
Two security issues

Hi,

My site is under security audit to get the security certification. After audit they gave me two security issues to look at.

1. Stored Cross Site Scripting: The application must implement server side validation for all user-entered inputs. Only expected values should be accepted. Script tags should be rejected. All user inputs should be sanitized.

2. Malicious File Upload

I have added <script> to the filter tags in Joomla's global configuration text filters. Also, though I have clearly stated that all file upload elements should only use the .jpg, .jpeg and .png extensions, I can still upload files with a .php extension.

How can we rectify these two issues?

Please help.

Regards
 
I can't replicate.

Are you allowed to upload php files in Joomla's media manager?

Which exact Joomla and Fabrik version?
 
Joomla version: 3.7.2
Fabrik: 3.6
Php version: 5.6.30

1. With the Media manager I can see the file uploading, but I actually can't find the file in the image folder (where it is uploaded to).
I have tried to upload kickstart.php

2. With the Fabrik file upload element (I am using an Amazon S3 bucket), you can see the link for the uploaded file: https://s3.amazonaws.com/scrb-bihar...003865&Signature=Yt/MopqbUhh8p5Y+YRX2RAmBbFw=

3. Also, how can I make sure that each form element checks for certain words like <script>, <body> etc.?
 
Yeah, I understand. Still, the file upload should not allow PHP files or other exe files to be uploaded anyway (if they're not mentioned in the allowed file types).

Same way input should not allow <script> and other such tags/words.
 
Absolutely. But this is open source software. The only way issues get fixed is if people contribute to funding development, through subscriptions. If you have mission critical requirements, and need work done on Fabrik to meet them, it would be nice if you could contribute.

In this case, I've fixed the upload issue, as it is indeed a nasty one. It was due to a recent change in the way J! handles the $input->files->get(), now requiring a specific 'raw' filter, which we'd fixed in one place, but not in another. Without the 'raw' it was returning an empty array, and sneaking past some of our validation logic. So thank you for reporting it. It is fixed in github as of this commit:

https://github.com/Fabrik/fabrik/commit/25139f3ddaa82a0209ef1444b702c5a684302785

... and will be rolled into the 3.6.1 release we have planned for this week.

If you'd like to take out a sub, I'll have a look at the other issue.

-- hugh
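The fail-closed upload check hugh describes above, written as an added example for this thread (it is not Fabrik's or Joomla's own code; it assumes PHP 7.1+ and a constructed allowlist of jpg/jpeg/png with their leading bytes):

```php
<?php
// Added example (not Fabrik's or Joomla's code): fail-closed validation of one
// uploaded file, in the shape Joomla's $input->files->get(..., 'raw') returns.
// Without the 'raw' filter the array can come back empty, and a check that only
// loops over the entries it is given passes an empty array without noticing.
// Allowed extensions and the bytes each file must start with (constructed table).
const ALLOWED_TYPES = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1a\n",
];
// Returns null when the upload is acceptable, otherwise the rejection reason.
function validateUpload(array $file): ?string
{
    // Fail closed: an empty or malformed array is a rejection, not a pass.
    if (empty($file) || !isset($file['name'], $file['tmp_name'], $file['error'])) {
        return 'no file data received';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    // Judge by the extension against the allowlist; the client-sent 'type' is ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return "extension '$ext' not allowed";
    }
    // Check content, not just the name: the file must begin with the expected bytes.
    $magic = ALLOWED_TYPES[$ext];
    $head  = @file_get_contents($file['tmp_name'], false, null, 0, strlen($magic));
    if ($head !== $magic) {
        return 'file content does not match its extension';
    }
    // In a real request handler also require is_uploaded_file($file['tmp_name'])
    // before moving it, so only PHP's own upload temp files are accepted.
    return null;
}
// Constructed inputs: a minimal PNG header on disk, then three cases.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$cases = [
    'empty array (the bug case)' => [],
    'kickstart.php'              => ['name' => 'kickstart.php', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK],
    'photo.png'                  => ['name' => 'photo.png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $label => $f) {
    echo $label, ': ', validateUpload($f) ?? 'accepted', PHP_EOL;
}
unlink($tmp);
```

The first case is the one the commit addresses: an empty file array must be treated as a rejection, since a loop over zero entries finds nothing to reject.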