The Art of Joomla is a free resource for Joomla developers and artisans.

Artisan: a skilled worker who practices some trade or handicraft.

Written and maintained by Andrew Eddie - Joomla developer.

Issue 1

the Art of Joomla - Security Essentials

Stumping the Spoofers

Written by Andrew Eddie

Its official name is Cross Site Request Forgery (CSRF), but we sometimes call it form spoofing for short. Under the right conditions a person can do a lot of things they are not supposed to do.

A very common example is a Contact Us form. It is very easy for anyone to craft their own copy of that form and post messages through your server automatically. Someone could, in principle, run a mail-blast by using the CC (carbon-copy) setting on the stock Joomla! Contact Us form (in practice you can't, because it's already hardened).

Other variants of the attack work if someone can trick you into clicking a link (in an email, or possibly on another site) while you are logged in as an administrator.

There are lots of other possibilities. To counter these problems, Joomla! comes to the rescue with a feature called the Session Token. The implementation is really simple - just a few lines of code to give you peace of mind.

Step 1 is to add the Session Token to your form, and make sure the form is using POST as the method.

<form method="post" action="<?php echo JRoute::_( 'index.php?option=com_test' ); ?>">
    <!-- Other form fields -->
    <input type="hidden" name="task" value="save" />
    <!-- Session Token: the field NAME is the token itself, the value is only a flag -->
    <input type="hidden" name="<?php echo JUtility::getToken(); ?>" value="1" />
</form>

Step 2 is to add the Session Token check to your task in your component, like this:

/**
 * Saves the form
 */
function save()
{
    // perform token check (prevent spoofing): the session token must appear
    // as a POST field name, otherwise the request did not come from our form
    $token = JUtility::getToken();
    if (!JRequest::getInt($token, 0, 'post')) {
        JError::raiseError(403, 'Request Forbidden');
    }
    // go do some other stuff now
}
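The two steps above, put together in a framework-free PHP script so the whole round trip (issue the token, render the hidden field, check the submission) can be run from the command line. This is an added example, not code from the article or from Joomla: the `$session` array stands in for `$_SESSION`, and the function names `getToken`, `tokenField`, `checkToken` and `save` are this example's own rather than Joomla's API. It also shows the two failure modes the article describes: a forged form that does not know the token, and a crafted link (GET) that carries the right token name.

```php
<?php
// Added example (not the article's or Joomla's code): the Session Token
// pattern without the framework, so it runs with plain `php csrf_token.php`.
// Assumptions: $session stands in for $_SESSION; forms carry the token as a
// hidden field NAMED after the token with value "1", like the Joomla snippet.

declare(strict_types=1);

const TOKEN_KEY = 'form_token';

/** Return this session's token, creating a random one on first use. */
function getToken(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        // 16 random bytes -> 32 hex characters; a third-party site cannot guess it
        $session[TOKEN_KEY] = bin2hex(random_bytes(16));
    }
    return $session[TOKEN_KEY];
}

/** Render the hidden field that ties a form to this session (Step 1). */
function tokenField(array &$session): string
{
    $token = htmlspecialchars(getToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . $token . '" value="1" />';
}

/**
 * Validate a submission (Step 2). True only if the request used POST and the
 * POST body contains a field named after the token that was issued to THIS
 * session. A session that was never issued a token cannot pass.
 */
function checkToken(array $session, array $post, string $method): bool
{
    if (strtoupper($method) !== 'POST') {
        return false;                       // links / GET requests never pass
    }
    if (empty($session[TOKEN_KEY])) {
        return false;                       // nothing was issued, nothing can match
    }
    $issued = $session[TOKEN_KEY];
    return isset($post[$issued]) && (string) $post[$issued] === '1';
}

/** A task handler in the shape of the article's save(). */
function save(array $session, array $post, string $method): string
{
    if (!checkToken($session, $post, $method)) {
        return '403 Request Forbidden';
    }
    // go do some other stuff now
    return '200 Saved';
}

// --- constructed demonstration (no web server needed) ---
$session = [];
echo tokenField($session), "\n";            // what the browser would receive
$token = getToken($session);

// 1. Legitimate submission from the rendered form
echo save($session, ['task' => 'save', $token => '1'], 'POST'), "\n";   // 200 Saved

// 2. Forged form on another site: it cannot know this session's token
echo save($session, ['task' => 'save', 'guessed' => '1'], 'POST'), "\n"; // 403 Request Forbidden

// 3. Crafted link with the right token name, but sent as GET
echo save($session, [$token => '1'], 'GET'), "\n";                      // 403 Request Forbidden

// 4. A visitor with no session token at all
echo save([], [$token => '1'], 'POST'), "\n";                           // 403 Request Forbidden
```

The token is generated once per session and stays stable, so every form rendered during that session embeds the same field name; the check only needs to know the session to validate a submission. Joomla 1.5 bundles the same check as `JRequest::checkToken()`, which can replace the manual `JRequest::getInt($token, ...)` lookup in the article's `save()`.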

That's all it takes to close a few more back doors to the attackers. For more information, Chris Shiflett has a good article.

1 Comment

  1. Great application