Helix3 Joomla 3 Security Patch v1.0.0
Helix3 Joomla 3 Security Patch (v3.1.2 / Patch v1.0.0)
This release applies critical security hardening and patches for the Helix3 Framework (System and AJAX plugins) and the shaper_helix3 template on Joomla 3.10.x.
🛡️ Security Hardening
Authentication & Authorization
- Enforced administrator privileges (
core.admin/core.manageoncom_templates) and valid CSRF tokens for all admin AJAX actions (including layout save/load/remove, menu layout reset, settings import, Google font updates). - Enforced administrator privileges and CSRF validation on image upload and deletion endpoints.
- Added CSRF protection to the public article voting action.
- Implemented a strict allowlist (deny-by-default) for all administrative and public AJAX actions.
- Standardized JSON error responses for failed authorization/CSRF checks.
File & Path Safety
- Sanitized layout filenames to permit only alphanumeric, hyphen, and underscore characters.
- Implemented path resolution checks using
realpath()to completely block directory traversal attacks. - Restricted image deletion strictly to the
images/directory, preventing unauthorized file deletions outside the media root. - Replaced raw file system functions (
unlink,fopen) with safe, native JoomlaFileandFolderAPIs.
Input Validation
- Replaced direct access to raw
$_POSTwith the Joomla Input filter ($input->post->get()). - Restricted template imports and layout saves to a maximum payload size of 1 MB and enforced strict JSON schema validations.
- Cast all menu IDs and template style IDs to integers to prevent injection.
Secure Image Uploads
- Enforced a strict image file extension allowlist (
jpg,jpeg,png,gif,webp). - Hardened file upload security by validating with
File::makeSafe(), verification of MIME types via@getimagesize(), and checks against system upload limits.
Cross-Site Scripting (XSS) Prevention
- Escaped dynamic HTML outputs using HTML special characters throughout layout managers, menu layout operations, and font settings.
- Sanitized custom template parameters before rendering dynamic attribute strings.
Hardened Article Voting
- Restricted users to one vote per article per session.
- Implemented rate limiting (maximum 5 votes per 60 seconds per session).
- Verified article existence and publication status before processing votes.
- Used parameterized database queries and proxy-aware IP detection (
Joomla\Utilities\IpHelper) to prevent voting abuse.
⚙️ Other Changes & Fixes
- WebP Support: Added support for WebP format in AJAX thumbnail generation when the PHP GD extension has WebP functionality.
- Stability: Guarded menu item lookups to resolve potential null reference errors in layout rendering.
- Testing: Added security hardening tests to verify constraints are in place across the framework.