Attackers Can Hijack Joomla Sites Via User-Agent Strings

An anonymous reader writes: Joomla just issued a emergency security patch after Sucuri observed a large number of attacks on Joomla sites using malicious user-agent strings. Attackers were adding malicious code to custom-made user-agent strings, which were not sanitized and stored in the database. These allowed attackers to trigger remote code on the site and grant them a backdoor into targeted websites. Even if Joomla doesn't care about older versions, the bug was so critical that it issued security patches even for EOL versions going back to 1.5.x.

I've been wondering which product was the target..

[QuietLagoon]

I've been seeing really strange agent strings for a few weeks in my web server log files. I was wondering what the target was.

It's 2015 already, sanitize your damn inputs!

It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently.

Re:It's 2015 already, sanitize your damn inputs!

You have to put it in a framework or an API, otherwise modern programmers can't understand it.

Re:It's 2015 already, sanitize your damn inputs!

Why just services facing the internet?

Even services facing just the LAN/DMZ should sanitize their inputs. If an attacker manages to compromise one host, don't make it easy to compromise the rest.

Re:It's 2015 already, sanitize your damn inputs!

[hey!]

Identify bad input; recover if possible.

-- The Elements of Programming Style by B. W. Kernighan and P. J. Plauger, McGraw-Hill, New York, 1974.

See? Smart programmers knew bad or malicious input forty years ago. Trust me, even back in the days of FORTRAN card decks people tried to figure out ways to make the computer do things that would annoy or inconvenience the sysadmins.

In this case the exploit was actually quite tricksy. Normally you don't think of the user agent as user input; it's supposed to come from the browser. But ultimately it's still input coming the outside, and if you do anything with it you have to distrust it. This is how exploits work; they utilize assumptions that seem safe to a programmer, but that can be violated. I'll bet there's a lot of systems that are vulnerable to SQL injection this way that thoroughly sanitize input that's supposed to be from users.

Re:It's 2015 already, sanitize your damn inputs!

Identify bad input; recover if possible.

-- The Elements of Programming Style by B. W. Kernighan and P. J. Plauger, McGraw-Hill, New York, 1974.

See? Smart programmers knew bad or malicious input forty years ago. Trust me, even back in the days of FORTRAN card decks people tried to figure out ways to make the computer do things that would annoy or inconvenience the sysadmins.

In this case the exploit was actually quite tricksy. Normally you don't think of the user agent as user input; it's supposed to come from the browser. But ultimately it's still input coming the outside, and if you do anything with it you have to distrust it. This is how exploits work; they utilize assumptions that seem safe to a programmer, but that can be violated. I'll bet there's a lot of systems that are vulnerable to SQL injection this way that thoroughly sanitize input that's supposed to be from users.

If they would actually use parameterized statements, SQL injection wouldn't be a problem.

Re:It's 2015 already, sanitize your damn inputs!

[hey!]

I know. Plus in most cases parameterized statements are far more efficient because they only need to be parsed once.

But all it takes is a moment of laziness when you're dealing with input you assume to be safe to get into trouble. Since it's a lazy habit, there are static code analzyzers that can catch most instances of SQL Injection; I wouldn't be surprised if that's how the attackers figured this out.

Re:It's 2015 already, sanitize your damn inputs!

Joomla uses MySQL and PHP. Most PHP code has so many security flaws that the matter was brought up in a meta discussion on stackoverflow. Sadly the discussion ebbed of with the genius resolution of adding a comment to any flawed answer and to this day any PHP user searching stackoverflow for answers will find highly flawed suggestions upvoted with any comment pointing out its problems long deleted in any of the cleanups performed from time to time ( a problem brought up on meta and outright ignored, since anything else would have required a change to the sites etiquette) .

Even without stackoverflow advertising flawed code PHP itself is riddled with flawed APIs, the existance of mysql_escape_string and mysql_real_escape_string has been a running gag for a long time, that both continue to exist in the improved mysqli API really took the humour out of it. Add on top of the mysql insanity that several APIs exist that simply overwrite local variables with unchecked user input or the near impossibility to hide version information from an attacker ( so you checked the 10 settings controlling error output, did you check the other twenty special cases?). Securing PHP is like fighting a hydra, the more heads you cut of the more grow in its place.

Re:It's 2015 already, sanitize your damn inputs!

