Support

Admin Tools

#11760 AdminTools does not stop xss

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 30 March 2012 11:51 CDT

Thursday, 29 March 2012 08:47 CDT

user25168
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 2.5.3
PHP version: 5.3.10
MySQL version: 5.2.X
Host: psmza.anjungilmu.net
Admin Tools version: 2.2.2

Description of my issue:
AdminTools does not stop this..

?forwardie6=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))

This site uses Warp FrameWork from Yootheme.

Using this code to, ?forwardie6='"--> will show Apache Frontpage.

How to fix this

Thursday, 29 March 2012 08:48 CDT

nicholas
This is an SQL injection attack, not an XSS attack. Have you enabled the SQLiShield feature in Configure WAF?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 March 2012 09:03 CDT

user25168
Nick, i was referring to the other one, 
?forwardie6='"--></style></script><script>netsparker(0x000007)</script>

Sorry seems that I forgot to use the code features.

the SQLiShield was enable, but still it was not stop.
How to stop this?

Thursday, 29 March 2012 09:10 CDT

nicholas
Regarding the XSS code, when I try it on my test servers I get a 403 page because I am using the .htaccess Maker which prevents that code from working.

Regarding the SQL injection, well, you can't have a 100% protection. We both know that this is an SQL injection because we are humans and we do fuzzy pattern matching. If you try to do that at the server level you will either have something dead slow or something which will throw a lot of false positives. It's just one of the edge cases which can't be caught.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 March 2012 09:22 CDT

user25168
I was suspecting this is due to yootheme Warp Framework.

About the XSS, what I do now is I just redirect the Apache Welcome Page to index.php, which is not found. So I think that is just a temporary solution.

But I have no Idea to prevent the SQLi.

Is there any suggestions to prevent this two?

Thursday, 29 March 2012 09:23 CDT

nicholas
Regarding the XSS, you can use the .htaccess Maker to generate a .htaccess. That's all there is to it.

Regarding the SQLi, apart from writing your own redirection rule to catch this particular case, I can't think of any other way to do it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 30 March 2012 08:59 CDT

user25168
Tq Nick, already solve the SQLi case by using this code..
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]

Thanks

Friday, 30 March 2012 09:04 CDT

nicholas
Just a heads up. This is similar to the SQLi detection code I was using before writing Admin Tools 1.x (right now I'm using the third generation of my SQLi detection regex in Admin Tools). The major problem is that it throws too many false positives. For example, writing "I have to update this" matches this regex, because space is not a character from a-z. If you don't expect your users to input free text (e.g. use a forum) on your site, that RegEx will work. With free text, however, you're in for trouble.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 30 March 2012 09:09 CDT

user25168
For the time being, this site does not use any forum whatsoever. Until the webdesigner found another alternative for Yootheme warp framework, which use forwardie6, then I think it is ok for the moment.

But I will always looking for another alternative to stop the SQLi from my website.
Tq

Friday, 30 March 2012 11:51 CDT

nicholas
One other thing you could do is to turn off the IE6 warning message and create a RewriteRule to throw a 403 when the forwardie6 query parameter is present in the URL. IE6 is a tiny percentage of the web; I don't think many people will notice if you don't offer them a warning about the need to upgrade their browsers :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!