XXS vulnarability detected in Buildr template

rejada

Hello,

My hosting provider uses Patchman for security scanning. After upgrading to the latest Buildr template (1.3.9) and Zengrid framework (5.1.6) version, Patchman marked the file "./templates/buildr/zengrid/html/com_users/profile/default_core.php" as vulnerable to xss. Can you please fix this file?

Kind regards,

René

teitbite

rejada Hi. Do You mean XSS ? I looked into this file and there is no such issue in our installation package:

<fieldset id="users-profile-core">
	<legend>
		<?php echo JText::_('COM_USERS_PROFILE_CORE_LEGEND'); ?>
	</legend>
	<dl class="dl-horizontal">
		<dt>
			<?php echo JText::_('COM_USERS_PROFILE_NAME_LABEL'); ?>
		</dt>
		<dd>
			<?php echo $this->data->name; ?>
		</dd>
		<dt>
			<?php echo JText::_('COM_USERS_PROFILE_USERNAME_LABEL'); ?>
		</dt>
		<dd>
			<?php echo htmlspecialchars($this->data->username, ENT_COMPAT, 'UTF-8'); ?>
		</dd>
		<dt>
			<?php echo JText::_('COM_USERS_PROFILE_REGISTERED_DATE_LABEL'); ?>
		</dt>
		<dd>
			<?php echo JHtml::_('date', $this->data->registerDate); ?>
		</dd>
		<dt>
			<?php echo JText::_('COM_USERS_PROFILE_LAST_VISITED_DATE_LABEL'); ?>
		</dt>
		<?php if ($this->data->lastvisitDate != $this->db->getNullDate()) : ?>
			<dd>
				<?php echo JHtml::_('date', $this->data->lastvisitDate); ?>
			</dd>
		<?php else : ?>
			<dd>
				<?php echo JText::_('COM_USERS_PROFILE_NEVER_VISITED'); ?>
			</dd>
		<?php endif; ?>
	</dl>
</fieldset>

Please provide this file from Your server, maybe it got corrupted already.

rejada

teitbite

Thank you for your quick reply. Actually I meant XSS of course 😛. I've compared your file with the file on the server and two lines differ.

1)
your line:
<?php echo $this->data->name; ?>
line on the server:
<?php echo $this->escape($this->data->name); ?>

2)
your line:
<?php echo htmlspecialchars($this->data->username, ENT_COMPAT, 'UTF-8'); ?>
line on the server:
<?php echo $this->escape($this->data->username); ?>

I think two thinks could have happened: The files got corrupted as you stated, or Patchman patched the two lines by adding 'escape' to the first line and replace 'htmlspecialchars' with 'escape' on the second. The date stamp of the Patchman notifcation email is the same as the one from the file adjustment. Could the missing 'escape' be the XSS issue? I must confess, I'm not familiar with the subject, though a quick Google on the subject learned me that 'escape' is used to prevent SQL injection by replacing special characters. I could change the file on the server and wait if Patchman patches it again?

Kind regards,

René

paulus1031

Hi Rene,

Buildr has been available for download for just over two years and we've not had any previous reports of any security holes requiring patching

Are you able to ask the extension developers regarding the report?

Cheers
Paul

rejada

paulus1031

Thank you for your help. I will forward this tread to my hosting provider and ask for their opinion. I don't think the alterations will do any harm, though I do want to know who or what changed this file in a RX folder. To be continued...

Kind regards,
René

paulus1031

I have run an audit inside a demo site and it doesn't flag up that file as high risk

Cheers
Paul

paulus1031

Thanks Rene

rejada

paulus1031 sorry, I forgot to update you on the latest status. According to the help desk of my hosting provider the Patchman warning was about the Joomla kernel (Patchman Joomla patch CVE Number: CVE-2018-15880). I don't think thats correct, since the path to the patched file pointed to the Buildr template. As I mentioned earlier I don't think the modifications will do any harm and I still believe it was Patchman that altered the file.

I gave up :-) Thank you for your help anyhow!

aman204

rejada Kindly let us know if all queries to relative topic have been resolved so as to mark the thread as resolved or need further assistance on the same 🙂

rejada

aman204 the issue is resolved, nu further assistance is needed.