Support

Admin Tools

#10166 iFrame Support

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by earthrat on Wednesday, 21 December 2011 16:49 CST

Wednesday, 21 December 2011 11:21 CST

earthrat
A client of mine has hired a developer to build a survey for her site and I tested it (not knowing squat about this) and was able to write some php and js code in the comments section and it saved to the database. It does not rewrite the code back when someone views the results but I am worried that this is still a problem waiting to happen?

Does Admin Tools have the capacity to monitor this external code since it is used in an iFrame or do I need to worry?

Nicholas, you are the only bad ass security dude I know and any advice you have would be a huge help...;)

Wednesday, 21 December 2011 12:02 CST

nicholas
No, Admin Tools will not be able to protect that. Admin Tools only protects anything which loads through Joomla!'s index*.php files. Obviously, this excludes your client's custom script. Depending on the skill of the developer and the attention to security he gave I could be extremely worried about it.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 21 December 2011 12:26 CST

earthrat
That is what I was afraid of, thanks for the feedback. What concerns me most is this writes the code as written to the database and stores it. I don't know but it seems to me this is a classic way to inject code into the database.

Wednesday, 21 December 2011 13:19 CST

nicholas
Yes, it is potentially very insecure and that's why I have created the SQLiShield for Admin Tools :) Unfortunately, you can't do much about the custom script except hope that its developer understands security basics.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 21 December 2011 13:28 CST

earthrat
He wrote a survey using the Yii Framework and I dont think he did anything other than put it together. Are you familiar with this framework?

http://www.yiiframework.com/

Wednesday, 21 December 2011 14:59 CST

nicholas
I have not used it. As every framework, if he used it to sanitise the input data and escape it before inserting it to the database, it'll be fine. If he ignored that and pushed around raw data, it's insecure. That's as specific as I can get :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 21 December 2011 15:27 CST

earthrat
That is a perfect explanation and although I am no where near as skilled as you are I came to the same conclusion.

Wednesday, 21 December 2011 15:46 CST

earthrat
You would not happen to have a small bit of code or a link to something I could use (or a tutorial of sorts) to test with to see if the code is being sanitised? Something that I could put in the field and then see in the database to make sure it is clean?

Sorry Nic, I know my question is out of line and I am sorry if I am just wasting your time...;)

Wednesday, 21 December 2011 16:06 CST

nicholas
If only it was that simple :D You need to do penetration testing, which is a lengthy and expensive process. If you really want that, I do know people who can do that for a fee.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 21 December 2011 16:49 CST

earthrat
That would be great Nic, can you send me information on this please and thanks for all your help!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!