
Hello there! Welcome to Youjoomla Support Forums

YouGrids Free joomla template powered by YjSimpleGrid Framework

07-04-2011, 03:34 AM   #1
octavian (Unlicensed; Join Date: Jul 2011; Posts: 4)
XSS handling extended protection (YouGrids 1.5 & 1.6)

Hello,

I have sent an email a month ago but I have not received any reply since.

We have recently come across a few customers using your templates who are experiencing difficulties when using our product, RSForm! Pro. The XSS protection found in:
yougrids/yjsgcore/yjsg_core.php
doesn't take into account the fact that $_POST/$_GET are multi-dimensional arrays. preg_replace works for arrays as long as they are not multi-dimensional (more than one level).

Below is a proof of concept:

PHP Code:
<?php
// Two-level array: the outer key holds another array, not a string.
$array = array(
    'level_1' => array(
        'level_2' => 'test'
    )
);

print_r($array);

// preg_replace walks only the first level of an array subject.
$new_array = preg_replace('#t#', 'x', $array);

print_r($new_array);
Will output:
Code:
Array
(
    [level_1] => Array
        (
            [level_2] => test
        )

)
Array
(
    [level_1] => Array
)
RSForm! Pro stores submitted data in $_POST['form'] and the XSS protection you provide always empties $_POST['form']. I think the same should be valid for regular checkboxes, I'm not sure, I haven't tested.

The following lines should be edited:

PHP Code:
$_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
$_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
07-04-2011, 06:11 AM   #2
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

You can advise your customers to comment the lines out if they find an issue with them. We had our security team test the lines and yes, they empty the submitted data after send due to the XSS issue; even if the preg is used on multiple levels it would empty the data from your forms out. But again, if your customers have an issue with them, have them comment the lines out on their own responsibility.
07-04-2011, 07:20 AM   #3
octavian (Unlicensed; Join Date: Jul 2011; Posts: 4)

Hello,

I think I have given a perfect example above that there's a bug in your templates that you should solve. It has nothing to do with the XSS protection; it has to do with the way you use preg_replace. It empties multi-level arrays just because preg_replace does not work with multi-level arrays. This happens regardless of whether the regex matches anything or not.
07-04-2011, 10:26 AM   #4
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

Yes, I understand. That was introduced as a precaution measure for a basic-level attack, not on the template but on Joomla, but I see what you mean by multiple levels. The issue is with many 3rd party extensions; if we use the full measure the template users might not be able to use some of the extensions. I'll test the new code and advise of a possible change. Thanks for testing and sorry if I came on strong.
07-05-2011, 04:41 AM   #5
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

OK, we have a new addition to the code which will now cover multi-dimensional arrays.

First upload the yjsg_validate.php file (extract the attached zip) to the

templates/template_name/yjsgcore/ folder

then in templates/template_name/yjsgcore/yjsg_core.php

replace lines
Code:
$_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
$_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);

with
Code:
require( TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data('post');
yjsg_validate_data('get');

@octavian, if you care to test and see if there are any issues with your extensions, that would be appreciated. Once again thanks for the info and your time.
07-05-2011, 07:29 AM   #6
octavian (Unlicensed; Join Date: Jul 2011; Posts: 4)

Hello,

I've made some tests and the function produced some inconsistencies when dealing with multi-level arrays. I've provided below a function that should be simple enough to not create any issues:
PHP Code:
function yjsg_validate_data(&$array)
{
    // Recurse into nested arrays so multi-level $_POST/$_GET data
    // (e.g. $_POST['form']) is filtered leaf by leaf instead of being
    // collapsed to the string "Array" by preg_replace.
    if (is_array($array))
        foreach ($array as $key => $value)
            yjsg_validate_data($array[$key]);
    else
        $array = preg_replace("|([^\w\s\'])|i", '', $array);
}

You will have to edit templates/template_name/yjsgcore/yjsg_core.php and use:
PHP Code:
require_once(TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data($_POST);
yjsg_validate_data($_GET); 
PS: The code you've provided uses eval() on user input; with some intelligent request crafting a malicious user could have compromised the security of the website.

Last edited by octavian; 07-05-2011 at 08:46 AM..
07-05-2011, 10:05 AM   #7
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

Thank you much, will do some more testing. I removed my attachment for the time being until we get this squared away.
07-06-2011, 02:31 AM   #8
octavian (Unlicensed; Join Date: Jul 2011; Posts: 4)

Glad to be of help! Anything for the good of our common customers.
Have a good day!
07-13-2011, 06:55 AM   #9
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

Just to inform you, the addon code was tested and is going into core. I'll add a small thank you into the file notes.
07-13-2011, 07:05 AM   #10
neo (Administrator; Join Date: Mar 2005; Location: Clearwater, Florida; Posts: 12,405)

OK, here is the full addon.

For extended XSS protection please add

the file yjsg_validate.php into the templates/template_name/yjsgcore folder (download and unzip the attachment),

open the file templates/template_name/yjsgcore/yjsg_core.php

and replace lines

PHP Code:
$_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
$_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
with

PHP Code:
require_once(TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data($_POST);
yjsg_validate_data($_GET);
Attached Files: Validate_UNZIP.zip (703 Bytes)
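As an added example (not code from the YouGrids template or from either poster), the original flat preg_replace beside the recursive filter the thread settled on, both run over a constructed nested request array shaped like an RSForm! Pro submission; the field names and values are made up for illustration.

```php
<?php
// Constructed sample request, shaped like an RSForm! Pro submission:
// the user's fields live one level down, in $_POST['form'].
$request = array(
    'option' => 'com_rsform',
    'form'   => array(
        'formId'   => '3',
        'FullName' => "O'Brien <script>alert(1)</script>",
        'Choices'  => array('red', 'blue'),   // checkbox-style nested array
    ),
);

// What the template originally did: preg_replace over the whole
// superglobal. preg_replace walks only one level of an array subject;
// a nested array is cast to the string "Array" (PHP raises an
// "Array to string conversion" warning, silenced here with @), so every
// nested field is lost whether or not the pattern matches anything.
function yjsg_flat_filter(array $data)
{
    return @preg_replace("|([^\w\s\'])|i", '', $data);
}

// The recursive version agreed in the thread: descend into nested arrays
// and apply the regex only to scalar leaves, so the structure survives.
function yjsg_recursive_filter(&$data)
{
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            yjsg_recursive_filter($data[$key]);
        }
    } else {
        $data = preg_replace("|([^\w\s\'])|i", '', $data);
    }
}

$flat = yjsg_flat_filter($request);
var_dump($flat['form']);             // the nested form array has collapsed to a string

$kept = $request;
yjsg_recursive_filter($kept);
var_dump($kept['form']['FullName']); // letters, spaces and the apostrophe survive; < > ( ) / are stripped
var_dump($kept['form']['Choices']);  // still an array of two strings

// Caveat: the pattern strips every character outside [\w\s'], so it also
// mangles legitimate input such as e-mail addresses and URLs. Escaping at
// output time (htmlspecialchars) is the proper XSS defence; this filter is
// only the template's coarse input clean-up, made structure-safe.
```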