Skip to content

Helix3 Joomla 3 Security Patch v1.0.0

Choose a tag to compare

@siddik-web siddik-web released this 15 Jul 11:10

Helix3 Joomla 3 Security Patch (v3.1.2 / Patch v1.0.0)

This release applies critical security hardening and patches for the Helix3 Framework (System and AJAX plugins) and the shaper_helix3 template on Joomla 3.10.x.

🛡️ Security Hardening

Authentication & Authorization

  • Enforced administrator privileges (core.admin / core.manage on com_templates) and valid CSRF tokens for all admin AJAX actions (including layout save/load/remove, menu layout reset, settings import, Google font updates).
  • Enforced administrator privileges and CSRF validation on image upload and deletion endpoints.
  • Added CSRF protection to the public article voting action.
  • Implemented a strict allowlist (deny-by-default) for all administrative and public AJAX actions.
  • Standardized JSON error responses for failed authorization/CSRF checks.

File & Path Safety

  • Sanitized layout filenames to permit only alphanumeric, hyphen, and underscore characters.
  • Implemented path resolution checks using realpath() to completely block directory traversal attacks.
  • Restricted image deletion strictly to the images/ directory, preventing unauthorized file deletions outside the media root.
  • Replaced raw file system functions (unlink, fopen) with safe, native Joomla File and Folder APIs.

Input Validation

  • Replaced direct access to raw $_POST with the Joomla Input filter ($input->post->get()).
  • Restricted template imports and layout saves to a maximum payload size of 1 MB and enforced strict JSON schema validations.
  • Cast all menu IDs and template style IDs to integers to prevent injection.

Secure Image Uploads

  • Enforced a strict image file extension allowlist (jpg, jpeg, png, gif, webp).
  • Hardened file upload security by validating with File::makeSafe(), verification of MIME types via @getimagesize(), and checks against system upload limits.

Cross-Site Scripting (XSS) Prevention

  • Escaped dynamic HTML outputs using HTML special characters throughout layout managers, menu layout operations, and font settings.
  • Sanitized custom template parameters before rendering dynamic attribute strings.

Hardened Article Voting

  • Restricted users to one vote per article per session.
  • Implemented rate limiting (maximum 5 votes per 60 seconds per session).
  • Verified article existence and publication status before processing votes.
  • Used parameterized database queries and proxy-aware IP detection (Joomla\Utilities\IpHelper) to prevent voting abuse.

⚙️ Other Changes & Fixes

  • WebP Support: Added support for WebP format in AJAX thumbnail generation when the PHP GD extension has WebP functionality.
  • Stability: Guarded menu item lookups to resolve potential null reference errors in layout rendering.
  • Testing: Added security hardening tests to verify constraints are in place across the framework.