Joomla Security Release 3.6.4: Breaking the Code by Fixing It

Many people will have noticed (including a lot of bad guys) that there is a security release of the Joomla! content management system.

Previous versions contain a vulnerability which allows a malicious person to register a user account on a Joomla site by carefully crafting their own html form, even when user registration has been turned off, and also to manipulate the user group. This is done by accessing a vulnerable controller in components/com_users/controllers/user.php, which includes a register task that does not check the site configuration or properly validate the data.

The controller has been around since Joomla 1.6, so it has left a lot of people wondering if older versions of Joomla are vulnerable, such as 2.5 which is still widely used. In fact the good news is that older versions are not.

If you try to submit a crafted html form to a Joomla 2.5 site, you get the following fatal error:-

Warning: Missing argument 2 for JModelForm::validate(), called in components/com_users/controllers/user.php on line 114 and defined in /libraries/joomla/application/component/modelform.php on line 258 Fatal error: Call to a member function filter() on a non-object in /libraries/joomla/application/component/modelform.php on line 261

Or something similar depending on your exact version. The reason for this is that the user controller includes a coding error, it uses

$return = $model->validate($data);

 instead of
$return = $model->validate($form, $data);
so that it fails because the data object is null when the model is called to register the user.
Then in Joomla 3.4.4 someone helpfully fixed the coding error in the controller without asking themselves what on earth the controller was doing. I am sure they meant well, I think it would be unfair to blame only the person that fixed the code, these things are supposed to be tested. But still, it opened the CMS up to a serious vulnerability.

Leave a Comment on this post