[Zero__Kelvin]

"... every parameter from an service facing the internet... "

For all your fervor toward solid security practices you still miss it completely. This issue has absolutely nothing to do with the internet. The exact same security principles apply to, and should be applied in systems, without regard to internet connectivity. There are many solid reasons why this is true, but the simplest and easiest to understand is that somebody may, at a subsequent date, connect the system to the internet.

Re:It's 2015 already, sanitize your damn inputs!

[Zero__Kelvin]

That makes perfect sense! Who writes frameworks and APIs again?

Re:It's 2015 already, sanitize your damn inputs!

[Zero__Kelvin]

Also, stop assuming all damage is intentional and caused by hackers. Never underestimate the database mangling capability of the well meaning fool!

Re:It's 2015 already, sanitize your damn inputs!

My question is... who the fuck stores the user agent string in a database?

That shit belongs in the HTTP log files. Do a better job of designing your application, FFS Joomla!

Re:It's 2015 already, sanitize your damn inputs!

[ls671]

It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently.

It wouldn't help in this case. The language used for joomla doesn't require the programmer to use a compiler.

Re:It's 2015 already, sanitize your damn inputs!

[ls671]

Good one, I have observed a tendency lately where newbies seem to thing that API are delivered by the baby stork. They even teach the youngsters that programming techniques used in API (for the internal work of the API) are bad and have them coming up with resource hog code that is supposed to be somehow better nevertheless.

Then, there are the APIs built on top of other APIs that achieve sensibly the same goal.

Re:It's 2015 already, sanitize your damn inputs!

mysql_real_escape_string is not the "real" escape string function. It's only named _real_ due to it requiring a connection with a running (i.e real) server in order to do some quering. The mysql_escape_string will escape your string just as fine as the _real_version. Also MySQL have parametrized queries as well.

Re:It's 2015 already, sanitize your damn inputs!

[jafiwam]

Why just services facing the internet?

Even services facing just the LAN/DMZ should sanitize their inputs. If an attacker manages to compromise one host, don't make it easy to compromise the rest.

It's likely that the user agent string was not considered "input" any more than the IP address in the log is.

Even now, among clueful people, there are those that don't realize the user agent in a browser can be arbitrarily changed.

Re: It's 2015 already, sanitize your damn inputs!

You don't need a compiler to "program" the Web.

Re:It's 2015 already, sanitize your damn inputs!

[Tablizer]

Define "sanitize" in this case. What is and isn't a valid user-agent string? (and considering future devices that haven't been invented yet.)

Re:It's 2015 already, sanitize your damn inputs!

[Tablizer]

That doesn't change the problem here I don't believe. It probably wasn't database injection, but PHP injection. It's not the "storage", but the processing (in PHP) that caused the problem here.

Re: It's 2015 already, sanitize your damn inputs!

You're unnecessarily fixated on SQL injection. That's not the only form of attack. All input should be sanitized. Parameterization is only specific to SQL-targetting attacks

Re:It's 2015 already, sanitize your damn inputs!

The mysql_escape_string will escape your string just as fine as the _real_version

If that was true then the second would be rather pointless. Why add a more costly version of the same function when the first is just fine? In reality both are rather flawed and prepared statements are considered the state of the art ( except of course that depending on back end and default settings PHP may emulate prepared statements ).

As to why the real one is better? the real actually knows what charset is used by the database server and can escape the provided string accordingly instead of wrongly assuming the local charset of the frontend. This is of course irrelevant when you operate like slashdot and everything you know is and will always be good old US-ASCII, no need to account for unicode or different encodings.

Re:I've been wondering which product was the targe

The target is to serve malware. If they can easily exploit a widely used package to spread malware, the phish jump right in the boat.

WHY?!?

[Aethedor]

Seriously, how can this still be possible?? Don't developers ever learn? Use / develop a secure database driver and let ALL your database queries go though that driver. And when I say ALL, I actually mean ALL!!! We've had SQL injections 20 years ago. There is no excuse to have your application vulnerable for this ancient shit! Really.

I know that my rant tells nothing new, but as a security professional, this shit is really starting to annoy me. I see this shit every week. And because of developers not being able to write secure code, companies get hacked, personal information gets stolen, governments act tough and come up with all sorts of security theater bullshit which results in my privacy getting invaded. So, yes, incompetent developers fucking their shit affects me personally! I really hate incompetent developers...

Re:WHY?!?

