[ SOLVED a long time ago... ;-) ] XSS Injection? (in version 1.1.4)

10 years 11 months ago - 10 years 11 months ago #3963 by Windwalker (Topic Author, New Member)
Hi,

I just came across this security issue:
www.joomla-security.de/sicherheitsmeldun...-icagenda-1-1-4.html

Could you please state, whether this one is fixed in the current version?

Thanks in advance,
Sascha.
Last edit: 10 years 11 months ago by Lyr!C.


10 years 11 months ago #3965 by giusebos (Moderator)
Replied by giusebos on topic XSS Injection?
update to the latest version!

DO YOU NEED ASSISTANCE?
read here

Watch all iCagenda video tutorials

look here


10 years 11 months ago #3967 by Lyr!C (Administrator, Lead Developer)
Replied by Lyr!C on topic XSS Injection?

Windwalker wrote: Hi,

I just came across this security issue:
www.joomla-security.de/sicherheitsmeldun...-icagenda-1-1-4.html

Could you please state, whether this one is fixed in the current version?

Thanks in advance,
Sascha.


Yes, it's a very old issue! ;)

When I began development of iCagenda, I didn't know every way of protecting it at first, but I have worked very hard to learn how an attack could be done (hack learning) and how to protect against it.

iCagenda has been safe since 1.2.6 (security against SQL injection and XSS, and other protections ;-) )
You can read the update log in your iCagenda control panel.

As there's a free version of iCagenda, young hackers test all free software to try their first "exploits", but not commercial ones (for example, some event management extensions on the JED listing, which are commercial, have many security vulnerabilities. I have contacted the developer of one of these (popular) extensions, but he seems not to know much about security issues...)

The problem with these hackers: they don't mention on their website when a vulnerability is fixed. :huh:
And with a Google search, you can still see the pages referenced...

So, for example, a useful test for SQL injection: change the id or Itemid number to text in the URL, and if you see, for example, error messages, then you have SQL injection possibilities and full path disclosure vulnerabilities. (Many commercial extensions have this issue.)
In iCagenda, it returns to the list with no events displayed, or to a "no event in the calendar" page. ;-) (because id and Itemid are protected and filtered)

To test a form against XSS vulnerabilities, just use a tool such as Security Compass's XSS Me sidebar (in Firefox).

It can run 308 XSS attacks (virtually), and in iCagenda, 0 attacks succeed! :cheer:

If you test on a vulnerable form, it can add many entries to the database. I've tested this tool with the registration form of iCagenda, and by removing the protection in my code, this tool adds hundreds of new registered people! With the protection, no problem ;-)

Hope this explanation can be useful to all! B)

Latest version: iCagenda 3.9.3
We recommend that every user keep iCagenda updated.
Don't forget to keep your Joomla!™ up to date!

Do you like iCagenda?
I would appreciate it if you could take 5 minutes to post a review on JED (Joomla Extensions Directory).


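The id/Itemid test described in the post above, as an added example that is not part of the original thread and not iCagenda's or Joomla's own code. It takes a URL, swaps each numeric id or Itemid value for text, and looks in the response for SQL error strings and absolute server paths (the SQL injection and full path disclosure indicators the post mentions). The two "sites" below are constructed stand-ins: one interpolates the raw parameter into a query and echoes the database error, the other filters both parameters to integers and falls back to an empty event list, as the post says iCagenda does. The signature lists and the `fetch` callable are assumptions; to probe a site you are authorised to test, pass a real HTTP fetcher instead.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Response signatures a tester looks for after swapping a numeric id for text.
# (Constructed list; extend it for the DB driver and framework in use.)
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"mysql_fetch_(?:array|assoc|row)\(\)",
    r"SQLSTATE\[\w+\]",
    r"Unknown column '[^']*' in",
]
# Absolute server-side paths leaking in error output (Linux or Windows).
PATH_PATTERNS = [
    r"/(?:var|home|usr|srv)/[\w./-]+\.php",
    r"[A-Za-z]:\\(?:[\w .-]+\\)+[\w.-]+\.php",
]


def mutate_int_params(url, params=("id", "Itemid"), payload="abc"):
    """Return one URL per named numeric parameter, with its value replaced by text."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    mutated = []
    for i, (key, value) in enumerate(query):
        if key in params and value.isdigit():
            new_query = list(query)
            new_query[i] = (key, payload)
            mutated.append(urlunsplit(parts._replace(query=urlencode(new_query))))
    return mutated


def classify_response(body):
    """Return the set of indicators found in a response body."""
    findings = set()
    if any(re.search(p, body) for p in SQL_ERROR_PATTERNS):
        findings.add("sql-error")
    if any(re.search(p, body) for p in PATH_PATTERNS):
        findings.add("full-path-disclosure")
    return findings


def probe(url, fetch):
    """Fetch each mutated URL with the given fetcher and classify the result."""
    return {u: classify_response(fetch(u)) for u in mutate_int_params(url)}


# Constructed stand-ins for an application. Replace `fetch` with a real HTTP
# client (e.g. lambda u: requests.get(u).text) when testing a site you own.

def vulnerable_site(url):
    """Interpolates raw parameters into SQL and echoes the DB error with a path."""
    q = dict(parse_qsl(urlsplit(url).query))
    for key in ("id", "Itemid"):
        value = q.get(key, "0")
        if not value.isdigit():
            return ("Warning: mysql_fetch_array() expects parameter 1 to be resource "
                    "in /var/www/html/components/com_events/models/event.php on line 42\n"
                    "You have an error in your SQL syntax near '%s'" % value)
    return "<h1>Event %s</h1>" % q.get("id", "")


def as_int(value):
    """Strict integer filter: anything that is not a plain number becomes 0."""
    return int(value) if value.isdigit() else 0


def hardened_site(url):
    """Filters id and Itemid to integers; bad input just shows the empty list."""
    q = dict(parse_qsl(urlsplit(url).query))
    event_id = as_int(q.get("id", "0"))
    menu_id = as_int(q.get("Itemid", "0"))
    if event_id <= 0 or menu_id <= 0:
        return "<p>No events in this calendar.</p>"
    return "<h1>Event %d</h1>" % event_id


if __name__ == "__main__":
    target = "https://example.test/index.php?option=com_icagenda&view=list&id=12&Itemid=5"
    for name, site in (("vulnerable", vulnerable_site), ("hardened", hardened_site)):
        for mutated_url, findings in probe(target, site).items():
            print(name, mutated_url, sorted(findings) or "clean")
```

The hardened stand-in shows why the post's test comes back clean on a filtered component: once the parameter is cast to an integer before it reaches the query, a text value can only become 0, so there is no malformed SQL to error on and no error page to leak a path in.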

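The form-fuzzing check from the same post, as an added example that is not XSS Me and not iCagenda's registration code. A fuzzer submits a list of reflection payloads to a form handler and counts two things: how many payloads come back in the page verbatim (a reflected XSS) and how many rows the submissions created, which is the side effect the post describes when the tool is run against an unprotected registration form. Both handlers and the short payload list are constructed for the example; XSS Me uses its own, much longer list.

```python
from html import escape

# A handful of reflection payloads in the spirit of the XSS Me lists
# (constructed here; a real run uses the tool's full payload set).
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "';alert(1);//",
    "<svg/onload=alert(1)>",
]


def vulnerable_register(store, name):
    """Stores whatever was submitted and echoes it back into the page unescaped."""
    store.append(name)
    return "<p>Thanks, " + name + "! You are registered.</p>"


def hardened_register(store, name):
    """Rejects names containing markup characters before anything is stored,
    and HTML-escapes on output as a second layer."""
    if any(ch in name for ch in "<>\"'"):
        return "<p>Invalid name.</p>"
    store.append(name)
    return "<p>Thanks, " + escape(name) + "! You are registered.</p>"


def fuzz_form(handler, payloads=XSS_PAYLOADS):
    """Submit each payload to the handler; report how many came back verbatim
    (reflected XSS) and how many rows the submissions created."""
    store = []
    reflected = [p for p in payloads if p in handler(store, p)]
    return {"succeeded": len(reflected), "rows_created": len(store)}


if __name__ == "__main__":
    print("vulnerable:", fuzz_form(vulnerable_register))
    print("hardened:  ", fuzz_form(hardened_register))
```

Because every payload a vulnerable form accepts becomes a stored row, run this kind of fuzzing against a staging copy of the site and clean the table afterwards; the post's "hundreds of new registered people" is exactly that side effect on a live database.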