High level security vulnerability in Joomla 1.5.7
20 October 2008

During the Joomla Security Bootcamp, in my presentation on cross-site scripting, we discovered a serious vulnerability in Joomla 1.5.2 up to 1.5.7. This issue allows an attacker to inject malicious JavaScript into a Joomla site. Joomlatools reported this issue to the Joomla Security Strike Team on October 4. Later the issue was also reported on the bug tracker, but it was removed without explanation. So far no official patch has been released, so we have decided to make our own. Normally the Joomla project acts very fast when issues are discovered. It is our hope that a new patched version containing this fix will be released as soon as possible.
How to fix your Joomla installations
All Joomla 1.5.x installations are vulnerable.
- Update to Joomla 1.5.7 first
- Overwrite with the files from joomla_1.5.7_xssfix_changed_files.zip
Update: My patch was a bit too extreme: it filtered out perfectly legal HTML as well. The link above now points to the updated version.
Optional Security?
In Joomla 1.5.2, a new set of options was added to the article parameters (see screenshot). These options allow you to set less strict filtering rules for different user groups, allowing, for example, managers to insert iframes in articles. However, in a default Joomla installation no user groups are selected, meaning that submitted articles are not filtered at all, leaving them open to cross-site scripting attacks. Proper testing could have avoided this issue. Especially when touching security code, one has to be extra careful. My patch completely removes this feature, for a number of reasons:
- New features should never go in 1.5.x releases, they should go in 1.6. It’s called a development cycle, and although everybody agrees on its importance, some people still choose to ignore it and slip in new features in 1.5.x. If you want to solve particular problems for your or your customer’s sites, put it in a plugin, not in the core.
- Security should never be optional. Having settings to lessen security measures is like a big red button labeled “Don’t touch”: it’s asking for trouble.
- The new settings are way too complex. Developers can be expected to understand what filter groups, blacklists etc. are all about, but most users can't. Keep devspeak out of the user interface. Joomla is easy to use, and we should never lose this focus. We need fewer buttons, not more.
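The fail-open default described above, as an added example that is not Joomla's code: a plain-PHP sketch in which a per-group filter lookup that finds no configured group either hands the article through unfiltered (the behaviour the post describes) or falls back to the blacklist filter (the default-deny the post argues for). The function names, the shape of the configuration array, the sample submission and the small blacklist regexes are all constructed for this illustration; they are not Joomla's filter or its API.

```php
<?php
// Added example, not Joomla code. Names, config shape and sample input are hypothetical.

/**
 * Minimal blacklist filter for the illustration: drops elements that can run
 * code, on* event-handler attributes and javascript: URLs. A real filter
 * would be far more thorough; this is only enough to show the default matter.
 */
function blacklistFilter(string $html): string
{
    // Elements whose whole content is dangerous, including what they wrap.
    $html = preg_replace('#<(script|iframe|object|embed|style)\b[^>]*>.*?</\1\s*>#is', '', $html);
    // Any remaining (unclosed or stray) dangerous tags.
    $html = preg_replace('#</?(script|iframe|object|embed|style)\b[^>]*>#i', '', $html);
    // on* event handler attributes: quoted with " or ', or bare.
    $html = preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    // javascript: scheme inside href/src is replaced by a harmless fragment.
    $html = preg_replace('#(\s(?:href|src)\s*=\s*["\']?)\s*javascript:[^"\'>\s]*#i', '$1#', $html);
    return $html;
}

/** Map a configured filter type onto an action. Unknown values fail closed. */
function applyFilterType(string $html, string $type): string
{
    switch ($type) {
        case 'none':      return $html;                                   // explicit opt-out only
        case 'blacklist': return blacklistFilter($html);
        case 'text':      return htmlspecialchars(strip_tags($html), ENT_QUOTES, 'UTF-8');
        default:          return blacklistFilter($html);                  // misconfiguration: deny
    }
}

/**
 * Weak version: mirrors the post. $filterConfig maps group name => filter type.
 * If none of the user's groups is configured, the article is returned untouched.
 */
function filterArticleFailOpen(string $html, array $userGroups, array $filterConfig): string
{
    foreach ($userGroups as $group) {
        if (isset($filterConfig[$group])) {
            return applyFilterType($html, $filterConfig[$group]);
        }
    }
    return $html; // no matching group: no filtering at all
}

/**
 * Hardened version: an unconfigured group is not permission. The strictest
 * filter applies unless an administrator has explicitly relaxed it.
 */
function filterArticleFailClosed(string $html, array $userGroups, array $filterConfig): string
{
    foreach ($userGroups as $group) {
        if (isset($filterConfig[$group])) {
            return applyFilterType($html, $filterConfig[$group]);
        }
    }
    return blacklistFilter($html); // default deny
}

// Constructed sample submission from a low-privilege user.
$submitted = '<p>Hello</p><script>alert(1)</script><img src="x" onerror="alert(1)">';

// Constructed config resembling a fresh install: only one group ever configured.
$config = ['Super Administrator' => 'none'];

echo filterArticleFailOpen($submitted, ['Registered'], $config), "\n";
// unchanged: the script and the onerror handler reach the page

echo filterArticleFailClosed($submitted, ['Registered'], $config), "\n";
// <p>Hello</p><img src="x">
```

Run with `php example.php`. The difference between the two functions is a single line at the end of the group loop, which is exactly why this class of bug is easy to miss in review: both versions look complete, and only a test that submits content as an unconfigured group tells them apart.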
Update: If you do not wish to apply the patch, you can get the same level of protection by changing some settings.
- In the backend, go to Content -> Article Manager
- Click the Parameters button
- In the popup window, scroll down to the bottom
- Select all the user groups, and select the option ‘Blacklist’ (screenshot)
- Scroll back up and click save
