Fix security vulnerabilities: XSS, open redirect, path traversal, IDOR

claude · bcordis · commit f8a3fc5c26e2 · 2026-03-18T20:52:37.000-05:00
- Fix reflected XSS in admin cpanel by escaping user-supplied msg parameter - Fix stored XSS in comment text output with htmlspecialchars() - Fix XSS in JavaScript context in podcast template using json_encode() - Fix open redirect in CwmsermonsController, CwmmediafileController, and CwmadminController by validating base64-decoded return URLs with Uri::isInternal() - Fix path traversal in backup restore by sanitizing upload filename with File::makeSafe() and basename() - Fix IDOR in download helper by checking published status and user access levels before serving media files - Sanitize Content-Disposition filename header to prevent header injection - Escape user-supplied handler name in error messages https://claude.ai/code/session_01Eq9nzEFGHytEtgTiUgTEHt
diff --git a/admin/src/Controller/CwmadminController.php b/admin/src/Controller/CwmadminController.php
@@ -21,11 +21,11 @@
 use CWM\Component\Proclaim\Administrator\Helper\Cwmalias;
 use CWM\Component\Proclaim\Administrator\Helper\CwmcsvimportHelper;
 use CWM\Component\Proclaim\Administrator\Helper\CwmdbHelper;
-use CWM\Component\Proclaim\Administrator\Helper\CwmschemaorgHelper;
 use CWM\Component\Proclaim\Administrator\Helper\CwmdescriptionHelper;
 use CWM\Component\Proclaim\Administrator\Helper\CwmImageCleanup;
 use CWM\Component\Proclaim\Administrator\Helper\CwmImageMigration;
 use CWM\Component\Proclaim\Administrator\Helper\Cwmparams;
+use CWM\Component\Proclaim\Administrator\Helper\CwmschemaorgHelper;
 use CWM\Component\Proclaim\Administrator\Helper\CwmserverMigrationHelper;
 use CWM\Component\Proclaim\Administrator\Helper\Cwmthumbnail;
 use CWM\Component\Proclaim\Administrator\Helper\CwmupgradeHelper;
@@ -42,6 +42,7 @@
 use Joomla\CMS\MVC\Controller\FormController;
 use Joomla\CMS\Router\Route;
 use Joomla\CMS\Session\Session;
+use Joomla\CMS\Uri\Uri;
 use Joomla\Database\DatabaseInterface;
 use Joomla\Filesystem\Folder;
 use Joomla\Registry\Registry;
@@ -2153,10 +2154,10 @@ public function schemaSyncXHR(): void
             }
 
             echo json_encode([
-                'success'  => true,
-                'count'    => $total,
-                'counts'   => $counts,
-                'message'  => $message,
+                'success' => true,
+                'count'   => $total,
+                'counts'  => $counts,
+                'message' => $message,
             ], JSON_THROW_ON_ERROR);
         } catch (\Exception $e) {
             echo json_encode([
@@ -2194,7 +2195,8 @@ public function schemaForceRefresh(): void
             }
         }
 
-        $redirect = $return ? base64_decode($return) : 'index.php?option=com_proclaim';
+        $decoded  = $return ? base64_decode($return) : '';
+        $redirect = ($decoded && Uri::isInternal($decoded)) ? $decoded : 'index.php?option=com_proclaim';
         $app->redirect($redirect);
     }
 
diff --git a/admin/src/Controller/CwmmediafileController.php b/admin/src/Controller/CwmmediafileController.php
@@ -162,7 +162,7 @@ public function xhr(): void
             $app = Factory::getApplication();
             $app->close();
         } else {
-            throw new \RuntimeException(Text::sprintf('Handler: "' . $handler . '" does not exist!'), 404);
+            throw new \RuntimeException(Text::sprintf('Handler: "%s" does not exist!', htmlspecialchars($handler, ENT_QUOTES, 'UTF-8')), 404);
         }
     }
 
@@ -244,8 +244,14 @@ public function cancel($key = null): bool
             }
         }
 
