1. #101
    Max_nl

    Vulnerability

    This backend, like probably all other Ext.Direct implementations, is vulnerable to Cross-Site Request Forgery attacks.
    If an attacker is able to trick a user that is currently logged into an Ext JS web application into visiting the attacker's website, it allows the attacker to execute arbitrary Ext.Direct methods.

    E.g. the attacker's website could include code like this:

    HTML Code:
    <form id="attackform" method="post" action="http://your-server/your-extdirect-script.php">
    <input type="hidden" name="extTID" value="1">
    <input type="hidden" name="extType" value="rpc">
    <input type="hidden" name="extAction" value="classname">
    <input type="hidden" name="extMethod" value="somePrivilegedMethod">
    <input type="hidden" name="p1" value="someParameter">
    <input type="submit">
    </form>
    <script>document.getElementById("attackform").submit()</script>
    This causes somePrivilegedMethod(someParameter) to be executed.
    In a typical web application using PHP sessions, this will occur under the privileges of the authenticated user, as the browser will send the session cookie it has for your-server with the request.

    Patch

    This patch attempts to prevent the problem by using the double submit cookie pattern.
    A unique cookie is set when the browser fetches the API with <script src="your-extdirect-script.php?javascript"></script>, and the backend expects the value of that cookie to be transmitted as a request variable with every request.

    Code:
        protected function call_action()
        {
            $class = $this->action;
            
            // Accept only calls to classes defined at "api_classes" configuration
            if ( !in_array( $class, ExtDirect::$api_classes ) )
                throw new Exception( 'Call to undefined or not allowed class ' . $class, E_USER_ERROR );
            
            // Do not allow calls to magic methods; only allow calls to methods returned by "get_class_methods" function
            if ( ( substr( $this->method, 0, 2 ) == '__' ) || !in_array( $this->method, get_class_methods( $class ) ) )
                throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );
            
            // Do not allow calls to methods that do not pass the declare_method_function (if configured)
            if ( !empty( self::$declare_method_function ) && !call_user_func( self::$declare_method_function, $class, $this->method ) )
                throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );
            
            // Verify double submit cookie to prevent CSRF attacks.
            // The token may arrive in the query string (the Ext JS provider posts calls as a JSON body,
            // so Ext.Ajax.extraParams is appended to the URL) or as a form field.
            $token = '';
            if ( isset( $_GET['extToken'] ) )
                $token = $_GET['extToken'];
            else if ( isset( $_POST['extToken'] ) )
                $token = $_POST['extToken'];
            // Strict comparison: a loose != would treat numeric-looking strings such as "0e12..." and "0e34..." as equal
            if ( empty( $_COOKIE['extToken'] ) || $_COOKIE['extToken'] !== $token )
                throw new Exception( 'Double submit cookie value incorrect', E_USER_ERROR );
            
            $ref_method = new ReflectionMethod( $class, $this->method );
            // (rest of the original method follows unchanged)
    Code:
        static public function get_api_javascript()
        {
            $template = <<<JAVASCRIPT
    
    if ( Ext.syncRequire )
        Ext.syncRequire( 'Ext.direct.Manager' );
    
    Ext.namespace( '[%namespace%]' );
    [%descriptor%] = [%actions%];
    Ext.Direct.addProvider( [%descriptor%] );
    // Send the cookie value back with every Ext.Ajax request; the backend compares it against the cookie
    Ext.Ajax.extraParams = { extToken: Ext.util.Cookies.get('extToken') };
    
    JAVASCRIPT;
    
            /* Set double submit cookie for CSRF protection */
            if ( empty( $_COOKIE['extToken'] ) )
            {
                if ( function_exists( 'openssl_random_pseudo_bytes' ) )
                    $rand = bin2hex( openssl_random_pseudo_bytes( 16 ) );
                else
                    $rand = uniqid();   // fallback only: uniqid() is time-based and predictable
                
                // Deliberately not HttpOnly: the client script must be able to read the cookie to echo it back
                setcookie( 'extToken', $rand );
            }
            
            $elements = array(
                '[%actions%]'    => self::get_api_json(),
                '[%namespace%]'  => ExtDirect::$namespace,
                '[%descriptor%]' => ExtDirect::$descriptor
            );
            
            return strtr( $template, $elements );
        }
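
    The check from the patch as a standalone function, written here as an added example (not code from the patch or from the ExtDirect project) and going a little beyond it: the request arrays are passed in as arguments so the function can be run against constructed requests, and the comparison is format-checked, strict and constant-time. The names ext_token_generate and ext_token_valid are this example's own.

```php
<?php
// Added example, not code from the original patch or the ExtDirect project:
// the double-submit check as a standalone function that takes the request
// arrays as arguments, so it can be run against constructed requests.

// 32 hex chars from a CSPRNG; the final branch is a weak, predictable
// last resort for very old PHP builds (assumed; not part of the page's code).
function ext_token_generate()
{
    if (function_exists('random_bytes'))
        return bin2hex(random_bytes(16));
    if (function_exists('openssl_random_pseudo_bytes'))
        return bin2hex(openssl_random_pseudo_bytes(16));
    return md5(uniqid(mt_rand(), true));
}

// True only when the extToken sent with the request (query string or form
// field) is a well-formed token identical to the extToken cookie.
function ext_token_valid(array $get, array $post, array $cookie)
{
    $sent = isset($get['extToken']) ? $get['extToken']
          : (isset($post['extToken']) ? $post['extToken'] : '');
    $stored = isset($cookie['extToken']) ? $cookie['extToken'] : '';

    // Reject arrays (extToken[]=x), empty values and anything that is not
    // 32 lowercase hex chars before comparing, so no loose == ever runs.
    foreach (array($sent, $stored) as $v)
        if (!is_string($v) || !preg_match('/\A[0-9a-f]{32}\z/', $v))
            return false;

    // Strict and constant-time; hash_equals() exists from PHP 5.6.
    return function_exists('hash_equals') ? hash_equals($stored, $sent) : $stored === $sent;
}

$token = ext_token_generate();

// Constructed request 1: the cross-site form from the post above. The browser
// attaches the cookie, but the attacker's page cannot read it, so no extToken
// field accompanies the call.
$forged = array('extTID' => '1', 'extType' => 'rpc', 'extAction' => 'classname',
                'extMethod' => 'somePrivilegedMethod', 'p1' => 'someParameter');
var_dump(ext_token_valid(array(), $forged, array('extToken' => $token)));

// Constructed request 2: the application's own Ext.Ajax call, where
// Ext.Ajax.extraParams put the cookie value in the query string.
var_dump(ext_token_valid(array('extToken' => $token), array(), array('extToken' => $token)));

// Constructed request 3: a guessed token of the right shape but the wrong value.
var_dump(ext_token_valid(array('extToken' => str_repeat('a', 32)), array(), array('extToken' => $token)));
```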

  2. #102
    salarmehr


    GitHub is a good home


    Dear J. Bruni,
    I would like to express my appreciation for your wonderful Ext Direct implementation.
    I suggest putting the code on GitHub, so we can contribute, report issues, add documentation and examples, and get the project started.

  3. #103
    dlbaz


    Hi guys,
    Just trying to get this working in Sencha Touch 2 with no success.

    I added the .js libraries to the .js section in app.json

    Code:
            {
                "path":"http://extjs.cachefly.net/ext-3.2.1/adapter/ext/ext-base.js",
                "remote": true
            },
            {
                "path":"http://extjs.cachefly.net/ext-3.2.1/ext-all.js",
                "remote": true
            },
            {
                "path":"ExtDirect/example.php?javascript"
                //Should this be remote too?
            },
    and tried to access the php object in Ext with no luck.

    Code:
    console.log( Ext.php );
    //prints out undefined
    Where is this php object created?