[CastrTroy]

I'm surprised that they haven't made a database driver that requires you to use parameters for all queries. Basically the query should refuse to run and throw an exception if it finds a place where you provided a literal value instead of providing it via a parameter.

The entire idea of even having an "escape string" function is stupid because there will be places where people forget to use it. Especially when there are cases where you're not supposed to use it, such as when you have a variable that represents a number.

Re:WHY?!?

Don't developers ever learn?

Yeah they do, unfortunately they move on to bigger and better things and then the "next big thing" comes along and brand new developers jump into it and repeat the same mistakes from the previous generation. It's almost a microcosm of all the problems in the world today - history repeats itself etc. etc....

Re:WHY?!?

[emiliano.heyns]

It's not something the driver can sensibly do. It would have to host a full-blown SQL syntax parser to do this.

Re:WHY?!?

Exactly. It's not like it's a Microsoft product where you fully expect oceans of security holes. And you know the TCO is way, way higher than just the license costs.

But this is an open source project which means it should (must!) be more secure given all the eyes on the code.

So what's going on? Is my reality collapsing in on itself??? Someone hold me, please!!

Re:WHY?!?

DB injection will never go away, where the code modification takes place is all that will change. Like replacing the parameters in ram. Shell codes are dead, long live shell codes!

The question I have is why are these massive mostly crappy databases the defacto standard storage for EVERYTHING, regardless of how well it would (or wouldn't) benefit from a complete RDBMS.

Re:WHY?!?

I'm surprised that they haven't made a database driver that requires you to use parameters for all queries. Basically the query should refuse to run and throw an exception if it finds a place where you provided a literal value instead of providing it via a parameter.

Thus proving that you haven't ever done database development.

What is the difference between the following two queries?
1) SELECT * FROM FooTable WHERE FooTypeID = 7 AND FooID = @FooID (Then set the @FooID parameter.)
2) SELECT * FROM FooTable WHERE FooTypeID = @FooTypeID AND FooID = @FooID (then set parameters @FooTypeID to 7 and @FooID to the same as above.)

Answer: none that any part of the database connector, query parser, or anything else can tell. Because maybe you just wanted a hard-coded filter on FooTypeID and it's never a variable. Or maybe you're a complete dumbass and you're building a SQL string variable somewhere and you fed the resulting possibly-unsanitized value into the connector library. No piece of code has enough information to tell which one of those things is true.

You can't fix stupid and you can't buy taste. This problem falls into the first category. Let the bad programmers do bad work. Let the cheapass managers get bit by the bad, cheap work they buy. And last but not least, let the blackhats do their job of culling the herd. Let the house of cards collapse, and be sure that you're there with your skills to pick up the pieces and make it work the right way after the dust settles.

Re:WHY?!?

Frustrates the hell out of me. At work we bought and are implementing a GRC SaaS tool to deal with 3rd party risk assessments. Very first bug I discovered was a SQL injection bug, reported the issue and it was "fixed" by input validation at the web form level. Copy and pasting still allowed the characters to be input and the fundamental flaw wasn't fixed. A security compliance tool that doesn't do good security itself!

Re:WHY?!?

The Joomla developers in particular are really bad at this. Sadly, Joomla is the "Facebook" of content management. Easy to use, "everybody" uses it, tons of plugins. I'm fully aware of how shit Joomla is but even I have a few Joomla sites. With that said, those sites are currently being migrated to other systems when the jackass Joomla developers officially stopped supporting previous releases and the upgrade path utterly failed.

Re:WHY?!?

[Gr8Apes]

It can be done if you wrap the SQL up in an API. Then you have no choice but to use the API. Note that this does reduce your ability to run adhoc queries just a touch, but then again, that's the problem in the first place.

Re:WHY?!?

[DarkTempes]

Except I don't think this is actually an SQL injection and so you could have the most secure database driver with prepared statements and all of that jazz and it probably wouldn't matter.

It looks like (the details I've read are pretty slim) it's actually a php object injection. Apparently, this has happened to Joomla before.

Basically it sounds like the useragent string is stored in the database correctly (but unverified and/or unsanitized) and then other code is pulling it from the database and trusting that it is a safe string when it's not. It's actually a string of a serialized php object. But they trust their database so they unserialize it and Bad Things(TM).
I could have that wrong, I haven't coded PHP in almost a decade.

Re:WHY?!?