-        if ($this->input->getCmd('return') && parent::cancel($key)) {
-            $this->setRedirect(base64_decode($this->input->getCmd('return')));
+        $return = $this->input->getCmd('return');
+
+        if ($return && parent::cancel($key)) {
+            $decoded = base64_decode($return);
+
+            if ($decoded && Uri::isInternal($decoded)) {
+                $this->setRedirect($decoded);
+            }
 
             return true;
         }
@@ -532,8 +538,12 @@ protected function postSaveHook($model, $validData = []): void
         $task   = $this->input->get('task');
 
         if ($return && $task !== 'apply') {
-            Factory::getApplication()->enqueueMessage(Text::_('JBS_MED_SAVE'), 'message');
-            $this->setRedirect(base64_decode($return));
+            $decoded = base64_decode($return);
+
+            if ($decoded && Uri::isInternal($decoded)) {
+                Factory::getApplication()->enqueueMessage(Text::_('JBS_MED_SAVE'), 'message');
+                $this->setRedirect($decoded);
+            }
         }
     }
 
diff --git a/admin/src/Lib/Cwmrestore.php b/admin/src/Lib/Cwmrestore.php
@@ -477,7 +477,8 @@ public function getPackageFromUpload(): bool|array
 
         // Build the appropriate paths
         $config   = Factory::getApplication()->getConfig();
-        $tmp_dest = $config->get('tmp_path') . '/' . $userFile['name'];
+        $safeName = File::makeSafe($userFile['name']);
+        $tmp_dest = $config->get('tmp_path') . '/' . basename($safeName);
         $tmp_src  = $userFile['tmp_name'];
 
         // Move an uploaded file.
diff --git a/admin/tmpl/cwmcpanel/default.php b/admin/tmpl/cwmcpanel/default.php
@@ -38,10 +38,10 @@
 
 $msg   = '';
 $input = Factory::getApplication()->getInput();
-$msg   = $input->get('msg');
+$msg   = $input->getString('msg', '');
 
 if ($msg) {
-    echo $msg;
+    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
 }
 
 $simple = Cwmhelper::getSimpleView();
diff --git a/site/src/Controller/CwmsermonsController.php b/site/src/Controller/CwmsermonsController.php
@@ -18,6 +18,7 @@
 use CWM\Component\Proclaim\Site\Model\CwmsermonsModel;
 use Joomla\CMS\Factory;
 use Joomla\CMS\MVC\Controller\BaseController;
+use Joomla\CMS\Uri\Uri;
 
 // phpcs:disable PSR1.Files.SideEffects
 \defined('_JEXEC') or die;
@@ -66,9 +67,14 @@ public function playHit(): void
         CwmanalyticsHelper::logEvent('play', 0, $id);
 
         // Now the hit has been updated will redirect to the url.
-        $return = $app->getInput()->get('return');
-        $return = base64_decode($return);
-        $app->redirect($return);
+        $return = $app->getInput()->getBase64('return', '');
+        $return = $return ? base64_decode($return) : '';
+
+        if ($return && Uri::isInternal($return)) {
+            $app->redirect($return);
+        } else {
+            $app->redirect('index.php');
+        }
     }
 
     /**
diff --git a/site/src/Helper/Cwmdownload.php b/site/src/Helper/Cwmdownload.php
@@ -77,7 +77,8 @@ public function download(int $mid): void
                 $db->quoteName('#__bsms_servers') . ' ON ('
                 . $db->quoteName('#__bsms_servers.id') . ' = ' . $db->quoteName('#__bsms_mediafiles.server_id') . ')'
             )
-            ->where($db->quoteName('#__bsms_mediafiles.id') . ' = ' . $mid);
+            ->where($db->quoteName('#__bsms_mediafiles.id') . ' = ' . $mid)
+            ->where($db->quoteName('#__bsms_mediafiles.published') . ' = 1');
         $db->setQuery($query, 0, 1);
 
         $media = $db->loadObject();
@@ -86,6 +87,14 @@ public function download(int $mid): void
             $this->sendError($app, 404, 'Media not found');
         }
 
+        // Verify the current user has the required access level
+        $user         = $app->getIdentity();
+        $accessLevels = $user->getAuthorisedViewLevels();
+
+        if (isset($media->access) && !\in_array((int) $media->access, $accessLevels, true)) {
+            $this->sendError($app, 403, 'Access denied');
+        }
+
         // Increment download count after validation
         $this->hitDownloads($mid);
 
