
Thread: Extremely Easy Ext.Direct integration with PHP

  1. #101
    Sencha User (Join Date: Jun 2009, Posts: 52, Vote Rating: 21)

    Vulnerability

    This backend (like probably all other Ext.Direct implementations) is vulnerable to Cross-Site Request Forgery attacks.
    If an attacker is able to trick a user who is currently logged into an Ext.JS web application into visiting the attacker's website, it allows the attacker to execute arbitrary Ext.Direct methods.

    E.g. the attacker's website could include code like this:

    HTML Code:
    <form id="attackform" method="post" action="http://your-server/your-extdirect-script.php">
    <input type="hidden" name="extTID" value="1">
    <input type="hidden" name="extType" value="rpc">
    <input type="hidden" name="extAction" value="classname">
    <input type="hidden" name="extMethod" value="somePrivilegedMethod">
    <input type="hidden" name="p1" value="someParameter">
    <input type="submit">
    </form>
    <script>document.getElementById("attackform").submit()</script>
    Causing somePrivilegedMethod(someParameter) to be executed.
    In a typical web application using PHP sessions, this will occur under the privileges of the authenticated user, as the browser will send the session cookie it has for your-server with the request.

    Patch

    This patch attempts to prevent the problem by using the double submit cookie pattern.
    A unique cookie is set when the browser fetches the API with <script src="your-extdirect-script.php?javascript"></script>, and the backend expects the value of that cookie to be transmitted as a request variable with every request.

    Code:
        protected function call_action()
        {
            $class = $this->action;

            // Accept only calls to classes defined at "api_classes" configuration
            if ( !in_array( $class, ExtDirect::$api_classes ) )
                throw new Exception( 'Call to undefined or not allowed class ' . $class, E_USER_ERROR );

            // Do not allow calls to magic methods; only allow calls to methods returned by "get_class_methods" function
            if ( ( substr( $this->method, 0, 2 ) == '__' ) || !in_array( $this->method, get_class_methods( $class ) ) )
                throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );

            // Do not allow calls to methods that do not pass the declare_method_function (if configured)
            if ( !empty( self::$declare_method_function ) && !call_user_func( self::$declare_method_function, $class, $this->method ) )
                throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );

            // Verify double submit cookie to prevent CSRF attacks:
            // the extToken request variable must equal the extToken cookie the browser sends
            $token = '';
            if ( isset( $_GET['extToken'] ) )
                $token = $_GET['extToken'];
            else if ( isset( $_POST['extToken'] ) )
                $token = $_POST['extToken'];
            // Strict (!==) comparison: a loose != would treat numeric-looking strings such as '0e1' and '0e2' as equal
            if ( empty( $_COOKIE['extToken'] ) || $_COOKIE['extToken'] !== $token )
                throw new Exception( 'Double submit cookie value incorrect', E_USER_ERROR );

            $ref_method = new ReflectionMethod( $class, $this->method );
    Code:
        static public function get_api_javascript()
        {
            $template = <<<JAVASCRIPT

    if ( Ext.syncRequire )
        Ext.syncRequire( 'Ext.direct.Manager' );

    Ext.namespace( '[%namespace%]' );
    [%descriptor%] = [%actions%];
    Ext.Direct.addProvider( [%descriptor%] );
    // Echo the cookie value back as the extToken request variable with every Ext.Ajax (and thus Ext.Direct) request
    Ext.Ajax.extraParams = { extToken: Ext.util.Cookies.get('extToken') };

    JAVASCRIPT;

            /* Set double submit cookie for CSRF protection */
            if ( empty( $_COOKIE['extToken'] ) )
            {
                if ( function_exists( 'openssl_random_pseudo_bytes' ) )
                    $rand = bin2hex( openssl_random_pseudo_bytes( 16 ) );
                else
                    $rand = uniqid(); // fallback only: uniqid() is time-based and predictable, not a cryptographic random source

                // No HttpOnly flag: the JavaScript above must be able to read this cookie
                setcookie( 'extToken', $rand );
            }

            $elements = array(
                '[%actions%]'    => self::get_api_json(),
                '[%namespace%]'  => ExtDirect::$namespace,
                '[%descriptor%]' => ExtDirect::$descriptor
            );

            return strtr( $template, $elements );
        }
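The following is an added, stand-alone model of the double submit cookie check that the patch above wires into call_action() and get_api_javascript(). It is example code, not code from this thread or from the ExtDirect.php project. The function names, the use of plain arrays in place of $_COOKIE, $_GET and $_POST (so it can be run offline from the command line), and the PHP 7+ requirement (random_bytes(), scalar type hints) are assumptions of this example; only the cookie and request variable name extToken comes from the thread.

```php
<?php
// Added example, not the thread's or ExtDirect.php's own code.
// Assumptions: PHP 7+, and arrays standing in for $_COOKIE / $_GET / $_POST.

const CSRF_COOKIE = 'extToken';

// Fresh, unpredictable token: 128 bits from the CSPRNG, hex encoded.
function generate_csrf_token(): string
{
    return bin2hex(random_bytes(16));
}

// Mirrors the role of get_api_javascript(): make sure the browser holds a token
// cookie and return the value the generated JavaScript will echo back on every call.
// $cookies stands in for $_COOKIE so the logic can be exercised offline.
function issue_csrf_token(array &$cookies): string
{
    if (empty($cookies[CSRF_COOKIE]) || !is_string($cookies[CSRF_COOKIE])) {
        $cookies[CSRF_COOKIE] = generate_csrf_token();
        // In a real handler this is where setcookie() runs, e.g. (PHP 7.3+ options array):
        //   setcookie(CSRF_COOKIE, $cookies[CSRF_COOKIE], ['secure' => true, 'samesite' => 'Strict']);
        // HttpOnly must stay off: Ext.util.Cookies.get() has to read the value from JavaScript.
    }
    return $cookies[CSRF_COOKIE];
}

// Mirrors the check in call_action(): the extToken request variable must match the
// extToken cookie. $cookies and $params stand in for $_COOKIE and $_GET/$_POST.
function verify_csrf_token(array $cookies, array $params): bool
{
    // Reject anything that is not a plain, non-empty string on both sides
    // (a missing value, or an array smuggled in as extToken[]=...).
    if (!isset($cookies[CSRF_COOKIE], $params[CSRF_COOKIE])) {
        return false;
    }
    $cookie = $cookies[CSRF_COOKIE];
    $param  = $params[CSRF_COOKIE];
    if (!is_string($cookie) || !is_string($param) || $cookie === '' || $param === '') {
        return false;
    }
    // hash_equals(): strict, constant-time comparison. A loose == / != would treat
    // numeric-looking strings such as '0e1' and '0e2' as equal.
    return hash_equals($cookie, $param);
}

// Constructed walk-through (sample data, not captured traffic). Returns the outcome
// of each scenario so it can be checked rather than only printed.
function run_demo(): array
{
    // The user's browser loads your-extdirect-script.php?javascript: cookie issued.
    $browser_cookies = [];
    $token = issue_csrf_token($browser_cookies);

    // 1) Legitimate Ext.Direct call: Ext.Ajax.extraParams carried the cookie value.
    $legit = ['extAction' => 'classname', 'extMethod' => 'somePrivilegedMethod', CSRF_COOKIE => $token];

    // 2) Cross-site form post like the one in the report: the browser still attaches the
    //    cookie, but a page on another origin cannot read it, so the request variable is
    //    missing or wrong and the call is refused before dispatch.
    $forged_missing = ['extAction' => 'classname', 'extMethod' => 'somePrivilegedMethod'];
    $forged_wrong   = $forged_missing + [CSRF_COOKIE => 'not-the-cookie-value'];

    // 3) A browser that already has the cookie must keep the same token on reload.
    $again = issue_csrf_token($browser_cookies);

    return [
        'legit_accepted'        => verify_csrf_token($browser_cookies, $legit),
        'forged_missing_denied' => !verify_csrf_token($browser_cookies, $forged_missing),
        'forged_wrong_denied'   => !verify_csrf_token($browser_cookies, $forged_wrong),
        'token_stable'          => $again === $token,
        // The loose-comparison pitfall that a strict check closes.
        'loose_equal_pitfall'   => ('0e1' == '0e2'),
        'strict_check_denied'   => !verify_csrf_token([CSRF_COOKIE => '0e1'], [CSRF_COOKIE => '0e2']),
    ];
}

foreach (run_demo() as $name => $ok) {
    if (!$ok) {
        throw new RuntimeException("scenario failed: $name");
    }
    echo "$name: ok\n";
}
```

Run it with `php double_submit_demo.php` (file name assumed); every scenario should print `ok`. The point of the last two entries is the reason the check should be strict: PHP's loose comparison operators compare two numeric-looking strings as numbers, so a hex token that happens to start with `0e` followed only by digits would loosely equal any other such token, while hash_equals() compares the bytes.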

  2. #102
    Sencha User (Join Date: Aug 2014, Posts: 1, Vote Rating: 0)

    Hi guys,
    Just trying to get this working in Sencha Touch 2 with no success.

    I added the .js libraries to the .js section in app.json

    Code:
        {
            "path": "http://extjs.cachefly.net/ext-3.2.1/adapter/ext/ext-base.js",
            "remote": true
        },
        {
            "path": "http://extjs.cachefly.net/ext-3.2.1/ext-all.js",
            "remote": true
        },
        {
            "path": "ExtDirect/example.php?javascript"
            // Should this be remote too?
        },
    and tried to access the php object in Ext with no luck.

    Code:
    console.log( Ext.php );
    // prints out undefined
    Where is this php object created?

  3. #103
    Sencha Premium Member (Join Date: Mar 2010, Posts: 141, Vote Rating: 15)

    I have modified this package a little bit and wrapped it as a Laravel 4 service provider: https://github.com/Bulforce/laravel-ext-direct

  4. #104
    Sencha User (Join Date: Mar 2010, Location: Tehran, Posts: 46, Vote Rating: 1)

    Github repository

    Since the original creator seems to have left the project, I have created a repository for the original code for any possible update and maintenance.

    https://github.com/salarmehr/ExtDirect.php

  5. #105
    j.bruni, Sencha User (Join Date: Jun 2009, Location: Uberlândia, MG, Brazil, Posts: 106, Vote Rating: 7)

    Quote originally posted by salarmehr:
        Since the original creator seems to have left the project, I have created a repository for the original code for any possible update and maintenance.

        https://github.com/salarmehr/ExtDirect.php

    Yes - it has been a long time since I last used ExtJS or any Sencha product.

    Happy to see the community taking care of it. I see there are some significant contributions along the thread... these should be merged... I'm considering updating it, if I have some free time.
