test
  • twincarb Friend
    #982165

    Hi,
    I have just had a security scan of my server through patchman.co and it has highlighted an issue with the login module on JA_Social 2.

    The mod_login component was found to have an XSS error which was corrected in J3.4.4; more details can be found at this link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6939

    It would appear the template needs two lines amending in /html/mod_login/head.php.
    The two lines appear to be 12 & 18 when you look at the code in Joomla.
    [code]
    1. <?php
    2. /**
    3.  * @package     Joomla.Site
    4.  * @subpackage  mod_login
    5.  *
    6.  * @copyright   Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
    7.  * @license     GNU General Public License version 2 or later; see LICENSE.txt
    8.  */
    9. defined('_JEXEC') or die;
    10. require_once JPATH_SITE . '/components/com_users/helpers/route.php';
    11. JHtml::_('behavior.keepalive');
    12. JHtml::_('bootstrap.tooltip');
    13. ?>
    14. <form action="<?php echo JRoute::_(JUri::getInstance()->toString(), true, $params->get('usesecure')); ?>" method="post" id="login-form" class="form-inline">
    15. <?php if ($params->get('pretext')) : ?>
    16. <div class="pretext">
    17. <?php echo $params->get('pretext'); ?>
    [/code]

    This code has been updated in the core Joomla package but will need updating in this file of your template. The code below is the section that has been updated.
    The link to this file on the Joomla Github is https://github.com/joomla/joomla-cms/blob/staging/modules/mod_login/tmpl/default.php; please note the files use different names but serve the same purpose.

    The rows to pay attention to below are Rows 10 & 14.

    [code]
    1. <?php
    2. /**
    3.  * @package     Joomla.Site
    4.  * @subpackage  mod_login
    5.  *
    6.  * @copyright   Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
    7.  * @license     GNU General Public License version 2 or later; see LICENSE.txt
    8.  */
    9. defined('_JEXEC') or die;
    10. JLoader::register('UsersHelperRoute', JPATH_SITE . '/components/com_users/helpers/route.php');
    11. JHtml::_('behavior.keepalive');
    12. JHtml::_('bootstrap.tooltip');
    13. ?>
    14. <form action="<?php echo JRoute::_('index.php', true, $params->get('usesecure')); ?>" method="post" id="login-form" class="form-inline">
    15. <?php if ($params->get('pretext')) : ?>
    16. <div class="pretext">
    17. <?php echo $params->get('pretext'); ?>
    [/code]

    How to update the file.

    First of all ensure you have a backup of your site before making any changes.

    Log into Joomla Administration and navigate to Extensions – Templates

    In the column labeled "Template" click on ja_social_ii

    On the new page click on "html" folder link on the left side menu

    Scroll down till you find "mod_login" select this folder

    From the items that open up select "head.php"

    This is the file that needs to be edited.

    Alternatively hopefully the template will be updated by Joomlart in the very near future.

    I hope this information enables you to update this template, if you have any questions please post them below and myself or a member from Joomlart will assist.

    Regards,
    Dave
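
An added check, not from this thread or from Joomlart, that a site admin can run over a Joomla install to find mod_login template overrides that still build the form action from the request URI (the pre-3.4.4 line 14 above) and to rewrite such a line the way the core default.php now does. The templates/<name>/html/mod_login/*.php layout and the two sample files written by demo() are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Pre-3.4.4 form action (request URI reflected into the page) versus the
# fixed constant action used in the core default.php quoted above.
VULNERABLE = re.compile(r"JRoute::_\(\s*JUri::getInstance\(\)->toString\(\)")
FIXED_ACTION = "JRoute::_('index.php'"

def scan_file(path):
    """Return (line number, line) pairs that still use the request-URI action."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if VULNERABLE.search(line):
                hits.append((no, line.rstrip("\n")))
    return hits

def scan_templates(joomla_root):
    """Check every template's mod_login override directory (assumed layout:
    templates/<name>/html/mod_login/*.php) and map affected files to hits."""
    root = Path(joomla_root)
    findings = {}
    for php in sorted(root.glob("templates/*/html/mod_login/*.php")):
        hits = scan_file(php)
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    return findings

def patch_line(line):
    """Rewrite one affected line to the 3.4.4 form; other lines are unchanged."""
    return VULNERABLE.sub(FIXED_ACTION, line)

def demo():
    """Constructed sample tree: one override still on the old code, one fixed."""
    root = Path(tempfile.mkdtemp())
    old = root / "templates/ja_social_ii/html/mod_login"
    new = root / "templates/protostar/html/mod_login"
    old.mkdir(parents=True)
    new.mkdir(parents=True)
    (old / "head.php").write_text(
        "<?php defined('_JEXEC') or die; ?>\n"
        "<form action=\"<?php echo JRoute::_(JUri::getInstance()->toString(), "
        "true, $params->get('usesecure')); ?>\" method=\"post\" id=\"login-form\">\n")
    (new / "default.php").write_text(
        "<form action=\"<?php echo JRoute::_('index.php', true, "
        "$params->get('usesecure')); ?>\" method=\"post\" id=\"login-form\">\n")
    return scan_templates(root)
```

Run scan_templates() against the real site root (after taking the backup the post recommends) and apply patch_line() only to the lines it reports.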

    Saguaros Moderator
    #982246

    Hi Dave,

    Thank you for your report, it's much appreciated.

    The team will update it and it will be released in an upcoming version of this template.

    Regards


This topic contains 1 reply, has 2 voices, and was last updated by  Saguaros 8 years, 1 month ago.