@@ -145,7 +154,8 @@ public function download(int $mid): void
 
         header('Content-Description: File Transfer');
         header('Content-Type: application/octet-stream');
-        header('Content-Disposition: attachment; filename="' . basename($params->get('filename')) . '"');
+        $safeFilename = preg_replace('/[^\w.\-]/', '_', basename($params->get('filename')));
+        header('Content-Disposition: attachment; filename="' . $safeFilename . '"');
         header('Expires: 0');
         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
         header('Cache-Control: private', false);
diff --git a/site/tmpl/cwmseriespodcastdisplay/default.php b/site/tmpl/cwmseriespodcastdisplay/default.php
@@ -88,16 +88,16 @@
                                 ); ?>
                                 <td>
                                     <?php
-                                    echo stripslashes($item->studytitle); ?>
+                                    echo htmlspecialchars(stripslashes($item->studytitle), ENT_QUOTES, 'UTF-8'); ?>
                                 </td>
                                 <td>
                                     <?php
                                     echo HTMLHelper::Date($item->createdate); ?>
                                 </td>
                                 <td>
-                                    <a href="javascript:loadVideo('<?php
-                                    echo $path1; ?>', '<?php
-                                    echo $item->series_thumbnail; ?>')">
+                                    <a href="javascript:loadVideo(<?php
+                                    echo htmlspecialchars(json_encode($path1), ENT_QUOTES, 'UTF-8'); ?>, <?php
+                                    echo htmlspecialchars(json_encode($item->series_thumbnail), ENT_QUOTES, 'UTF-8'); ?>)">
                                         <?php
                                         echo Text::_('JBS_CMN_LISTEN'); ?>
                                     </a>
diff --git a/site/tmpl/cwmsermon/default_commentsform.php b/site/tmpl/cwmsermon/default_commentsform.php
@@ -83,7 +83,7 @@ class="btn btn-outline-secondary heading<?php echo $pageclassSfx; ?>"
                                     </span>
                                 </div>
                                 <div class="comment-text">
-                                    <?php echo $comment->comment_text; ?>
+                                    <?php echo htmlspecialchars($comment->comment_text, ENT_QUOTES, 'UTF-8'); ?>
                                 </div>
                             </div>
                         <?php endforeach; ?>

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ public function xhr(): void`
`162`	`162`	`$app = Factory::getApplication();`
`163`	`163`	`$app->close();`
`164`	`164`	`} else {`
`165`		`- throw new \RuntimeException(Text::sprintf('Handler: "' . $handler . '" does not exist!'), 404);`
	`165`	`+ throw new \RuntimeException(Text::sprintf('Handler: "%s" does not exist!', htmlspecialchars($handler, ENT_QUOTES, 'UTF-8')), 404);`
`166`	`166`	`}`
`167`	`167`	`}`
`168`	`168`
`@@ -244,8 +244,14 @@ public function cancel($key = null): bool`
`244`	`244`	`}`
`245`	`245`	`}`
`246`	`246`
`247`		`- if ($this->input->getCmd('return') && parent::cancel($key)) {`
`248`		`- $this->setRedirect(base64_decode($this->input->getCmd('return')));`
	`247`	`+ $return = $this->input->getCmd('return');`
	`248`	`+`
	`249`	`+ if ($return && parent::cancel($key)) {`
	`250`	`+ $decoded = base64_decode($return);`
	`251`	`+`
	`252`	`+ if ($decoded && Uri::isInternal($decoded)) {`
	`253`	`+ $this->setRedirect($decoded);`
	`254`	`+ }`
`249`	`255`
`250`	`256`	`return true;`
`251`	`257`	`}`
`@@ -532,8 +538,12 @@ protected function postSaveHook($model, $validData = []): void`
`532`	`538`	`$task = $this->input->get('task');`
`533`	`539`
`534`	`540`	`if ($return && $task !== 'apply') {`
`535`		`- Factory::getApplication()->enqueueMessage(Text::_('JBS_MED_SAVE'), 'message');`
`536`		`- $this->setRedirect(base64_decode($return));`
	`541`	`+ $decoded = base64_decode($return);`
	`542`	`+`
	`543`	`+ if ($decoded && Uri::isInternal($decoded)) {`
	`544`	`+ Factory::getApplication()->enqueueMessage(Text::_('JBS_MED_SAVE'), 'message');`
	`545`	`+ $this->setRedirect($decoded);`
	`546`	`+ }`
`537`	`547`	`}`
`538`	`548`	`}`
`539`	`549`