – Section Access Setting .... 9
    Category Check – Category Access Setting .... 10
    Category Check – Section Access Setting .... 10
    Section Check – Section Access Setting .... 10
    Section Item Check – Category Access Setting .... 11

Stage 3 - Content Items Module State & Access Level Setting Check .... 12
    Item Check – Item State Setting .... 13
    Item Check – Category State Setting .... 13
    Item Check – Section State Setting .... 13
    Item Check – Item Access Setting .... 14
    Item Check – Category Access Setting .... 14
    Item Check – Section Access Setting .... 14

background image

Joomla! 

SECURITY AUDIT  

26 February 2006 

Joomla! Security Audit - A2 Broken Access Control [26 Feb 06].doc 

2

 

INTRODUCTION

Executive Summary

This Security Audit has discovered 30 security vulnerabilities within Joomla! core components that allow unwanted viewing of the data of these components. Under the Open Web Application Security Project (OWASP) classification, this is categorized as an A2 Broken Access Control security vulnerability.

What this vulnerability means is that data not meant to be viewed is still viewable, either because its state has been set to `unpublished` or because its access level is set higher than `public`. Thus all of these vulnerabilities are characterized as Data Viewing Security Vulnerabilities.

It is possible that these vulnerabilities also affect Mambo 4.5.1 and Mambo 4.5.0, although no specific tests were conducted on these codebases.

These security vulnerabilities do NOT mean that unauthorized control or access of a site can occur. The latest version of the Joomla! core remains totally secure from site hacking or attempts at unauthorized control.

 
 

 

 
 

Scope of Audit

This Security Audit ONLY checks whether data stored in Joomla! Core Components is protected from unwanted viewing.

This unwanted viewing comes in two forms:

- the state of a data item (or its category/section) is set to `unpublished` but the item is still accessible
- the access level of an item (or its category/section) is set to `registered` or `special` but the item is still accessible to public visitors

The Core Components are:

- Content Items & Static Content
- Contacts
- Newsfeeds
- Polls
- Web Links

The audit was conducted in three (3) phases to ensure all aspects of this issue are properly covered:

Stage 1  The first stage of the audit tests whether unpublished data can be viewed.

Stage 2  The second stage of the audit tests whether registered/special data can be viewed.

Stage 3  The third stage of the audit tests whether the content item modules (mod_newsflash, mod_latestnews, mod_mostread) properly follow state and access settings.

This audit does not cover 3rd Party addons. The vulnerabilities found within the Core do not affect 3rd Party addons. However, we encourage all 3rd Party developers to audit their own developments in a similar fashion to discover whether similar data viewing vulnerabilities exist within their own applications.
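The two forms of unwanted viewing and the three stages above reduce to a single rule: before an item (or a row in a listing module) is shown, the state and the access level of the item, of its category and of its section must all be checked against the viewer. The following Python model is added here as an illustration; it is not code from Joomla!, Mambo or this audit. It encodes that complete rule next to an item-only check of the kind that would produce the `Vulnerable` cells in the matrices, and runs both over a constructed sample for each viewer level. The level numbering (0 = public, 1 = registered, 2 = special), the names and the sample data are assumptions made for the example.

```python
"""
Model of the visibility decision a Joomla!-style CMS must make before
showing a content item to a visitor.  Added illustration for this audit
write-up; not Joomla! or Mambo code.  Names, the level numbering and the
sample data are assumptions made for the example.
"""
from dataclasses import dataclass

# Assumed access levels, lowest first; a viewer at level N may see
# anything whose access level is <= N.
PUBLIC, REGISTERED, SPECIAL = 0, 1, 2
LEVEL_NAMES = {PUBLIC: "public", REGISTERED: "registered", SPECIAL: "special"}


@dataclass(frozen=True)
class Node:
    """A section, category or item: published flag plus minimum access level."""
    published: bool
    access: int  # PUBLIC, REGISTERED or SPECIAL


@dataclass(frozen=True)
class Item:
    own: Node       # the item's own state and access level
    category: Node  # the category the item belongs to
    section: Node   # the section the category belongs to


def can_view(item: Item, viewer_level: int) -> bool:
    """Stage 1 and Stage 2 of the audit as one rule: every link of the
    containment chain (section -> category -> item) must be published AND
    carry an access level no higher than the viewer's."""
    for node in (item.section, item.category, item.own):
        if not node.published:
            return False
        if node.access > viewer_level:
            return False
    return True


def item_only_check(item: Item, viewer_level: int) -> bool:
    """An incomplete check: the item's own state and access level are
    honoured, the category's and section's are ignored.  This is the kind
    of gap the audit's category and section tables expose."""
    return item.own.published and item.own.access <= viewer_level


def visible_items(items, viewer_level):
    """What a listing module (Stage 3: mod_latestnews, mod_mostread,
    mod_newsflash) should hand to its template: the same filter, per row."""
    return [name for name, it in items.items() if can_view(it, viewer_level)]


def audit_matrix(items, check):
    """Run one check over the sample for each viewer level and report,
    per item, which levels it would be shown to."""
    return {
        name: [LEVEL_NAMES[lvl] for lvl in (PUBLIC, REGISTERED, SPECIAL) if check(it, lvl)]
        for name, it in items.items()
    }


# Constructed sample data mirroring the audit's test cases (item, category,
# section), one deviation from "published / public" per case.
SAMPLE = {
    "published-public":     Item(Node(True, PUBLIC), Node(True, PUBLIC), Node(True, PUBLIC)),
    "item-unpublished":     Item(Node(False, PUBLIC), Node(True, PUBLIC), Node(True, PUBLIC)),
    "category-unpublished": Item(Node(True, PUBLIC), Node(False, PUBLIC), Node(True, PUBLIC)),
    "section-unpublished":  Item(Node(True, PUBLIC), Node(True, PUBLIC), Node(False, PUBLIC)),
    "item-registered":      Item(Node(True, REGISTERED), Node(True, PUBLIC), Node(True, PUBLIC)),
    "category-special":     Item(Node(True, PUBLIC), Node(True, SPECIAL), Node(True, PUBLIC)),
    "section-registered":   Item(Node(True, PUBLIC), Node(True, PUBLIC), Node(True, REGISTERED)),
}


if __name__ == "__main__":
    for label, check in (("complete check", can_view), ("item-only check", item_only_check)):
        print(label)
        for name, levels in audit_matrix(SAMPLE, check).items():
            print(f"  {name:22s} visible to: {levels or ['nobody']}")
```

Running the module prints, for each sample item, which viewer levels each check would expose it to. With the item-only check the `category-unpublished`, `section-unpublished`, `category-special` and `section-registered` cases are shown to everyone, which is the failure pattern the category and section tables in Stages 1 and 2 record; with the complete check only the `published-public` case is visible to a public visitor.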
 

 

 

 

 

Bug Fixing

In conjunction with the testing, fixes were being devised and committed to the 1.0.x and 1.1.x code bases, so that once the audit was completed 1.0.8 Beta would be ready for release to testers. This is indicated in the matrices by the word `Fixed`, highlighted in blue.
   

 

Testing Details

- Testing was conducted across five (5) codebases:
  o Joomla! 1.0.7
  o Joomla! 1.0.8 SVN
  o Joomla! 1.1.0 SVN
  o Mambo 4.5.2.3
  o Mambo 4.5.3h

- As much as possible the tests were conducted on the same sample data across all the codebases; obviously this was not entirely possible on Mambo 4.5.3, which comes with different sample data.

- The Joomla! testing was conducted on the following WAMP [wampserver] environment:
  o Apache 2.0.55
  o PHP 4.4.1
  o MySQL 5.0.17

- The Mambo testing was conducted on the following WAMP [easyphp] environment:
  o Apache 1.3.33
  o PHP 4.3.10
  o MySQL 4.1.9
  This was necessary as Mambo had some errors running on the other test environment.

- SEF was disabled during tests; however, this should not affect results.

 
 

 

 
 

Reason Mambo codebase was also tested

Some persons may question why we have included test results from the Mambo codebase in this audit. We assure all that there is no malicious intent.

Joomla! is a direct descendant of Mambo 4.5.2.3, thus it was prudent for us to test how far back these vulnerabilities stem, especially as many Joomla! users may still administer/manage Mambo sites.

In regards to Mambo 4.5.3h, as this codebase is a close variant of Mambo 4.5.2.3 (with only 70 or so listed minor changes), it seemed prudent to also test this codebase.
 

 

 

 

 

History

Shortly after the public release of Joomla! 1.0.7, a public discussion on the Joomla! forums reported that Poll data was visible or accessible despite being Unpublished; it was also mentioned that other unpublished core data may also be visible.

A quick check of Joomla! 1.0.7 by the Stability Team verified the vulnerability within the core Poll Component and also within other Core Components.

To properly investigate the matter and to ensure there weren't other similar vulnerabilities within the Joomla! core code base, this Security Audit was instituted.

 
 

STAGE 1 - DATA STATE SETTING CHECK


Item Check – Item State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Safe            Safe            Safe            Safe
Static Content          Safe            Safe            Safe            Safe
Contacts                Safe            Safe            Safe            Safe
Newsfeeds               Safe            Safe *          Safe *          Safe *
Polls                   Fixed           Vulnerable      Vulnerable      Vulnerable
Weblinks                Fixed           Vulnerable      Vulnerable      Vulnerable

Testing methodology:
- View a direct link to the data when `published`
- Then attempt to repeat with the item `unpublished`

Legend:
* Displays blank page – rather than an unauthorized access page
Fixed: indicates a change/fix made

 

 

 
 

Item Check – Category State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Safe            Safe            Vulnerable      Vulnerable
Contacts                Safe            Safe *          Error **        Error **
Newsfeeds               Fixed           Vulnerable      Vulnerable      Vulnerable
Weblinks                Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the data when `published`
- Then attempt to repeat with the item's category `unpublished`

Legend:
* Displays ‘no contact listed’ – rather than an unauthorized access page
** The error message in effect disables access to this page, closing the security hole
Fixed: indicates a change/fix made

 

 

 

 
Item Check – Section State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Safe            Safe            Vulnerable      Vulnerable

Check conducted:
- View a direct link to the data when `published`
- Then attempt to repeat with the item's section `unpublished`

 

Category Check – Category State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Table View    Fixed           Vulnerable      Vulnerable      Vulnerable
Content – Blog View     Safe            Safe *          Vulnerable      Vulnerable
Contacts                Fixed           Vulnerable      Vulnerable      Vulnerable
Newsfeeds               Fixed           Vulnerable      Vulnerable      Vulnerable
Weblinks                Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the category when the category is `published`
- Then attempt to repeat with the category `unpublished`

Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made

 

 

 

 
Category Check – Section State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Table View    Fixed           Vulnerable      Vulnerable      Vulnerable
Content – Blog View     Safe            Safe *          Vulnerable      Vulnerable

Check conducted:
- View a direct link to the category when the section is `published`
- Then attempt to repeat with the section `unpublished`

Legend:
Fixed: indicates a change/fix made

 

 

 

 
Section Check – Section State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – List View     Fixed           Vulnerable      Vulnerable      Vulnerable
Content – Blog View     Safe            Safe *          Vulnerable      Vulnerable

Check conducted:
- View a direct link to the category when the section is `published`
- Then attempt to repeat with the section `unpublished`

Legend:
Fixed: indicates a change/fix made

 
 

Syndication Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Syndication             Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- Attempt to view a syndicated link when mod_rssfeed is not published

Legend:
Fixed: indicates a change/fix made

 

 
 

STAGE 2 - DATA ACCESS LEVEL SETTING CHECK

Item Check – Item Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Safe            Safe            Safe            Safe
Static Content          Safe            Safe            Safe            Safe
Contacts                Safe            Safe            Safe            Safe
Polls                   No interface to control access, even though table field exists *

Check conducted:
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the item access set to `registered` and then `special`

Legend:
* 1.1.0 now supports the ability to set access control
Fixed: indicates a change/fix made

 

 

 

 
Item Check – Category Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Fixed           Vulnerable      Vulnerable      Vulnerable
Contacts                Safe            Safe *          Error **        Error **
Newsfeeds               Fixed           Vulnerable      Vulnerable      Vulnerable
Weblinks                Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend:
* Displays ‘There are no Contact Details listed’ – rather than an unauthorized access page
** The error message in effect disables access to this page, closing the security hole
Fixed: indicates a change/fix made

 

 

 

 
Item Check – Section Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content                 Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the data when access set to `public`
- Then attempt to repeat with the section access set to `registered` and then `special`

 

Category Check – Category Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Table View    Fixed           Vulnerable *    Vulnerable *    Vulnerable *
Content – Blog View     Fixed           Vulnerable      Vulnerable      Vulnerable
Contacts                Fixed           Vulnerable      Vulnerable      Vulnerable
Newsfeeds               Fixed           Vulnerable      Vulnerable      Vulnerable
Weblinks                Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend:
* Category information is shown, however the category table is not visible – in this regard this is not a true vulnerability
Fixed: indicates a change/fix made

 

 

 

 
Category Check – Section Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Table View    Fixed           Vulnerable      Vulnerable      Vulnerable
Content – Blog View     Safe            Safe *          Safe *          Safe *

Check conducted:
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the section access set to `registered` and then `special`

Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made

 

 

 

 
Section Check – Section Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Table View    Fixed           Vulnerable      Vulnerable      Vulnerable
Content – Blog View     Fixed           Safe *          Safe *          Safe *

Check conducted:
- View a direct link to the category when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend:
* Displays ‘There are no items to display’ – rather than an unauthorized access page
Fixed: indicates a change/fix made

 

Section Item Check – Category Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
Content – Blog View     Fixed           Vulnerable      Vulnerable      Vulnerable

Check conducted:
- View a direct link to the Blog - Content Section when the category is set to `public`
- Then attempt to repeat with the category access set to `registered` and then `special`

Legend:
Fixed: indicates a change/fix made

 
 

 
 

 
 

 
 

 

STAGE 3 - CONTENT ITEMS MODULE STATE & ACCESS LEVEL SETTING CHECK

Item Check – Item State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Safe            Safe            Safe            Safe
mod_mostread            Safe            Safe            Safe            Safe
mod_newsflash           Safe            Safe            Safe            Safe

Testing methodology:
- View modules when the `Content Items` are `published`
- Then view again with the items `unpublished`

 

 

 

 

Item Check – Category State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Safe            Safe            Vulnerable      Vulnerable
mod_mostread            Safe            Safe            Vulnerable      Vulnerable
mod_newsflash           Fixed           Vulnerable      Vulnerable      Vulnerable

Testing methodology:
- View modules when the `Content Items` Category is `published`
- Then view again with the items' Category `unpublished`

Legend:
Fixed: indicates a change/fix made

 

 

 

 

Item Check – Section State setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Safe            Safe            Vulnerable      Vulnerable
mod_mostread            Safe            Safe            Vulnerable      Vulnerable
mod_newsflash           Fixed           Vulnerable      Vulnerable      Vulnerable

Testing methodology:
- View modules when the `Content Items` Section is `published`
- Then view again with the items' Section `unpublished`

Legend:
Fixed: indicates a change/fix made

 

 


Item Check – Item Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Safe            Safe            Safe            Safe
mod_mostread            Safe            Safe            Safe            Safe
mod_newsflash           Safe            Safe            Safe            Safe

Testing methodology:
- View modules when the `Content Items` access is set to `public`
- Then view again with the items' access set to `registered` and then `special`

 

 

 

 

Item Check – Category Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Fixed           Vulnerable      Vulnerable      Vulnerable
mod_mostread            Fixed           Vulnerable      Vulnerable      Vulnerable
mod_newsflash           Safe            Safe            Safe            Safe

Testing methodology:
- View modules when the `Content Items` Category access is set to `public`
- Then view again with the items' Category access set to `registered` and then `special`

Legend:
Fixed: indicates a change/fix made

 

 

 

 

Item Check – Section Access setting

                        1.0.8 & 1.1.x   1.0.7           4.5.2.3         4.5.3h
mod_latestnews          Fixed           Vulnerable      Vulnerable      Vulnerable
mod_mostread            Fixed           Vulnerable      Vulnerable      Vulnerable
mod_newsflash           Fixed           Vulnerable      Vulnerable      Vulnerable

Testing methodology:
- View modules when the `Content Items` Section access is set to `public`
- Then view again with the items' Section access set to `registered` and then `special`

Legend:
Fixed: indicates a change/fix made