[Tablizer]

Except I don't think this is actually an SQL injection... it's actually a php object injection...

While I usually remember to sanitize strings, situations often occur where you need legitimate punctuation or character patterns that you didn't or couldn't anticipate up front. It then errors out and makes the developer, me, look bad.

Can one anticipate all legitimate future User-Agent string patterns up front? Who knows what wazoo devices will be invented in the future.

Basically one is weighing an approximately 1 in 100 chance a hacker getting in from an injection attack versus roughly a 1 in 5 chance that scrubbing will create practical problems for legitimate users (considering all the data collected from multiple sources and fields over time).

Preventing the hacker is probably the "right thing to do", but it could hurt ones career in practice as users complain about occasional filter errors.

One is weighing high-occurrence-low-damage events against low-occurrence-high-damage events. Since the worse that can happen to a developer is that he/she gets fired and loses a resume reference, most of the risk falls on the org, not the dev. The temptation is to dump the risk on the org by limiting value scrubbing.

It's a tricky philosophical and ethics decision. Humans generally weigh such based on their wallet, not loyalty to the org (especially since orgs rarely return loyalty these days).

Re:WHY?!?

You can do this with good languages. I've seen it done with languages which distinguish between compile-time strings and run-time strings. You could even use loops to build e.g. "where ... in" queries, so long as each string was a compile-time constant and the loop was evaluated at macro-expansion time.

Re:WHY?!?

[slazzy]

Correct, there's even ways to spoof an IP address and turn it into an SQL injection. Poor bobby tables.

Re:WHY?!?

[Aethedor]

Hmm, you're absolutely right. I must admit that I didn't read the article well enough. I guess I've grown too tired of this shit to read it all carefully. However, it doesn't really matter. SQLi, XSS, CSRF, file inclusion, remote command execution, it's all the same shit to me. Incompetent developers only caring about getting it to work, not knowing what they're actually doing. The result of their fumbling is still the same.

Re:WHY?!?

[AC-x]

Basically one is weighing an approximately 1 in 100 chance a hacker getting in from an injection attack versus roughly a 1 in 5 chance that scrubbing will create practical problems for legitimate users (considering all the data collected from multiple sources and fields over time).

What practical problem could treating something like a user agent string as a raw string value possibly cause?

Re:WHY?!?

I think the biggest problem here is using eval() to execute PHP code stored in the database.

Another case of "most stupid coder possible"...

[gweihir]

Really, this is old, well known, easy to avoid. People that make mistakes like this have no business programing. The real problem is very likely though that management hired the cheapest people it could get.

Re:Another case of "most stupid coder possible"...

[emiliano.heyns]

Really, this is old, well known, easy to avoid. People that make mistakes like this have no business programing. The real problem is very likely though that management hired the cheapest people it could get.

It's an open source project. There's no hiring people involved. Read up before you comment.

Re:Another case of "most stupid coder possible"...

[gweihir]

Not really that much different. There is letting people with no clue contribute involved. Also quite a few contributors to FOSS projects _are_ hired, most not by the project itself, but sometimes even that. But I guess you did not know that little well-known detail.

So wtf is..

Oh that's what it is, some form of web content management system written in php.

Re:InB4 PHP blame!

InB4 PHP and MySQL blame.

There fixed it for you.

Astounding

[JustAnotherOldGuy]

Really, it's astounding that after all this time, major software apps still don't sanitize their input.

It'd be hilarious if it wasn't so sad.

There are dozens of decent sanitizer scripts and utilities out there, FFS, pick one and use it.

Re:Astounding

[gustygolf]

I don't sanitise my input. I sanitise my output. And you should too.

Besides, "sanitise" is the wrong word. "Escape" is better. "Sanitise" tends to be irreversible. If it fails, you can try to do a post-mortem and still have no clue what went wrong since sanitising threw away everything important.

use parameterized statements you moron

It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently.

Programmers like you are the fucking problem.

You don't sanitize your inputs, you use fucking parameterized statements to access the database; always. If you have to do any sanitizing beyond that you need to pick a different language; one where you can't escape string data and transform it into run time code.

Re:use parameterized statements you moron

[stoborrobots]

Who said anything about databases?

You need to sanitize the inputs before you:

• Send them back to the user in html.
• Pass them off to another program
• Send them to your bank or credit card processor
• Print them onto the worklist for the staff in the factory
• Send the coordinates to the missile guidance system

I don't care about your fucking database and your fucking parametrized statements, you still need to verify that your inputs are sane.

