[3+] com_joomlaupdate allows upload of any filetype

[PhilETaylor]

Steps to reproduce the issue

In Joomla 3+ go to com_joomlaupdate ->Upload & Update tab

Select a PNG file, or XML file or any-other-file-type

Expected result

Validation error - its not a zip file.

Actual result

The file is uploaded to the tmp path, renamed and prefixed with 'ju

The file extension and mime type is not validated first.

Then you get a login screen.

Additional comments

Tested Joomla 3.9.19 and Joomla 4 beta 1
Cant think of anyway to exploit this so posting publicly.

[richard67]

How far shall the validation go? Shall it just check for the extension, e.g. ".zip"? I ask because one could be so funny and rename the PNG file or whatever he or she tries to upload to a ZIP file, i.e. with chagning the extension.

[PhilETaylor]

I dont have answers only problems :)

[richard67]

And I have an answer (42) and have forgotten the problem for which it was ;-)

[brianteeman]

this should be reported to @joomla/security

[PhilETaylor]

It requires super admin login before the upload form is shown - historically the JSST are not interested if a super admin can hack themselves... but bat signal for @SniperSister anyway...

[SniperSister]

I agree with @PhilETaylor that I can hardly see an attack vector here, however, some proper error handling (at least validating the file type) makes sense to provide better feedback for users.

[richard67]

@SniperSister What do you mean with file type? The file name extension? You know it’s not the same. I think we only can check for the extension.

[richard67]

Does the extensions installer have the same problem? I can’t check that now because I’m on the road. Maybe someone else can do that faster?

[mbabker]

File type detection should NEVER rely on the given file name. You always analyze the file data.

[richard67]

Right ... and I found out meanwhile that it can be done.

If someone wants to work on it, let us know here so we are not working in parallel.

I'n not sure if I can do something, but if so, then not before weekend.

[richard67]

@mbabker I assume you mean with "analyze the file data" a MIME type check with functions like "mime_content_type" or "finfo_open" and "finfo_file", is that right? And do you really think it is necessary for the issue here? As far as I understand it, it is not a security issue here because it needs a super admin anyway to be logged in to backend. I understand it more as a check being needed to prevent uploading of an accidently selected wrong file.

@PhilETaylor Is my understanding right that it's not a security but an UX issue?

@SniperSister @zero-24 What's your opinion? Does it need the mime type check, too, or is a check of the file name before the upload in JS sufficient? I'd implement the check at least in J4 in the same way as I did for the maximum upload size with PR #27570 , i.e. as soon as the user selects a wrong file, a warning box is shown, and when he or she tries to upload it anyway, an alert is shown, and upload is rejected.

[zero-24]

I personally (not speaking in any official name of Production, maintainers or JSST) would implement an mine type check given that IIRC only zip files can be used anyway at this place. What we might have to check is whether there can be issues with mine type detection on different hosting configurations.

[richard67]

I personally (not speaking in any official name of Production, maintainers or JSST) would implement an mine type check given that IIRC only zip files can be used anyway at this place.

Your personal opinion is welcome.

What we might have to check is whether there can be issues with mine type detection on different hosting configurations.

In the MediaHelper we use for things which are not pictures either "mime_content_type" or "finfo_open" and "finfo_file", depending on what's available, and we check it in this order. "mime_content_type" should be available at PHP version >= 4.3, including 7.x, and doesn't require an extra module, while the "finfo_..." functions are available at PHP versions >= 5.3, including 7.x, and they require PECL fileinfo. The "mime_content_type" is not marked as deprecated in PHP docs, but I did read something somwehere that this might be soon the case. So I am almost but not 100% sure it should work everywhere. But if it fails due to missing functions, and we decide to refuse the upload in that case, then it would block people behind firewalls who can't use the Live Update from updating forever.

[zero-24]

I personally (not speaking in any official name of Production, maintainers or JSST) would implement an mine type check given that IIRC only zip files can be used anyway at this place.

Your personal opinion is welcome.

Sure just wanted to make this clear as at some places my opinions has been interpreted as opinion of any of my positions or teams that i'm involved in ;-)

What we might have to check is whether there can be issues with mine type detection on different hosting configurations.

In the MediaHelper we use for things which are not pictures either "mime_content_type" or "finfo_open" and "finfo_file", depending on what's available, and we check it in this order. "mime_content_type" should be available at PHP version >= 4.3, including 7.x, and doesn't require an extra module, while the "finfo_..." functions are available at PHP versions >= 5.3, including 7.x, and they require PECL fileinfo. The "mime_content_type" is not marked as deprecated in PHP docs, but I did read something somwehere that this might be soon the case. So I am almost but not 100% sure it should work everywhere. But if it fails due to missing functions, and we decide to refuse the upload in that case, then it would block people behind firewalls who can't use the Live Update from updating forever.

That is exactly the case i mean. In some setups you might also have the issue that the mine type is not correctly interpreted. So we might add a switch to disable the mime type checking?

As this is about com_joomlaupdate i would suggest to backport that to 3.10 too.