The Joomla! Forum ™



PostPosted: Sat Dec 31, 2011 6:31 am 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
So I am VERY sad that my beloved QContacts has a sql injection vulnerability. Let me be clear: ALL of the other 1.5-native contact forms SUCK in comparison.

I have contacted the latenightcoding developer on several occasions, but he has not responded to the vulnerability - either publicly or privately. So I assume that he is either dead or not interested in supporting his component any longer.

Does anyone have any suggestions for how to properly sanitize the filter order parameter to solve this vulnerability? (http://secunia.com/advisories/47238/)

If so, please advise. Thanks!!!

_________________
RESIST Theocratic Police-State Feudalism!!


PostPosted: Sun Jan 01, 2012 2:54 am 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
OK, with the help of Brian Lavelle at belcommunications.net, we've made a few changes to the QContacts 1.0.6 code, including switching the function from "JRequest::getString" to "JRequest::getVar" to filter out all HTML and trailing whitespace from form values. And a few other tweaks.

Either way, we believe that the original reported risk was related to admin backend sorting only. So anyone that is hiding their backend access (with KSecure or some other tool) can probably consider this to be very low risk.

We have also decided to use Marco's SQL Injection plugin (http://extensions.joomla.org/extensions ... tion/12731) as an additional layer of protection for all of our sites.
Attachment:
com_qcontacts_1062_revised.zip



_________________
RESIST Theocratic Police-State Feudalism!!
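The question above asks how to sanitize the filter order parameter. As an added example (not code from QContacts, from the revised zip, or from anyone in this thread), the approach a defender would take for an ORDER BY value is an allowlist: accept the column and direction only if they exactly match a fixed list of known sortable columns, and fall back to a default otherwise, so nothing from the request is ever interpolated into SQL unescaped. The column names and the plain-PHP harness are assumptions; in a Joomla 1.5 component the raw values would be read with JRequest::getCmd('filter_order') and JRequest::getCmd('filter_order_Dir') before being passed through this check.

```php
<?php
// Added example (not QContacts code): allowlist validation of the ORDER BY
// column and direction that a list view receives from the request.
// The column names below are assumed for illustration; a real component
// would list the actual sortable columns of its own table.

/**
 * Return a safe "column DIRECTION" fragment for ORDER BY, or the default
 * column when the requested column is not in the allowlist.
 */
function safeFilterOrder($order, $dir, array $allowedColumns, $default = 'a.name')
{
    // Direction: only the two SQL keywords are ever emitted.
    $dir = strtoupper(trim((string) $dir));
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'ASC';
    }

    // Column: strict comparison against the allowlist. An unknown name
    // (including anything containing quotes, commas or spaces) is replaced
    // by the default column instead of being escaped and passed through.
    $order = trim((string) $order);
    if (!in_array($order, $allowedColumns, true)) {
        $order = $default;
    }

    return $order . ' ' . $dir;
}

// Constructed request values for demonstration.
$allowed = array('a.name', 'a.email_to', 'a.published', 'a.ordering', 'a.id');

$cases = array(
    array('a.name', 'desc'),        // valid            -> "a.name DESC"
    array('a.published', 'ASC'),    // valid            -> "a.published ASC"
    array('a.name, a.id', 'asc'),   // not allowlisted  -> "a.name ASC" (default)
    array("a.name'", 'asc'),        // not allowlisted  -> "a.name ASC" (default)
    array('a.id', 'sideways'),      // bad direction    -> "a.id ASC"
);

foreach ($cases as $c) {
    printf("%-14s %-9s => ORDER BY %s\n", $c[0], $c[1], safeFilterOrder($c[0], $c[1], $allowed));
}
```

The same pattern applies to any other request value that ends up in a SQL identifier position (column, table, direction), where string escaping alone does not help because identifiers are not quoted literals.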


PostPosted: Fri Jan 06, 2012 4:44 pm 
Joomla! Apprentice

Joined: Thu Nov 16, 2006 6:32 am
Posts: 41
Thanks for this!


PostPosted: Tue Jan 17, 2012 10:56 pm 
Joomla! Fledgling

Joined: Tue Jan 17, 2012 10:48 pm
Posts: 1
Thanks for taking the time to provide the fix.


PostPosted: Mon Jan 23, 2012 8:19 pm 
Joomla! Apprentice

Joined: Sun Feb 03, 2008 4:59 pm
Posts: 11
Yes, thanks once again!


PostPosted: Fri Feb 24, 2012 11:42 am 
Joomla! Intern

Joined: Thu Aug 17, 2006 9:27 am
Posts: 83
Location: United Kingdom
JComeskey wrote:
OK, with the help of Brian Lavelle at belcommunications.net, we've made a few changes to the QContacts 1.0.6 code, including switching the function from "JRequest::getString" to "JRequest::getVar" to filter out all HTML and trailing whitespace from form values. And a few other tweaks.

Either way, we believe that the original reported risk was related to admin backend sorting only. So anyone that is hiding their backend access (with KSecure or some other tool) can probably consider this to be very low risk.

We have also decided to use Marco's SQL Injection plugin (http://extensions.joomla.org/extensions ... tion/12731) as an additional layer of protection for all of our sites.
Attachment:
com_qcontacts_1062_revised.zip


Thanks for this, perhaps your version could be republished on JED. I have a minor fix for it as well.

Good to know the SQLi vulnerability was only on backend, I had jSecure installed so only low risk as you advised :D

I've also installed Marco's SQLi plugin, all running smoothly so far.

Nice work!

_________________
http://www.starfishwebsites.com
In need of some loving... https://www.facebook.com/starfishwebsites


PostPosted: Wed Feb 29, 2012 1:14 pm 
Joomla! Fledgling

Joined: Fri Nov 11, 2011 1:35 pm
Posts: 1
Thank YOU!


PostPosted: Fri May 04, 2012 8:46 pm 
Joomla! Apprentice

Joined: Sun Mar 22, 2009 2:05 pm
Posts: 5
Many thanks for this fix! I have been looking for a long time for a workable alternative to QContacts but couldn't find one. Really appreciated :)


PostPosted: Mon May 21, 2012 10:38 am 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
Sorry to be a clueless newbie, but how do I actually implement the fix that you guys have kindly come up with?

Is it simply a matter of uploading the files in the zip, or should I use the Install Extensions option in the backend of Joomla?

Thanks


PostPosted: Thu May 24, 2012 2:28 pm 
Joomla! Fledgling

Joined: Thu May 24, 2012 2:23 pm
Posts: 1
Great job. Does anyone here know how to reuse the captcha of QContacts in a component made by me?


PostPosted: Thu May 24, 2012 2:34 pm 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
discotom wrote:
Sorry to be a clueless newbie, but how do I actually implement the fix that you guys have kindly come up with?

Is it simply a matter of uploading the files in the zip, or should I use the Install Extensions option in the backend of Joomla?

Thanks


Any help would be much appreciated - sorry for being a pain!

Thanks


PostPosted: Fri May 25, 2012 4:16 pm 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
discotom wrote:
Sorry to be a clueless newbie, but how do I actually implement the fix that you guys have kindly come up with?

Is it simply a matter of uploading the files in the zip, or should I use the Install Extensions option in the backend of Joomla?

Thanks


This is a complete component zip. So just use the normal Extensions Installer in the backend of Joomla. You may need to uninstall the old version first. So if you get an error saying that the directory is already occupied, then uninstall the old one and try again.

_________________
RESIST Theocratic Police-State Feudalism!!


PostPosted: Mon May 28, 2012 2:55 pm 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
Thanks a lot for your help JComeskey.

I have successfully installed the updated version; however, the problem I was having (which I assumed was to do with Joomla not allowing the vulnerable QContacts to execute properly) persists even with the update.

Basically, my issue is that I have a DB full of contact details accessible through a members' section of a site. When using the search form, the search results are returned (name and some other basic information) with the name as a hyperlink to the full contact details.

Thus the search form interrogates the DB okay to return these results. However, when I click on the name to go to the full details I get a 404 error - any ideas?

Thanks in advance for any help you can give.


PostPosted: Mon May 28, 2012 4:49 pm 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
discotom wrote:
(which I assumed was to do with Joomla not allowing the vulnerable QContacts to execute properly)


The Joomla software is nowhere near advanced enough to do this.

discotom wrote:
Thus the search form interrogates the DB okay to return these results. However, when I click on the name to go to the full details I get a 404 error - any ideas?


Well, in what db tables is this contacts info located? In the QContacts tables? Or in some other component table? Do you have a menu item published to QContacts? Can you provide a front end link and an example of one of the searchable contact names?

_________________
RESIST Theocratic Police-State Feudalism!!


PostPosted: Tue May 29, 2012 1:19 pm 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
In the QContacts tables.

Yes - there is a published QContacts menu item; it links to a category.

Clicking on the menu item returns all the people in that category, but clicking on the name (the link is /index.php?option=com_qcontacts&view=category&catid=49
or in real terms
/index.php/en/database/czech-vicariate/54-cz/21142)

just gives a 404 error.

An example of a name is Fr. Adam Cynarski, but as you can see above it is using the id as the search parameter...

I don't understand why it's suddenly stopped working...


PostPosted: Tue May 29, 2012 5:40 pm 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
Are you using Joomfish and/or a SEFURL component (like SH404SEF)?

_________________
RESIST Theocratic Police-State Feudalism!!


PostPosted: Wed May 30, 2012 7:04 am 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
We do use Joomfish and we have a SEF component listed as System - SEF.

...


PostPosted: Wed May 30, 2012 10:54 am 
Joomla! Apprentice

Joined: Thu Aug 04, 2011 12:21 pm
Posts: 16
Thanks for the pointer JComeskey. I read some articles on SEF and it turned out that if I disable SEF in the Global Configuration, everything works fine. With SEF enabled, however, it gives the 404 error.

I have disabled it for now, but it's a shame that having it enabled causes probs with QContacts.

Thanks once more for all of your help. :D


PostPosted: Wed May 30, 2012 2:16 pm 
Joomla! Enthusiast

Joined: Sat Apr 28, 2007 5:52 pm
Posts: 113
Location: Dayton, Ohio
OK, this is maybe a dumb question, but what search function are you using? I'm not even sure how to search my contacts list...

_________________
RESIST Theocratic Police-State Feudalism!!

