Been getting spam for quite a while in a few of my JomSocial sites so decided to take a look into why. Spam messages were somehow being left by guest users even though guest access was disabled and permissions were set to members only for group discussions. After a short while I was easily able to replicate how to to do this myself.
So wanting to the the right thing and not publicly post the exploit for others to see and abuse I emailed JomSocial support with details of the exploit and how to fix it. After waiting for a while I got absolutely no response whatsoever. I then posted a message to their Facebook feed, same thing - absolutely no reply whatsoever. Pretty ironic considering that thier Facebook page is pretty active lately telling us what a great job they are doing improving JomSocial.
Hmmnnnn what to do?
So next I post a support thread on their forum. After a couple of weeks of not receiving any official reply I gave up any expectation of ever getting a reply and simply fixed my sites myself. I eventually received an email requesting that I give examples of the exploit, screen grabs and a whole bunch of other stuff that would take up heaps of my time. I politely declined saying that they had missed their chance but offering that they could engage me professionally if they wanted me fix their code. Not surprisingly there was no reply.
I left the issue at this figuring that as it had not really taken me much to figure it out, surely JomSocial would do the same. Well it seems that without me providing them with examples / screen grabs / server specs / etc / etc they simply chose to ignore the issue. Not exactly what I would call taking security seriously.
So having recently updated my sites I once again notice that I have received a bit of spam, obviously I have overwritten my fix. (oops) As I don't really want to run hacked code and would really prefer JomSocial to provide an official fix I've decided to force their hand into providing an update. So I decided to have a little fun - I decided to spam their demo site.
The initial round of comments were deleted pretty quickly, they simply said "THIS IS AN EXPLOIT I CAN POST TO YOUR GROUP WITHOUT BEING A MEMBER". After the initial comments were deleted I changed my comment to say "DO I HAVE YOUR ATTENTION NOW????". After a while the site was taken offline.
The exploit involves using a direct URL to edit a discussion post:
(try it and see - if they are yet to fix it the exploit will still work)
As long as the topicid is greater than the highest topicid stored in the database the editor will display and allow you to edit this 'ghost' post.
This means that there is no check to make sure the post exists before allowing you to edit it - This is Issue #1
Whats more amazing than this is that when the post is submitted there is no check in place to explicitly ensure that the author is not a guest. The post is submitted and accepted. - This is Issue #2
The check fails as it compares the current user which in the case of a guest is user 0 to the posts author which as the post does not technically exist is coincidentally also 0.
Whats also quite worrying is that the same philosophy for not explicitly checking for guest users is also employed just about everywhere else within the code. Admittedly it is not possible to call up the editor in the same manner but it would not surprise me to find that if I constructed direct a http request I could also post to other parts of the site whilst being a guest.
I decided to post the exploit here as I'm a bit annoyed in the way in which JomSocial handled the issue and the absolute lack of support in this area. I was very surprised to find that they had done absolutely nothing about it.
Lets see how long it takes them to fix the issue.