Summary


There is a security issue in all versions of Joomla related to unauthorized file uploads.
Although 1.5 is end of life, you can fix this by replacing the impacted files with those in the attached zip.
Note: Please use the UploadFix15v3.zip file (the older files cannot be removed from Joomlacode).
Note also that this is NOT an installable zip file; you have to extract the zip file and manually upload the enclosed files into place.
Opened On:
31 Jul 2013, 19:43 by Elin Waring
Status:
Open

Filed Under

  • Administrator

Responses

Posted on 1 Aug 2013, 9:33 by Phil Taylor
Just wanted to say thank you for this - Thank You!
Posted on 1 Aug 2013, 9:36 by Phil Taylor
Note that /libraries/joomla/filesystem/file.php in this zip file is not changed from the Joomla 1.5.26 original?
Posted on 1 Aug 2013, 9:50 by Phil Taylor
The patch is MISSING this part in file.php

// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');

This needs adding in the makeSafe() function.
Posted on 1 Aug 2013, 9:52 by Phil Taylor
I propose this patch with the change to file.php that is missing.
Posted on 1 Aug 2013, 10:00 by Phil Taylor
To be clear, my attachment is named "PatchWithFileChanges.zip" and is the same as "replacementfiles15.zip" but with the additional change in file.php that I believe needs to be there. :-)
Posted on 1 Aug 2013, 10:02 by Hermann H.
Thanks Phil!
Posted on 1 Aug 2013, 10:11 by Don Gilbert
Thanks Phil - good catch.
Posted on 1 Aug 2013, 13:08 by Elin Waring
Thanks for the catch.

Posted on 1 Aug 2013, 15:37 by Nicolas Ogier
Thanks for the catch, Phil!
Posted on 1 Aug 2013, 16:01 by Beat
Thanks Phil,
But your patch file has a __MACOS folder. You probably do not want that ;-)
Posted on 1 Aug 2013, 16:02 by Beat
and .DS_Store too
Posted on 1 Aug 2013, 16:31 by Elin Waring
This is just a comedy right?

OK, new, hopefully correct zip uploaded.
The good news is it is a belt+suspenders patch so either change will solve the issue but both together are better.

Please note removing files will crash Joomlacode. Please do not delete the incorrect files.
Posted on 1 Aug 2013, 16:35 by Jonny Roger
Guys, thank you very much for the tip-off for Joomla 1.5.

There seems, though, to be at least one more problem with the "media.php" file: the "defined('_JEXEC') or die('Restricted access')" execution protection is missing.

Another issue: There seems to be a parallel branch of that file in http://joomlacode.org/gf/project/joomla/scmsvn/?action=browse&path=%2Fdevelopment%2Freleases%2F1.5%2Fcomponents%2Fcom_media%2Fhelpers%2Fmedia.php&r1=15177&view=log

That branch does have the above execution protection, but it also has plenty of other differences to the file provided with the Joomla 1.5 release. It seems to be an equally old parallel branch of the released file.

It would be great, if someone with Joomla insight could have a look at the differences and merge the two branches into something even more secure.

Side remark: for some reason unknown to me, I have the above parallel branch in my Joomla installation. The only difference between my file and the above SVN version is the presence of the following check-out date in the file header: "@version $Id: media.php 15177 2010-03-04 21:54:31Z ian $".
My file has the server timestamp of my Joomla installation, but I have no idea how it got there. I kept my original installation archive (the German version 1.5.22, Nov. 2010) and all my updates, but none of them has the above parallel branch. (So: a plugin, my host or a hack, I don't know.)
So, after noticing that I had a different file on my installation, I went on a search for it and found the above parallel branch on Joomlacode SVN.
Posted on 1 Aug 2013, 16:56 by Phil Taylor
Sorry for the .DS_Store, this is because my Mac Finder created the zip file, and Macs hate zips :-)

To be clear the file at the moment to use below is UploadFix15v3.zip
Posted on 1 Aug 2013, 17:05 by Phil Taylor
@Jonny - Joomla 1.5.26 is end of life. No major changes should be made. I'm certainly not going to make changes like the ones you propose. The only difference from the Joomla 1.5.26 Stable Zip is for this security fix; the changes can be viewed as a clear diff here:

https://github.com/PhilETaylor/Joomla1.5.999/commit/0f795894aa10e78a430a83591ed4a1b3f1df677c#administrator/components/com_media/helpers/media.php

I have no idea why the file in the Joomlacode SVN repo you quote is different to the one in the Joomla_1.5.26-Stable-Full_Package.zip file.

To be clear for those reading the comments, at this moment in time, please apply the two file patch from the zip file below called UploadFix15v3.zip
Posted on 1 Aug 2013, 17:08 by Phil Taylor
@Jonny A missing _JEXEC check in media.php is a belt-and-braces Joomla standard, but in this specific file it adds no additional security, as all that is contained is a class and no other code that can be executed.

To be clear for those reading the comments, at this moment in time, please apply the two file patch from the zip file below called UploadFix15v3.zip
Posted on 1 Aug 2013, 17:18 by Phil Taylor
To clarify further (based on the emails I'm getting) these are NOT installable zip files, do not try to install through Joomla's extension installer! You need to download the zip file, extract the two files and manually FTP these into position following the directory structure in the Zip file, and overwrite the two existing files on your Joomla 1.5.26 site.
Posted on 1 Aug 2013, 17:41 by Jonny Roger
@Phil: Thanks for your feedback. The "media.php" in Joomla_1.5.26-Stable-Full_Package.zip seems to be more modern (at least based on the additional checks it does and usage of language-specific errors) than the SVN repo file quoted by me. I'm going to take your file over and will have to search for other deviations on my installation from the Joomla_1.5.26 release.
Posted on 1 Aug 2013, 17:43 by Ben Sandberg
Hey folks.
I think the new checks need to be more strict; === rather than ==.

If $format = null, it would evaluate to false in the first test, as well as the second -- not very useful.

Also, someone has raised the suggestion that what if the file extension were '.0' -- that would evaluate to false in the second check as well.

What if we used;

if (empty($format) || $format === false || (!in_array($format, $allowable) && !in_array($format,$ignored)))
Posted on 1 Aug 2013, 17:46 by Phil Taylor
@Ben - remember Joomla 1.5.26 is a DEAD PROJECT; the changes here are backported from Joomla 3.1.5. If you wish to see your changes then you need to be contributing to the main Joomla-cms project :-)

Repeating myself here for clarity for others reading the comments :-) Nothing Personal, I know we have spoken at github already.

The changes made here are the same as the changes in Joomla 3.1.5 release as per

https://github.com/joomla/joomla-cms/commit/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2#administrator/components/com_media/helpers/media.php

It's not for us (or the 1.5.999 project) to second guess these changes. If you feel these changes are wrong then please raise a Joomlacode.org tracker item, and propose a Pull Request to the https://github.com/joomla/joomla-cms repo for your suggestions to be made to the current Joomla 3.1.x series. If we see them made there then we will update this repo.
Posted on 1 Aug 2013, 17:48 by Ben Sandberg
What's the tracker item for this original issue, then?
Rather than create a new item, it would seem prudent to continue that discussion.
Posted on 1 Aug 2013, 17:51 by Phil Taylor
I don't believe there was one, or if there was I never saw it. The security issue might have been handled by the strike team (in their secret courtrooms and chatrooms - I assume).
Posted on 1 Aug 2013, 21:00 by Michael Babker
Ben - Security items are discussed in a closed group for what I hope would be obvious reasons. As the code is now public, any improvements would best be handled through our regular bug tracking processes.
Posted on 1 Aug 2013, 21:24 by Elin Waring
Although not urgent I think those are good suggestions in general and we can update the files here.

Ben if you want to send an email to security@joomla.org that would be good, I'd rather not publicly give people the idea.

What happens is the two changes basically solve the problem in two ways. Right now an uploaded file with a trailing . will never get to the second test.
Posted on 1 Aug 2013, 21:38 by Elin Waring
I should mention that users must be authenticated to use this exploit.

You should also absolutely be removing the flash uploader from 1.5 just as it has been removed from 2.5 and 3. I'm sorry I didn't think to post that earlier but just looking at the codebase this minute I remembered it was there.

I should also say that my brief test indicates that you must be an authenticated author or above to upload the file. In this sense 1.5 has an advantage, since one of the scary things we saw in the last 48 hours were users who had ACL settings for com_media and the public group set to allow uploads. So I think we can tackle some of these other possibilities.
Posted on 1 Aug 2013, 22:13 by Elin Waring
On the .0 issue, getExt() returns the string '0' and that ends up returning false on canUpload() unless you put it on the allowed list.

About the null issue, it doesn't happen in the normal com_media course of things, with a '.' at the end an empty string "" is returned by getExt() which ended up being the cause of the problem since that passed the $ignored filter. So in terms of MediaHelper we already check for an empty file name before we do the other stuff.
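The trailing-dot failure mode Elin describes above and Ben's stricter check from earlier in the thread, as an added example that is not part of this thread or of Joomla's code. The function names, the regex in makeSafeName() and the sample lists are assumptions, and laxCheck() is a constructed stand-in for the old behaviour rather than the original MediaHelper code.

```php
<?php
// Added example, not Joomla's own code: a simplified model of the two
// defences discussed in this thread. Function names and the sample lists
// are assumptions, not the real JFile / MediaHelper signatures.
// Layer 1, in the spirit of JFile::makeSafe(), including the rtrim() line
// Phil reports missing from the patched file.php.
function makeSafeName($file)
{
    $file = preg_replace('#[^\w\.\-]#', '', $file); // keep word chars, dot, dash
    // Remove any trailing dots, as those aren't ever valid file names.
    return rtrim($file, '.');
}

// Extension after the last dot, lower-cased. A name ending in a dot yields
// "", which is what let the original bug through; "file.0" yields "0".
function getExtension($file)
{
    $dot = strrpos($file, '.');
    return ($dot === false) ? '' : strtolower(substr($file, $dot + 1));
}

// Constructed illustration of the lax behaviour Elin describes: an empty
// extension matches the ignored list and is therefore accepted.
function laxCheck($format, array $allowable, array $ignored)
{
    return in_array($format, $allowable) || in_array($format, $ignored);
}

// Layer 2: Ben's stricter condition from this thread. Note that empty('0')
// is true in PHP, so "file.0" is rejected here unless '0' is whitelisted.
function strictCheck($format, array $allowable, array $ignored)
{
    if (empty($format) || $format === false
        || (!in_array($format, $allowable) && !in_array($format, $ignored))) {
        return false;
    }
    return true;
}

$allowable = array('jpg', 'png', 'gif');
$ignored   = array('');          // constructed: "" on the ignored list
foreach (array('photo.jpg', 'shell.php.', 'file.0') as $name) {
    $ext  = getExtension($name);               // as uploaded, without layer 1
    $safe = getExtension(makeSafeName($name)); // after layer 1
    printf("%-11s lax=%d strict=%d | after makeSafe ext=%s strict=%d\n", $name,
        laxCheck($ext, $allowable, $ignored), strictCheck($ext, $allowable, $ignored),
        var_export($safe, true), strictCheck($safe, $allowable, $ignored));
}
```

Running it shows "shell.php." passing the lax check only because its extension is "", while either layer alone (the rtrim() in makeSafeName() or the empty() test in strictCheck()) rejects it, which is the belt-and-suspenders point made above.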
Posted on 2 Aug 2013, 1:33 by Jonny Roger
Thanks everyone for all the information.

A few questions:

1) There is a similar file in /components/com_media/helpers (i.e. same directory, but outside of the /administrator; that is actually the "parallel branch" file I mistakenly referred to earlier - I feel so dumb, sorry). That file seems to do even fewer checks than the one in /administrator which is affected by this issue. I assume that it is used in the front-end. Does it also need a similar fix (line 61)?

2) Referring to Elin's post above: How does one remove the flash uploader from 1.5? (So far I just have had it disabled in the configuration in the back-end.)
Posted on 2 Aug 2013, 4:11 by Frits Jongbloets
Just wanted to say: thanks for sharing this fix with the community.

Kind regards, Frits
Posted on 2 Aug 2013, 4:43 by Dieter Gröbel
Thanks to all those, who still care about the versions no longer supported!
Posted on 2 Aug 2013, 6:58 by Maik Kaune
Thank you very much!!! for finding and fixing the security issue. Warm regards from Germany (32+)
Posted on 2 Aug 2013, 19:06 by Jonny Roger
Add-on to my question no. 1 of 2013-08-01 22:33:29:
There seems to be a twisted inclusion on Joomla 1.5: It looks like the front-end \components\com_media\media.php "requires" the MediaHelper (line 29) and Controller (line 42) of the back-end, while the back-end "requires" those of the front-end.

It looks like it has been "untwisted" on Joomla 3.1 (https://github.com/joomla/joomla-cms/blob/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2/components/com_media/media.php) - the front-end logic has been removed and hands over to the back-end one. And similarly on 2.5 (http://joomlacode.org/gf/project/joomla/scmsvn/?action=browse&path=%2Fdevelopment%2Ftrunk%2Fcomponents%2Fcom_media%2Fmedia.php&view=markup).

So, this seems to concern Joomla 1.5 alone, and if in need of update (e.g. by adding the fix described in this tracker item), would need to be done here, not on the supported versions.

I'm not a web developer. What's your opinion, folks?
Posted on 2 Aug 2013, 21:15 by Alex Sudakar
Many thanks to Elin and Phil for this. I still have 1.5 sites so your efforts to be so helpful are greatly appreciated!
Posted on 23 Aug 2013, 0:13 by Elin Waring
About the flash uploader, you can just remove the file and change the parameter options to not try to ask for it.
https://github.com/PhilETaylor/Joomla1.5.999/blob/master/administrator/components/com_media/config.xml#L27
https://github.com/PhilETaylor/Joomla1.5.999/blob/master/media/system/swf/uploader.swf
Posted on 27 Aug 2013, 12:54 by Letícia Galdino
What process should I follow to make the change? Do I just follow the same directory structure as in the file I downloaded and change it?
Posted on 3 Sep 2013, 17:13 by Elin Waring
Please just use your file manager or FTP to replace the existing files with the replacements. You'll see where they go when you unzip.
Posted on 10 Sep 2013, 5:55 by Héctor González
I was affected by this vulnerability in one J!1.5 website. Thanks for this patch.