Joomla CKForms Component Multiple Vulnerabilities

**keraM** · 30.06.2010 21:18

TITLE:
Joomla CKForms Component Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA40127

DESCRIPTION:
Secunia Research has discovered some vulnerabilities in the CKForms
component for Joomla, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed via the "articleid" parameter to index.php (when
"option" is set to "com_ckforms", "view" is set to "ckforms", "task"
is set to "send", and "id" is set to a valid form id) is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that the "Save result" is enabled in
the form's configuration (disabled by default).

2) Input passed via the "sortd" parameter to index.php (when "option"
is set to "com_ckforms", "view" is set to "ckformsdata", "layout" is
set to "data", and "id" is set to "f") is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

3) The "CkformsModelCkforms::saveData()" method in models/ckforms.php
allows uploading of files with arbitrary extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a PHP file.

Successful exploitation requires the "fileupload" field to be
configured.

NOTE: The stored file name is based on the original file name and a
time stamp, which is predictable.

The vulnerabilities are confirmed in version 1.3.4. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Change the "Uploaded files path" setting to a directory outside of
the web root.

PROVIDED AND/OR DISCOVERED BY:
Secunia Research

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-81/
http://secunia.com/secunia_research/2010-82/

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

**redpulp** · 01.07.2010 11:03

da mein englisch nicht ausreicht und das üebersetzungsprogramm hier auch nicht hilfreich ist, kann bitte mal jemand kurz zusammenfassen, wo genau das problem liegt?

vielen dank im voraus

**Orpheus2510** · 01.07.2010 11:10

Kurz zusammengefaßt: Die Komponente CKForms (1.3.4 und früher) enthält eine gewichtige Sicherheitslücke, derowegen du diese Komponente nicht einsetzen solltest.

**redpulp** · 01.07.2010 11:12

danke dir. na da muss ich aber schnell noch gute alternative finden. prima und das im urlaub

**jdgf** · 01.07.2010 13:40

Danke für den Hinweis. Wieso steht dieser Hinweis aber noch nicht in dieser Liste?
http://docs.joomla.org/Vulnerable_Extensions_List

**Joe Sixpack** · 01.07.2010 14:42

Zitat von jdgf

Danke für den Hinweis. Wieso steht dieser Hinweis aber noch nicht in dieser Liste?
http://docs.joomla.org/Vulnerable_Extensions_List

im Link:

November 2009 Compiled Vulnerability Reports.

**adi** · 05.07.2010 15:13

Zitat von Orpheus2510

Kurz zusammengefaßt: Die Komponente CKForms (1.3.4 und früher) enthält eine gewichtige Sicherheitslücke, derowegen du diese Komponente nicht einsetzen solltest.

So wie ich das verstehe sollte die Version 1.3.4 gefixt sein.

Hatte jedenfalls nur mit der 1.3.3 probleme resp. hack Angriffe.

Pierre Revest

CKForms is a Joomla 1.5 native component to generate Forms without any development knowledge. CKForms can save data in
Database and export them to CSV format.
Fields can be validated as text, number, date and email. A File upload field is available. Forms created can be backup
and restored easily with one click. An HTML Editor is available and a Captcha code can be used to secure the forms. A plug-in and a module are available to display forms. The layout can be customized with CSS, custom text inserted between fields. Data saved can be displayed in the Front-end interface.

/** Bugs fixed **
- Fix the display of warning message when save data for forms created in previous releases
- Fix blank form et loose of data when captcha code is wrong
- Fix read only parameter for "Date" fields
- Add translation feature for text "registered at"
- Fix bad characters displayed in the CKForms modules
- Fix display of datepicker translation
- Fix display data saved for no option selected
- Fix duplicate process forget forms options and fields options
- Fix <br/> -> <br /> for e-mail clients
- Fix restore problem for backup before 1.3.4 release
- Fix display data (empty records)
- Fix multiple forms display in plug-in
- Fix notice display messages
- Important LFI security fix

/** New features **

- Change javascript Framework from JQuery to Mootools (native in Joomla)
- New error message - more detailled (if no custom message)
- Sort data saved in backend and frontend
- If text result empty and redirection empty, the page is redirected to the home page
- new backup/restore procedure
- Add filter to search in saved data
- Add connected user info in text field
- Plug-in to display data in an article
- Hidden field with the article ID with the Plug-In
- Display data record détail in Front-End page
- Choose the fields than can be saved
- Forward form data to the redirect URL

Gruss

Adi

**Orpheus2510** · 05.07.2010 15:36

Zitat von adi

So wie ich das verstehe sollte die Version 1.3.4 gefixt sein.

Es handelt sich um eine andere Lücke als die, die gefixt wurde.

The vulnerabilities are confirmed in version 1.3.4. Other versions
may also be affected.

**adi** · 05.07.2010 16:53

Hier Massnahmen die man vornehmen sollte, wenn man nicht auf CKForms verzichten möchte:

siehe hier: http://secunia.com/advisories/40127/

Lösung:
Edit the source code to ensure that input is properly sanitised. Change the "Uploaded files path" setting to a directory outside of the web root.

Gruss

Adi

**walter6363** · 06.07.2010 19:12

Zitat von adi

Hier Massnahmen die man vornehmen sollte, wenn man nicht auf CKForms verzichten möchte:

siehe hier: http://secunia.com/advisories/40127/

Lösung:
Edit the source code to ensure that input is properly sanitised. Change the "Uploaded files path" setting to a directory outside of the web root.

Gruss

Adi

...und wie oder wo ändert man den Quellcode damit die Daten in ein anderes Verzeichnis gespeichert werden?
Danke

Thema: Joomla CKForms Component Multiple Vulnerabilities

LinkBack

Themen-Optionen

Thema durchsuchen

Anzeige

Joomla CKForms Component Multiple Vulnerabilities

Erhielt Danksagungen von:

Erhielt Danksagungen von:

Lesezeichen

Lesezeichen

Berechtigungen