Re:use parameterized statements you moron

[stoborrobots]

What is the difference between "business rules that need to be validated and checked" and "sanitize your inputs"?

(Hint: "this field should not contain semicolons" is just as much a sanity check/validation as "this field contains a latitude entry and thus should be between -90 and 90".)

Won't work in this case...

[bennebw]

" Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently." Banning them from compilers wouldn't stop them here....Joomla is PHP. Just upload the file uncompiled and watch the magic happen :P

both, because bad guys are bad and libs exist

[raymorris]

Parameterized queries can certainly help reduce injections, and they should be used.

Also, if the quantity field is supposed to be in the range 1-50, don't accept quantity = "1 ;`exec rm -rf /`"
That's obviously an attack and nothing good is going to come from that transaction, so terminally cleanly but quickly. You don't need to store an order for that number of tickets.

A couple of significant security issues have been related to later statistical analysis of the data. The real-time application handled it fine by parameterizing it or escaping it properly, but later summary statistics were generated by a tool that was exploited by specially-crafted strings. Why allow that? You know the input is crap, so why knowingly send crap to other libraries or systems? There's no need to "correctly" send hack attempts down the line. If it's supposed to be a hostname, but it contains backticks and semicolons, stop it right there. No need to pass that to getbyhostbyname() or anywhere else, other than your security monitoring systems.

Joomla suuuuucks

Garbage. Far worse than Drupal which is worse than WordPress which at least isn't Drupal.
Need six static web pages? Here have some epic bloat.

Wow

[kelemvor4]

succuri did something other than fuck up my favorite forums? Finally!

where do you see a quantity field posting a messag

[raymorris]

I see you managed to post a message. Where exactly do you see a "quantity" field on the posting form? Did I put some character other than digits in that quantity field? Do you see any numeric fields? Hint - there are some. If the numeric fields on this form accept free-form text and put it in the database, the programmers fucked up. Give that a try. See if you can put words in the numeric fields on this form.

Because it's Doctrine

[sphix42]

Doctrine 2 has this. It's a Lexer/Parser combo, not just a parser. In Doctrine 2 the dialect is DQL which is transformed to SQL for the particular driver dialect. I understand there are several ORMs across the languages but Doctrine 2 stands on top.

The proof is in the bad code

https://github.com/joomla/joomla-cms/commit/995db72ff4eaa544e38b4da3630b7a1ac0146264#diff-aba80b5850bf0435954b29dece250cbfL1011
```php
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
```

This line was removed and the HTTP_USER_AGENT is no longer stored in the session, which could be stored in the database.
But read the code: Security through an in_array? fix_browser as a string?

I'm still looking forward to what PSR-7 components will come out of the Joomla camp.

Re:I've been wondering which product was the targe

[ls671]

Well, I have been seeing really strange Cookie, Host, Connection, request strings, etc. for ever and I sometimes wonder what the target is. Don't take for granted those pokes are only targeted at joomla.

Re:where do you see a quantity field posting a mes

Wow, you weren't very fucking clear about what you meant.

That crap wouldn't even make it past my facade layer because your quantity value would be cast as an integer value, and get kicked back as an error. And if your database or services are properly setup, it's still not an issue.

There should always be validation on the front end, but that's only for honest users and is never to be trusted. Once again, never trust form validation, but always do it. On the back end, string data is always string data (even `rm -rf /` or ') drop database system; -- ) is legit input as it is here; numeric data is always numeric and just fails without worrying about validation; string based numeric data OTOH for example CC info, need special validation rules that frequently go beyond sanitizing inputs and those should be covered in the requirements. If you have to start thinking about sanitizing inputs and stop using parameterized statements; you're going to get fucked, so concentrate on doing it well and right, not fast and easy.

If you code your shit right; you don't think about sanitizing inputs; you just think about the business rules and writing solid code you have no problem. (My code has survived security audits, penetration tests, third party PCI compliance, and HIPPA audits; I try and even break it when I find a new vulnerability and I know the back end.)

Re: where do you see a quantity field posting a me

Really? It's HIPAA moron.

Re: where do you see a quantity field posting a me

1 line of Javascript is all it takes to turn that number-only input into a text one. That is CLIENT side... sanitize the inputs, they can't be trusted.